Estimating the Randomness of Domain Names for DGA Bot Callbacks

Satoh, Akihiro; Nakamura, Yutaka; Nobayashi, Daiki; Ikenaga, Takeshi

doi:10.1109/lcomm.2018.2828800

Cited by 7 publications

(4 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This framework leverages the behaviors of DNS queries for detecting infected machines because C&C domains have different characteristics when compared with other domains. Besides the above work, various methods based on query behaviors have been proposed for detecting the certain types of threats, such as botnets [20], advanced persistent threat attacks [21], and water torture attacks [22].…”

Section: Related Workmentioning

confidence: 99%

A Cause-Based Classification Approach for Malicious DNS Queries Detected Through Blacklists

et al. 2019

Self Cite

View full text Add to dashboard Cite

Some of the most serious security threats facing computer networks involve malware. To prevent this threat, administrators need to swiftly remove the infected machines from their networks. One common way to detect infected machines in a network is by monitoring communications based on blacklists. However, detection using this method has the following two problems: no blacklist is completely reliable, and blacklists do not provide sufficient evidence to allow administrators to determine the validity and accuracy of the detection results. Therefore, simply matching communications with blacklist entries is insufficient, and administrators should pursue their detection causes by investigating the communications themselves. In this paper, we propose an approach for classifying malicious DNS queries detected through blacklists by their causes. This approach is motivated by the following observation: a malware communication is divided into several transactions, each of which generates queries related to the malware; thus, surrounding queries that occur before and after a malicious query detected through blacklists help in estimating the cause of the malicious query. Our cause-based classification drastically reduces the number of malicious queries to be investigated because the investigation scope is limited to only representative queries in the classification results. In experiments, we have confirmed that our approach could group 388 malicious queries into 3 clusters, each consisting of queries with a common cause. These results indicate that administrators can briefly pursue all the causes by investigating only representative queries of each cluster, and thereby swiftly address the problem of infected machines in the network.

show abstract

Section: Related Workmentioning

confidence: 99%

A Cause-Based Classification Approach for Malicious DNS Queries Detected Through Blacklists

et al. 2019

Self Cite

View full text Add to dashboard Cite

show abstract

“…This proposed approach was initially introduced in our previous work [40]. In this paper, we considerably extend the previous study by further enhancing the sophistication of each function, evaluating the approach from various perspectives through experiments, extensively discussing the experimental results, and comparing our approach with several published methods.…”

Section: Proposalmentioning

confidence: 83%

A Superficial Analysis Approach for Identifying Malicious Domain Names Generated by DGA Malware

Satoh

Fukuda

Hayashi

et al. 2020

IEEE Open J. Commun. Soc.

Self Cite

View full text Add to dashboard Cite

Some of the most serious security threats facing computer networks involve malware. To prevent malware-related damage, administrators must swiftly identify and remove the infected machines that may reside in their networks. However, many malware families have domain generation algorithms (DGAs) to avoid detection. A DGA is a technique in which the domain name is changed frequently to hide the callback communication from the infected machine to the command-and-control server. In this paper, we propose an approach for estimating the randomness of domain names by superficially analyzing their character strings. This approach is based on the following observations: human-generated benign domain names tend to reflect the intent of their domain registrants, such as an organization, product, or content. In contrast, dynamically generated malicious domain names consist of meaningless character strings because conflicts with already registered domain names must be avoided; hence, there are discernible differences in the strings of dynamically generated and human-generated domain names. Notably, our approach does not require any prior knowledge about DGAs. Our evaluation indicates that the proposed approach is capable of achieving recall and precision as high as 0.9960 and 0.9029, respectively, when used with labeled datasets. Additionally, this approach has proven to be highly effective for datasets collected via a campus network. Thus, these results suggest that malware-infected machines can be swiftly identified and removed from networks using DNS queries for detected malicious domains as triggers.

show abstract

“…The domain name that returns the correct response is considered as the C&C. However, since the lifetimes of domain names generated for such callbacks are extremely short, it is difficult for conventional security appliances that monitor communications with known malicious domains to detect callbacks caused by DGA malware. Some previous studies [3][4][5] have focused on identifying discernible differences in the character strings of benign and malicious domain names for detecting the callbacks of DGA malware. For example, Truong et al [4] proposed a method that learns and predicts the character patterns in domain names using bigram models with supervised learning algorithms, and Anderson et al [5] extended this method to include characterlevel modeling with long short-term memory (LSTM) networks.…”

Section: Introductionmentioning

confidence: 99%

A Word-Level Analytical Approach for Identifying Malicious Domain Names Caused by Dictionary-Based DGA Malware

et al. 2021

Self Cite

View full text Add to dashboard Cite

Computer networks are facing serious threats from the emergence of malware with sophisticated DGAs (Domain Generation Algorithms). This type of DGA malware dynamically generates domain names by concatenating words from dictionaries for evading detection. In this paper, we propose an approach for identifying the callback communications of such dictionary-based DGA malware by analyzing their domain names at the word level. This approach is based on the following observations: These malware families use their own dictionaries and algorithms to generate domain names, and accordingly, the word usages of malware-generated domains are distinctly different from those of human-generated domains. Our evaluation indicates that the proposed approach is capable of achieving accuracy, recall, and precision as high as 0.9989, 0.9977, and 0.9869, respectively, when used with labeled datasets. We also clarify the functional differences between our approach and other published methods via qualitative comparisons. Taken together, these results suggest that malware-infected machines can be identified and removed from networks using DNS queries for detected malicious domain names as triggers. Our approach contributes to dramatically improving network security by providing a technique to address various types of malware encroachment.

show abstract

Estimating the Randomness of Domain Names for DGA Bot Callbacks

Cited by 7 publications

References 9 publications

A Cause-Based Classification Approach for Malicious DNS Queries Detected Through Blacklists

A Cause-Based Classification Approach for Malicious DNS Queries Detected Through Blacklists

A Superficial Analysis Approach for Identifying Malicious Domain Names Generated by DGA Malware

A Word-Level Analytical Approach for Identifying Malicious Domain Names Caused by Dictionary-Based DGA Malware

Contact Info

Product

Resources

About