Analyzing the real-world applicability of DGA classifiers

Drichel, Arthur; Meyer, Ulrike; Schüppen, Samuel; Teubert, Dominik

doi:10.1145/3407023.3407030

Cited by 19 publications

(27 citation statements)

References 41 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In detail, the RNN-based approach uses one unidirectional long short-term memory (LSTM) layer for the domain name and one bidirectional LSTM layer to process the features. Before a domain name is fed into the model, we convert every included character to a unique integer and pad the result with zeros from the left side to the maximal domain length of 253 characters [26] as proposed in [13]. This ensures that the model is able to process domain names at any length while using batch learning.…”

Section: Deep Learning Based Classifiersmentioning

confidence: 99%

Finding Phish in a Haystack: A Pipeline for Phishing Classification on Certificate Transparency Logs

Drichel¹,

Drury²,

Brandt³

et al. 2021

Proceedings of the 16th International Conference on Availability, Reliability and Security

Self Cite

View full text Add to dashboard Cite

Current popular phishing prevention techniques mainly utilize reactive blocklists, which leave a "window of opportunity" for attackers during which victims are unprotected. One possible approach to shorten this window aims to detect phishing attacks earlier, during website preparation, by monitoring Certificate Transparency (CT) logs. Previous attempts to work with CT log data for phishing classification exist, however they lack evaluations on actual CT log data. In this paper, we present a pipeline that facilitates such evaluations by addressing a number of problems when working with CT log data. The pipeline includes dataset creation, training, and past or live classification of CT logs. Its modular structure makes it possible to easily exchange classifiers or verification sources to support ground truth labeling efforts and classifier comparisons. We test the pipeline on a number of new and existing classifiers, and find a general potential to improve classifiers for this scenario in the future. We publish the source code of the pipeline and the used datasets along with this paper [12], thus making future research in this direction more accessible. CCS CONCEPTS• Security and privacy → Intrusion detection systems; • Computing methodologies → Machine learning.

show abstract

Section: Deep Learning Based Classifiersmentioning

confidence: 99%

Finding Phish in a Haystack: A Pipeline for Phishing Classification on Certificate Transparency Logs

Drichel¹,

Drury²,

Brandt³

et al. 2021

Proceedings of the 16th International Conference on Availability, Reliability and Security

Self Cite

View full text Add to dashboard Cite

show abstract

“…A variety of different DGA detection techniques have been proposed in the past, which can broadly be divided into context-less [2]- [6] and context-aware approaches [7]- [12]. Context-less approaches only use information that can be extracted from a single domain name to determine whether a domain name is benign or malicious while context-aware approaches use additional contextual information to improve classification performance.…”

Section: A Dga Detectionmentioning

confidence: 99%

“…Context-less approaches only use information that can be extracted from a single domain name to determine whether a domain name is benign or malicious while context-aware approaches use additional contextual information to improve classification performance. Previous studies suggest that context-less approaches achieve state-of-the-art detection performance while being less resource intensive and less privacy invasive than context-aware approaches [2]- [4] [6] .…”

Section: A Dga Detectionmentioning

confidence: 99%

“…The context-less approaches can further be divided into feature-based classifiers such as random forests or support vector machines (e.g., [2]), and feature-less classifiers such as recurrent, convolutional, or residual neural networks [3][4] [6]. The former group uses domain knowledge to extract handcrafted features from a single domain name prior to classification.…”

Section: A Dga Detectionmentioning

confidence: 99%

“…(5) We assume feature sets are shared in the clear, hence no interaction with the target is required. (6) We allow the adversary to be in possession of an arbitrary large data set S ′′ ⊂ S of benign NXDs that does not intersect with the target's data, i.e., S ′′ ∩ S ′ = ∅. (7) We do not restrict the adversary's computational power that he may apply to his own data.…”

Section: A Attack Modelmentioning

confidence: 99%

See 2 more Smart Citations

Sharing FANCI Features: A Privacy Analysis of Feature Extraction for DGA Detection

Holmes,

Drichel,

Meyer

2021

Preprint

Self Cite

View full text Add to dashboard Cite

The goal of Domain Generation Algorithm (DGA) detection is to recognize infections with bot malware and is often done with help of Machine Learning approaches that classify non-resolving Domain Name System (DNS) traffic and are trained on possibly sensitive data. In parallel, the rise of privacy research in the Machine Learning world leads to privacy-preserving measures that are tightly coupled with a deep learning model's architecture or training routine, while non deep learning approaches are commonly better suited for the application of privacy-enhancing methods outside the actual classification module. In this work, we aim to measure the privacy capability of the feature extractor of feature-based DGA detector FANCI (Feature-based Automated Nxdomain Classification and Intelligence). Our goal is to assess whether a data-rich adversary can learn an inverse mapping of FANCI's feature extractor and thereby reconstruct domain names from feature vectors. Attack success would pose a privacy threat to sharing FANCI's feature representation, while the opposite would enable this representation to be shared without privacy concerns. Using three real-world data sets, we train a recurrent Machine Learning model on the reconstruction task. Our approaches result in poor reconstruction performance and we attempt to back our findings with a mathematical review of the feature extraction process. We thus reckon that sharing FANCI's feature representation does not constitute a considerable privacy leakage.

show abstract

Detecting DGA-based botnets through effective phonics-based features

Zhao

Tang

2023

Future Generation Computer Systems

View full text Add to dashboard Cite

Analyzing the real-world applicability of DGA classifiers

Cited by 19 publications

References 41 publications

Finding Phish in a Haystack: A Pipeline for Phishing Classification on Certificate Transparency Logs

Finding Phish in a Haystack: A Pipeline for Phishing Classification on Certificate Transparency Logs

Sharing FANCI Features: A Privacy Analysis of Feature Extraction for DGA Detection

Detecting DGA-based botnets through effective phonics-based features

Contact Info

Product

Resources

About