Crossing the threshold: Detecting network malfeasance via sequential hypothesis testing

Krishnan, Srinivas; Taylor, Teryl; Monrose, Fabian; McHugh, John

doi:10.1109/dsn.2013.6575364

Cited by 21 publications

(15 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Antonakakis et al [16] proposed Pleiades, which clusters non-existent domains based on character distributions within the domain names and on the querying hosts, using the strategy on DNS traffic from large ISPs to discover six DGAs that were unknown at that time. Krishnan et al [53] detected hosts in a botnet by analyzing patterns in DNS queries for non-existent AGDs through sequential hypothesis testing. Mowbray et al [64] detected hosts that query domains with an unusual length distribution, deriving 19 DGAs of which nine were previously unknown.…”

Section: Related Workmentioning

confidence: 99%

A Practical Approach for Taking Down Avalanche Botnets Under Real-World Constraints

Pochat¹,

hamme²,

Maroofi³

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Section: Related Workmentioning

confidence: 99%

A Practical Approach for Taking Down Avalanche Botnets Under Real-World Constraints

Pochat¹,

hamme²,

Maroofi³

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

“…Since DGAs o en generate hundreds of domains per day and at most only a few of those domains are actually registered by the a acker, large numbers of these requests result in NXDomains. Many NX-Domain responses from the same computer are unlikely to result from expected user behaviour, and thus this pa ern of DNS tra c can be associated with DGA activity [8,22,52].…”

Section: Domain Generation Algorithms (Dgas)mentioning

confidence: 99%

“…Future techniques included more contextual information which improved the longevity of detection systems. Clustering [51,52,59], Hidden Markov Models (HMMs) [8], random forests models [40,47,53], and sequential hypothesis testing [22] used data such as WHOIS or NXDomain responses with the domain to identify DGAs. However, a number of these techniques require batches of live data to maintain relevancy or high volumes of data which are not typically feasible in real-time environments.…”

Section: Related Workmentioning

confidence: 99%

Real-Time Detection of Dictionary DGA Network Traffic using Deep Learning

Highnam¹,

Puzio²,

Luo³

et al. 2020

Preprint

View full text Add to dashboard Cite

Botnets and malware continue to avoid detection by static rules engines when using domain generation algorithms (DGAs) for callouts to unique, dynamically generated web addresses. Common DGA detection techniques fail to reliably detect DGA variants that combine random dictionary words to create domain names that closely mirror legitimate domains. To combat this, we created a novel hybrid neural network, Bilbo the bagging model, that analyses domains and scores the likelihood they are generated by such algorithms and therefore are potentially malicious. Bilbo is the rst parallel usage of a convolutional neural network (CNN) and a long short-term memory (LSTM) network for DGA detection. Our unique architecture is found to be the most consistent in performance in terms of AUC, F 1 score, and accuracy when generalising across di erent dictionary DGA classi cation tasks compared to current state-of-the-art deep learning architectures. We validate using reverse-engineered dictionary DGA domains and detail our real-time implementation strategy for scoring real-world network logs within a large enterprise 1 . In four hours of actual network tra c, the model discovered at least ve potential command-andcontrol networks that commercial vendor tools did not ag.

show abstract

“…Using a multi-month evaluation phase, they showed that the system could achieve very high detection accuracy. In 2013, Krishnan et al [12] proposed a method for detecting attack activity using Sequential Hypothesis Testing. They believed that hosts that have been infected by malware will exhibit a domain name scanning behavior.…”

Section: Related Workmentioning

confidence: 99%

DGA Domain Name Classification Method Based on Long Short-Term Memory with Attention Mechanism

et al. 2019

View full text Add to dashboard Cite

Currently, many cyberattacks use the Domain Generation Algorithm (DGA) to generate random domain names, so as to maintain communication with the Communication and Control (C&C) server. Discovering DGA domain names in advance could help to detect attacks and response in time. However, in recent years, the General Data Protection Regulation (GDPR) has been promulgated and implemented, and the method of DGA classification based on the context information, such as the WHOIS (the information about the registered users or assignees of the domain name) , is no longer applicable. At the same time, acquiring the DGA algorithm by reversing malware samples encounters the problem of no malware samples for various reasons, such as fileless malware. We propose a DGA domain name classification method based on Long Short-Term Memory (LSTM) with attention mechanism. This method is oriented to the character sequence of the domain name, and it uses the LSTM combined with attention mechanism to construct the DGA domain name classifier to achieve the rapid classification of domain names. The experimental results show that the method has a good classification result.

show abstract

Crossing the threshold: Detecting network malfeasance via sequential hypothesis testing

Cited by 21 publications

References 17 publications

A Practical Approach for Taking Down Avalanche Botnets Under Real-World Constraints

A Practical Approach for Taking Down Avalanche Botnets Under Real-World Constraints

Real-Time Detection of Dictionary DGA Network Traffic using Deep Learning

DGA Domain Name Classification Method Based on Long Short-Term Memory with Attention Mechanism

Contact Info

Product

Resources

About