Inline DGA Detection with Deep Networks

Yu, Bin; Gray, Daniel L.; Pan, Jie; Cock, Martine De; Nascimento, Anderson C. A.

doi:10.1109/icdmw.2017.96

Cited by 94 publications

(74 citation statements)

References 6 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We also compare the proposed scheme with three state-of-the-art DGA detection schemes, including a feature-based scheme [10], a CNN-based detection scheme [11], a LSTM-based detection scheme [6]. The comparative experimental results are shown in Table 6.…”

Section: Comparative Experiments With the State-of-the-art Methodsmentioning

confidence: 99%

“…However, the detection performance on word-based DGA is still poor. Inspired by [6], a CNN-based DGA detection algorithm was proposed in [11], and the authors made a comparative analysis of the proposed scheme, LSTM-based method, and Random Forest methods. All the above schemes have achieved significantly better detection performance on character-based DGAs than the traditional schemes.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Detecting Word-Based Algorithmically Generated Domains Using Semantic Analysis

et al. 2019

View full text Add to dashboard Cite

In highly sophisticated network attacks, command-and-control (C&C) servers always use domain generation algorithms (DGAs) to dynamically produce several candidate domains instead of static hard-coded lists of IP addresses or domain names. Distinguishing the domains generated by DGAs from the legitimate ones is critical for finding out the existence of malware or further locating the hidden attackers. The word-based DGAs disclosed in recent network attack events have shown significantly stronger stealthiness when compared with traditional character-based DGAs. In word-based DGAs, two or more words are randomly chosen from one or more specific dictionaries to form a dynamic domain, these regularly generated domains aim to mimic the characteristics of a legitimate domain. Existing DGA detection schemes, including the state-of-the-art one based on deep learning, still cannot find out these domains accurately while maintaining an acceptable false alarm rate. In this study, we exploit the inter-word and inter-domain correlations using semantic analysis approaches, word embedding and the part-of-speech are taken into consideration. Next, we propose a detection framework for word-based DGAs by incorporating the frequency distribution of the words and that of part-of-speech into the design of the feature set. Using an ensemble classifier constructed from Naive Bayes, Extra-Trees, and Logistic Regression, we benchmark the proposed scheme with malicious and legitimate domain samples extracted from public datasets. The experimental results show that the proposed scheme can achieve significantly higher detection accuracy for word-based DGAs when compared with three state-of-the-art DGA detection schemes.

show abstract

Section: Comparative Experiments With the State-of-the-art Methodsmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Detecting Word-Based Algorithmically Generated Domains Using Semantic Analysis

et al. 2019

View full text Add to dashboard Cite

show abstract

“…Mac et al [110] also took a similar approach, but used embedding and an LSTM combined with an SVM and a bidirectional LSTM and achieved AUCs of 0.9969 and 0.9964, respectively, on similar datasets. Yu et al [111] performed the same experiment with CNN and an LSTM, with an embedding layer, to perform real-time DGA detection. These methods achieved AUCs of 0.9918 and 0.9896, respectively.…”

Section: Domain Generation Algorithms and Botnet Detectionmentioning

confidence: 99%

A Survey of Deep Learning Methods for Cyber Security

et al. 2019

View full text Add to dashboard Cite

This survey paper describes a literature review of deep learning (DL) methods for cyber security applications. A short tutorial-style description of each DL method is provided, including deep autoencoders, restricted Boltzmann machines, recurrent neural networks, generative adversarial networks, and several others. Then we discuss how each of the DL methods is used for security applications. We cover a broad array of attack types including malware, spam, insider threats, network intrusions, false data injection, and malicious domain names used by botnets.

show abstract

“…c) Qname: 1 million unique domain names originating from a real-time stream of passive DNS data that consists of roughly 10-12 billion DNS queries per day collected from subscribers including ISPs (Internet Service Providers), schools, and businesses. We annotated this stream based on a set of heuristic filtering rules following [7]. Specifically, we labeled as benign all domains that (1) have been resolved at least twice, (2) never resulted in an NXDomain response and (3) span more than 30 days.…”

Section: Data Setsmentioning

confidence: 99%

CharBot: A Simple and Effective Method for Evading DGA Classifiers

et al. 2019

Self Cite

View full text Add to dashboard Cite

Domain generation algorithms (DGAs) are commonly leveraged by malware to create lists of domain names which can be used for command and control (C&C) purposes. Approaches based on machine learning have recently been developed to automatically detect generated domain names in real-time. In this work, we present a novel DGA called CharBot which is capable of producing large numbers of unregistered domain names that are not detected by state-of-the-art classifiers for real-time detection of DGAs, including the recently published methods FANCI (a random forest based on human-engineered features) and LSTM.MI (a deep learning approach). CharBot is very simple, effective and requires no knowledge of the targeted DGA classifiers. We show that retraining the classifiers on CharBot samples is not a viable defense strategy. We believe these findings show that DGA classifiers are inherently vulnerable to adversarial attacks if they rely only on the domain name string to make a decision. Designing a robust DGA classifier may, therefore, necessitate the use of additional information besides the domain name alone. To the best of our knowledge, CharBot is the simplest and most efficient black-box adversarial attack against DGA classifiers proposed to date.

show abstract

Inline DGA Detection with Deep Networks

Cited by 94 publications

References 6 publications

Detecting Word-Based Algorithmically Generated Domains Using Semantic Analysis

Detecting Word-Based Algorithmically Generated Domains Using Semantic Analysis

A Survey of Deep Learning Methods for Cyber Security

CharBot: A Simple and Effective Method for Evading DGA Classifiers

Contact Info

Product

Resources

About