CNN-based DGA Detection with High Coverage

Zhou, Shaofang; Lin, Lanfen; Yuan, Junkun; Wang, Feng; Ling, Zhaoting; Cui, Jia

doi:10.1109/isi.2019.8823200

Cited by 18 publications

(9 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…With the emergence of deep neural networks, the results of inline DGA mitigation have provided high accuracy [29] as well as reduction in real-time latency which is essential for network perimeters that cannot tolerate botnet communication, such as Internet service providers or point of sale networks. Accordingly, inline DGA detection systems has become the topic of extensive academic research, and it resulted thus far in DGA classifiers that identify algorithmically generated domain (AGD) names in real-time (inline) and with high accuracy using deep convolutional neural network architectures [6], [14], [38], [40], recurrent neural network architectures [18], [31], [34] and other architectures [16], [32], [36].…”

Section: Introductionmentioning

confidence: 99%

MaskDGA: An Evasion Attack Against DGA Classifiers and Adversarial Defenses

2020

View full text Add to dashboard Cite

Domain generation algorithms (DGAs) are commonly used by botnets to generate domain names that bots can use to establish communication channels with their command and control servers. Recent publications presented deep learning classifiers that detect algorithmically generated domain (AGD) names in real time with high accuracy and thus significantly reduce the effectiveness of DGAs for botnet communication. In this paper, we present MaskDGA, an evasion technique that uses adversarial learning to modify AGD names in order to evade inline DGA classifiers, without the need for the attacker to possess any knowledge about the DGA classifier's architecture or parameters. MaskDGA was evaluated on four state-of-the-art DGA classifiers and outperformed the recently proposed CharBot and DeepDGA evasion techniques. We also evaluated MaskDGA on enhanced versions of the same classifiers equipped with common adversarial defenses (distillation and adversarial retraining). While the results show that adversarial retraining has some limited effectiveness against the evasion technique, it is clear that a more resilient detection mechanism is required. We also propose an extension to MaskDGA that allows an attacker to omit a subset of the modified AGD names based on the classification results of the attacker's trained model, in order to achieve a desired evasion rate.

show abstract

Section: Introductionmentioning

confidence: 99%

MaskDGA: An Evasion Attack Against DGA Classifiers and Adversarial Defenses

2020

View full text Add to dashboard Cite

show abstract

“…The experiments demonstrate that our model achieves perfect performance. Future work will consider the optimization of its performance and compare it with the recent work [ 37 , 38 , 39 ] to evaluate the strength of the model.…”

Section: Discussionmentioning

confidence: 99%

Detection of Algorithmically Generated Domain Names Using the Recurrent Convolutional Neural Network with Spatial Pyramid Pooling

Liu

Zhang

Chen

et al. 2020

Entropy

View full text Add to dashboard Cite

Domain generation algorithms (DGAs) use specific parameters as random seeds to generate a large number of random domain names to prevent malicious domain name detection. This greatly increases the difficulty of detecting and defending against botnets and malware. Traditional models for detecting algorithmically generated domain names generally rely on manually extracting statistical characteristics from the domain names or network traffic and then employing classifiers to distinguish the algorithmically generated domain names. These models always require labor intensive manual feature engineering. In contrast, most state-of-the-art models based on deep neural networks are sensitive to imbalance in the sample distribution and cannot fully exploit the discriminative class features in domain names or network traffic, leading to decreased detection accuracy. To address these issues, we employ the borderline synthetic minority over-sampling algorithm (SMOTE) to improve sample balance. We also propose a recurrent convolutional neural network with spatial pyramid pooling (RCNN-SPP) to extract discriminative and distinctive class features. The recurrent convolutional neural network combines a convolutional neural network (CNN) and a bi-directional long short-term memory network (Bi-LSTM) to extract both the semantic and contextual information from domain names. We then employ the spatial pyramid pooling strategy to refine the contextual representation by capturing multi-scale contextual information from domain names. The experimental results from different domain name datasets demonstrate that our model can achieve 92.36% accuracy, an 89.55% recall rate, a 90.46% F1-score, and 95.39% AUC in identifying DGA and legitimate domain names, and it can achieve 92.45% accuracy rate, a 90.12% recall rate, a 90.86% F1-score, and 96.59% AUC in multi-classification problems. It achieves significant improvement over existing models in terms of accuracy and robustness.

show abstract

“…When a CNN was applied to text classi cation [18,19,57] and showed success over an LSTM on some tasks [54,58], it was eventually applied to malicious URL analysis [38]. Other approaches to this problem include a Generative Adversarial Network (GAN), showing that the arms race for DGA detection could advance on its own [7].…”

Section: Related Workmentioning

confidence: 99%

“…Woodbridge et al [50] were the rst to present a long short-term memory (LSTM) network for DGA classi cation. Other architectures were later applied, such as further variations on an LSTM [4,28,46,48,55], a convolutional neural network (CNN) [38,58], and a hybrid CNN-LSTM model [56]. Although successful for random-character DGA domains, these classi ers have largely been ine ective in identifying dictionary DGA domains.…”

Section: Introductionmentioning

confidence: 99%

Real-Time Detection of Dictionary DGA Network Traffic using Deep Learning

Highnam¹,

Puzio²,

Luo³

et al. 2020

Preprint

View full text Add to dashboard Cite

Botnets and malware continue to avoid detection by static rules engines when using domain generation algorithms (DGAs) for callouts to unique, dynamically generated web addresses. Common DGA detection techniques fail to reliably detect DGA variants that combine random dictionary words to create domain names that closely mirror legitimate domains. To combat this, we created a novel hybrid neural network, Bilbo the bagging model, that analyses domains and scores the likelihood they are generated by such algorithms and therefore are potentially malicious. Bilbo is the rst parallel usage of a convolutional neural network (CNN) and a long short-term memory (LSTM) network for DGA detection. Our unique architecture is found to be the most consistent in performance in terms of AUC, F 1 score, and accuracy when generalising across di erent dictionary DGA classi cation tasks compared to current state-of-the-art deep learning architectures. We validate using reverse-engineered dictionary DGA domains and detail our real-time implementation strategy for scoring real-world network logs within a large enterprise 1 . In four hours of actual network tra c, the model discovered at least ve potential command-andcontrol networks that commercial vendor tools did not ag.

show abstract

CNN-based DGA Detection with High Coverage

Cited by 18 publications

References 15 publications

MaskDGA: An Evasion Attack Against DGA Classifiers and Adversarial Defenses

MaskDGA: An Evasion Attack Against DGA Classifiers and Adversarial Defenses

Detection of Algorithmically Generated Domain Names Using the Recurrent Convolutional Neural Network with Spatial Pyramid Pooling

Real-Time Detection of Dictionary DGA Network Traffic using Deep Learning

Contact Info

Product

Resources

About