Detecting DGA domains with recurrent neural networks and side information

Curtin, Ryan R.; Gardner, Alex; Grzonkowski, Slawomir; Kleymenov, Alexey; Mosquera, Alejandro

doi:10.1145/3339252.3339258

Cited by 44 publications

(28 citation statements)

References 36 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In the case of [31], the authors are able to characterize and classify similar DGA-generated domains, generating knowledge about the evolving behaviour of botnets. More recently, Curtin et al developed the smashword score [32], a new metric that uses n-gram overlapping combined with information provided from WHOIS lookups to determine whether a DGA has generated a domain name or not. For a detailed overview and classification of methods of how malicious domains can be detected, the interested reader may refer to [33].…”

Section: Related Workmentioning

confidence: 99%

Encrypted and covert DNS queries for botnets: Challenges and countermeasures

Patsakis

Casino

Katos

2020

Computers & Security

View full text Add to dashboard Cite

There is a continuous increase in the sophistication that modern malware exercise in order to bypass the deployed security mechanisms. A typical approach to evade the identification and potential take down of a botnet command and control server is domain fluxing through the use of Domain Generation Algorithms (DGAs). These algorithms produce a vast amount of domain names that the infected device tries to communicate with to find the C&C server, yet only a small fragment of them is actually registered. This allows the botmaster to pivot the control and make the work of seizing the botnet control rather difficult.Current state of the art and practice considers that the DNS queries performed by a compromised device are transparent to the network administrator and therefore can be monitored, analysed, and blocked. In this work, we showcase that the latter is a strong assumption as malware could efficiently hide its DNS queries using covert and/or encrypted channels bypassing the detection mechanisms. To this end, we discuss possible mitigation measures based on traffic analysis to address the new challenges that arise from this approach.

show abstract

Section: Related Workmentioning

confidence: 99%

Encrypted and covert DNS queries for botnets: Challenges and countermeasures

Patsakis

Casino

Katos

2020

Computers & Security

View full text Add to dashboard Cite

show abstract

“…According to the authors, the model could detect 97.3% of malware-generated domain names with a low false positive rate. Curtin et al [55] also took a similar approach using the generalized likelihood ratio test (GLRT) and achieved promising results.…”

Section: Identifying Domain Names Generated By Dgasmentioning

confidence: 99%

Artificial Intelligence in the Cyber Domain: Offense and Defense

2020

View full text Add to dashboard Cite

Artificial intelligence techniques have grown rapidly in recent years, and their applications in practice can be seen in many fields, ranging from facial recognition to image analysis. In the cybersecurity domain, AI-based techniques can provide better cyber defense tools and help adversaries improve methods of attack. However, malicious actors are aware of the new prospects too and will probably attempt to use them for nefarious purposes. This survey paper aims at providing an overview of how artificial intelligence can be used in the context of cybersecurity in both offense and defense.

show abstract

“…The results show that DL models perform well when compared to ML models and LSTM achieves the highest detection accuracy. In [568], a RNN based robust DGA detection system which takes advantage of additional WHOIS information if available to enhance the performance of the system and to classify much more difficult DGA families. A novel measure called smashword score is also proposed which ranks DGAs based on how close the domains resemble English words.…”

Section: A Deep Learning In Intrusion Detectionmentioning

confidence: 99%