A Detection Scheme for DGA Domain Names Based on SVM

Wang, Zhen; Jia, Zhongtian; Zhang, Bo

doi:10.2991/mmsa-18.2018.58

Cited by 7 publications

(5 citation statements)

References 11 publications

(12 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Content may change prior to final publication. [14], [20], [27], [29] sld_len Second level domain length [13], [14], [20] tld_len Top level domain length [13], [14], [20] uni_domain Domain Unique Characters length [13], [14], [20] uni_sld SLD Unique Characters length [13], [14], [20] uni_tld TLD Unique Characters length [13], [14], [20] flag_dga Has malicious TLD [13], [14], [20], [27] tld_hash TLD Hash [6], [13], [14], [20] flag_dig Starts with Digit [6], [13], [14], [20] sym Symbol ratio [6], [13], [14], [20] hex Hex ratio [6], [13], [14], [20] dig Digit Ratio [4], [11]- [14], [17], [20], [29] vow Vowel Ratio [4], [6]...…”

Section: Lexical Featuresmentioning

confidence: 99%

“…The RData in a DNS response encompasses a list of resolved IP addresses, the time-to-live value of the query and the type of resource record. [8], [5], [4], [15], [26] [27], [6], [14], [13], [28] Side information features [29], [30], [16], [31], [32] our work Domain name string + [18], [33], [3], [34], [35] our work side information features [17], [10], [11], [12] TABLE I Overview of existing work on DGA detection ture would be "multi-valued". Alternatively, if the location could not be identified, then this feature takes the value "unknown".…”

Section: Side Informationmentioning

confidence: 99%

“…The value of the feature domain len for the domain name "google.com" is 10. [20], [14], [6], [13], [4], [26], [28], [11], [12] sld len Second level domain length [20], [14], [13] tld len Top level domain length [20], [14], [13] uni domain Domain Unique Characters length [20], [14], [13] uni sld SLD Unique Characters length [20], [14], [13] uni tld TLD Unique Characters length [20], [14], [13] flag dga Has malicious TLD [20], [14], [13], [26] tld hash TLD Hash [20], [14], [13], [6] flag dig…”

Section: Lexical Featuresmentioning

confidence: 99%

“…[20], [14], [13], [6] sym Symbol ratio [20], [14], [13], [6] hex Hex ratio [20], [14], [13], [6] dig Digit Ratio [20], [14], [13], [4], [28], [17], [11], [12] vow Vowel Ratio [20], [14], [13], [6], [4], [28] con Consonant Ratio [20], [14], [13] rep char ratio Ratio of Repeated Characters [20], [14], [4] cons con ratio Ratio of Consecutive Consonants [20], [14], [4], [28] cons dig ratio Ratio of Consecutive Digits [20], [14], [4] tokens sld Number of tokens in SLD [20], [14], [13], [26] digits sld Number of digits in SLD [20], [14], [13], [26] ent Entropy of characters in SLD [20], [14], …”

Section: Starts With Digitmentioning

confidence: 99%

See 3 more Smart Citations

Inline Detection of DGA Domains Using Side Information

Sivaguru

Peck

Olumofin³

et al. 2020

IEEE Access

View full text Add to dashboard Cite

Malware applications typically use a command and control (C&C) server to manage bots to perform malicious activities. Domain Generation Algorithms (DGAs) are popular methods for generating pseudo-random domain names that can be used to establish a communication between an infected bot and the C&C server. In recent years, machine learning based systems have been widely used to detect DGAs. There are several well known state-of-the-art classifiers in the literature that can detect DGA domain names in real-time applications with high predictive performance. However, these DGA classifiers are highly vulnerable to adversarial attacks in which adversaries purposely craft domain names to evade DGA detection classifiers. In our work, we focus on hardening DGA classifiers against adversarial attacks. To this end, we train and evaluate stateof-the-art deep learning and random forest (RF) classifiers for DGA detection using side information that is harder for adversaries to manipulate than the domain name itself. Additionally, the side information features are selected such that they are easily obtainable in practice to perform inline DGA detection. The performance and robustness of these models is assessed by exposing them to one day of real-traffic data as well as domains generated by adversarial attack algorithms. We found that the DGA classifiers that rely on both the domain name and side information have high performance and are more robust against adversaries.

show abstract

Section: Lexical Featuresmentioning

confidence: 99%

Section: Side Informationmentioning

confidence: 99%

Section: Lexical Featuresmentioning

confidence: 99%

Section: Starts With Digitmentioning

confidence: 99%

See 2 more Smart Citations

Inline Detection of DGA Domains Using Side Information

Sivaguru

Peck

Olumofin³

et al. 2020

IEEE Access

View full text Add to dashboard Cite

show abstract

“…In order to detect DGA domains, Yadav et al [4] proposed a technique based on the significant difference between traditional DGA domains and human generated domains in terms of the distribution of alphanumeric characters. In addition, Antonakakis et al [1], Schüppen et al [5] and Wang et al [6] proposed machine-learning based DGA detectors using human-engineered lexical features of DGA domain names, while Tong et al [7], Lison et al [8] and Tran et al [9] came up with some methods using deep learning algorithms such as CNN, LSTM, and BiLSTM. However, attackers have designed a more resilient class of mAGDs produced by randomly selecting and concatenating words from a dictionary in order to imitate legitimate domain names created by a human.…”

Section: A Dga and Dga Detectionmentioning

confidence: 99%

Domain-Embeddings Based DGA Detection with Incremental Training Method

Fang

Sun

Yang

et al. 2020

2020 IEEE Symposium on Computers and Communications (ISCC)

View full text Add to dashboard Cite

DGA-based botnet, which uses Domain Generation Algorithms (DGAs) to evade supervision, has become a part of the most destructive threats to network security. Over the past decades, a wealth of defense mechanisms focusing on domain features have emerged to address the problem. Nonetheless, DGA detection remains a daunting and challenging task due to the big data nature of Internet traffic and the potential fact that the linguistic features extracted only from the domain names are insufficient and the enemies could easily forge them to disturb detection. In this paper, we propose a novel DGA detection system which employs an incremental word-embeddings method to capture the interactions between end hosts and domains, characterize time-series patterns of DNS queries for each IP address and therefore explore temporal similarities between domains. We carefully modify the Word2Vec algorithm and leverage it to automatically learn dynamic and discriminative feature representations for over 1.9 million domains, and develop an simple classifier for distinguishing malicious domains from the benign. Given the ability to identify temporal patterns of domains and update models incrementally, the proposed scheme makes the progress towards adapting to the changing and evolving strategies of DGA domains. Our system is evaluated and compared with the state-of-art system FANCI and two deep-learning methods CNN and LSTM, with data from a large university's network named TUNET. The results suggest that our system outperforms the strong competitors by a large margin on multiple metrics and meanwhile achieves a remarkable speed-up on model updating.

show abstract