Detecting DGA malware using NetFlow

Grill, Martin; Nikolaev, Ivan; Valeros, Veronica; Řehák, Martin

doi:10.1109/inm.2015.7140486

Cited by 58 publications

(29 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…In [13], a detection model on normal DNS domain names for recognizing abnormal domain names was established, it uses natural language processing (NLP) to analyze the character features. In [14], the method based on network flow information over DNS traffic rather than domain names was proposed, but it is limited by the difficulty of collecting the flow information in large-scale networks. In [15], offline analysis to detect DGA botnets through whitelist filtering and clustering was given.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Detecting Word-Based Algorithmically Generated Domains Using Semantic Analysis

et al. 2019

View full text Add to dashboard Cite

In highly sophisticated network attacks, command-and-control (C&C) servers always use domain generation algorithms (DGAs) to dynamically produce several candidate domains instead of static hard-coded lists of IP addresses or domain names. Distinguishing the domains generated by DGAs from the legitimate ones is critical for finding out the existence of malware or further locating the hidden attackers. The word-based DGAs disclosed in recent network attack events have shown significantly stronger stealthiness when compared with traditional character-based DGAs. In word-based DGAs, two or more words are randomly chosen from one or more specific dictionaries to form a dynamic domain, these regularly generated domains aim to mimic the characteristics of a legitimate domain. Existing DGA detection schemes, including the state-of-the-art one based on deep learning, still cannot find out these domains accurately while maintaining an acceptable false alarm rate. In this study, we exploit the inter-word and inter-domain correlations using semantic analysis approaches, word embedding and the part-of-speech are taken into consideration. Next, we propose a detection framework for word-based DGAs by incorporating the frequency distribution of the words and that of part-of-speech into the design of the feature set. Using an ensemble classifier constructed from Naive Bayes, Extra-Trees, and Logistic Regression, we benchmark the proposed scheme with malicious and legitimate domain samples extracted from public datasets. The experimental results show that the proposed scheme can achieve significantly higher detection accuracy for word-based DGAs when compared with three state-of-the-art DGA detection schemes.

show abstract

Section: Related Workmentioning

confidence: 99%

“…In actual fact, the methods in [12][13][14][15][16] are all limited by the status of the network environment and data integrity. In real networks, especially in large-scale networks, these traffic features are very difficult to collect.…”

Section: Related Workmentioning

confidence: 99%

Detecting Word-Based Algorithmically Generated Domains Using Semantic Analysis

et al. 2019

View full text Add to dashboard Cite

show abstract

“…Anomaly values are acquired with a fuzzy function. Finally, as the proposed method is susceptible to raising a false positive for DNS resolver service, data from the service detection step is used to tackle this problem [7]. Q.…”

Section: Related Workmentioning

confidence: 99%

Cost-Sensitive Distributed Machine Learning for NetFlow-Based Botnet Activity Detection

Kozik

Pawlicki

Choraś

2018

Security and Communication Networks

View full text Add to dashboard Cite

The recent advancements of malevolent techniques have caused a situation where the traditional signature-based approach to cyberattack detection is rendered ineffective. Currently, new, improved, potent solutions incorporating Big Data technologies, effective distributed machine learning, and algorithms countering data imbalance problem are needed. Therefore, the major contribution of this paper is the proposal of the cost-sensitive distributed machine learning approach for cybersecurity. In particular, we proposed to use and implemented cost-sensitive distributed machine learning by means of distributed Extreme Learning Machines (ELM), distributed Random Forest, and Distributed Random Boosted-Trees to detect botnets. The system's concept and architecture are based on the Big Data processing framework with data mining and machine learning techniques. In practical terms in this paper, as a use case, we consider the problem of botnet detection by means of analysing the data in form of NetFlows. The reported results are promising and show that the proposed system can be considered as a useful tool for the improvement of cybersecurity.

show abstract

“…The anomaly detection engine identifies anomalous traffic using ensemble of anomaly detection algorithms, some of them based on Principal component analysis [22][23][24], some detects abrupt changes detection [8], and some even uses fixed rules [25]. Furthermore, there are detectors designed to detect specific type of unwanted behavior like network scans [26] or malware with domain generating algorithm [27]. In total the NetFlow anomaly detection engine uses 16 anomaly detectors.…”

Section: Netflow Anomaly Detectionmentioning

confidence: 99%