An approach for detecting malicious domain names generated by dictionary-based DGA

Abstract

Abstract: A large number of botnets began to use dictionary-based domain generation algorithm（DGA） for command and control, making computer networks face more serious threats. Aiming at the problem that the malicious domain names generated by dictionary-based DGA has feature similar to the normal domain name, which make traditional detection method based on domain name character statistics and 2-gram model gradually invalid, a method to identify the dictionary-based malicious domain name based on the relationship between words that constitute the domain name string is proposed. Experimental results show that the Accuracy of the proposed method is 3.45% higher than that of the method based on domain character statistics and 2.84% higher than that of the 2-gram model for dictionary-based DGA family.

Key words: botnet, dictionary-based Domain Generation Algorithm, domain generation algorithm, relationship between words, network security

摘要： 大量僵尸网络开始采用字典型域名生成算法（Domain Generation Algorithm，DGA）进行命令与控制（C&C）, 使得计算机网络面临愈加严重的威胁。针对字典型域名生成算法所生成的恶意域名具有与正常域名相似的字符特征，传统的基于域名字符统计特征与2-gram模型的检测方法逐渐失效的问题，提出一种基于构成域名字符串的单词的词间关系来识别字典型恶意域名的方法。实验结果表明，对于字典型恶意域名家族，该方法的F1 score值比基于域名字符统计特征的方法提升了3.45%，比2-gram模型提升了2.84%。

关键词: 僵尸网络, 字典型域名生成算法, 域名生成算法, 词间关系, 网络安全

席一帆, 汪洋, 张钰, . 基于域名词间关系的字典型恶意域名检测方法[J]. 信息安全研究, 2022, 8(2): 129-.

References

[1] LI C, JIANG W, ZOU X. Botnet: Survey and case study[C]// Proc of 2009 Fourth International Conference on Innovative Computing, Information and Control (ICICIC).Piscataway, NJ:IEEE,2009

[2] 崔丽娟. 僵尸网络综述 [J]. 信息安全研究, 2017, 3(7): 589-600.

[3] DAGON D. Botnet detection and response[C]// Proc of OARC workshop. Santa Clara: Cisco Systems,2005

[4] GEER D. Malicious bots threaten network security [J]. Computer, 2005, 38(1): 18-20.

[5] 方滨兴, 崔翔, 王威. 僵尸网络综述 [J]. 计算机研究与发展, 2011, 48(8): 1315.

[6] SOOD A K, ZEADALLY S. A taxonomy of domain-generation algorithms [J]. IEEE Security & Privacy, 2016, 14(4): 46-53.

[7] MCCARTY B. Botnets: Big and bigger [J]. IEEE Security & Privacy, 2003, 1(4): 87-90.

[8] ANTONAKAKIS M, PERDISCI R, NADJI Y, et al. From throw-away traffic to bots: detecting the rise of DGA-based malware[C]// Proc of 21st USE-NIX Security Symposium.Berkeley，

CA:USENIX,2012

[9] SCHIAVONI S, MAGGI F, CAVALLARO L, et al. Phoenix: DGA-based

botnet tracking and intelligence[C]//

Proc of International Conference on

Detection of Intrusions and Malware, and Vulnerability Assessment.Berlin，

German:Springer,2014

[10] WANG T-S, LIN H-T, CHENG W-T, et al. DBod: Clustering and detecting DGA-based botnets using DNS traffic analysis [J]. Computers Security, 2017, 64: 1-15.

[11] BOSHMAF Y, MUSLUKHOV I, BE-ZNOSOV K, et al. Design and analy-sis of a social botnet [J]. Computer Networks, 2013, 57(2): 556-78.

[12] PLOHMANN D, YAKDAN K, KLATT M, et al. A comprehensive measurement study of domain generating malware[C]// Proc of 25th {USENIX} Security Symposium ({USENIX} Security 16).

[13] TRUONG D T, CHENG G. Detecting domain‐flux botnet based on DNS traffic features in managed network [J]. Security Communication Networks, 2016, 9(14): 2338-47.

[14] ANDERSON H S, WOODBRIDGE J, FILAR B. DeepDGA: Adversariallyt-uned domain generation and detection[C]// Proc of 2016 ACM Workshop on Artificial Intelligence and Security.New York:ACM,2016

[15] 王媛媛, 吴春江, 刘启和. 恶意域名检测研究与应用综述 [J]. 计算机应用与软件, 2019, 36(09): 310-6.

[16] YADAV S, REDDY A K K, REDD-YA N, et al. Detecting algorithmically generated domain-flux attacks with DNS traffic analysis [J]. IEEE/Acm Transactions on Networking, 2012, 20(5): 1663-77.

[17] PEREIRA M, COLEMAN S, YU B, et al. Dictionary extraction and detect-ion of algorithmically generated doma-in names in passive DNS traffic[C] //

Proc of International Symposium on

Research in Attacks, Intrusions, and

Defenses. Berlin,German:Springer,2018

[18] Highnam, Kate，Puzio Domenic，Luo Song et al. Real-time detection of dictionary dga network traffic using deep learning[J]. SN Computer Science，2021，2(2)：1-17.

[19] CHOWDHURY S, KHANZADEH M, AKULA R, et al. Botnet detection using graph-based feature clustering [J]. Journal of Big Data, 2017, 4(1): 1-23.

[20] YU B, GRAY D L, PAN J, et al. Inline DGA detection with deep networks[C]// Proc of 2017 IEEE International Conference on Data Mining Workshops (ICDMW).Piscataway, NJ:IEEE.2017

[21] ANDERSON D.Wordninja[CP].2021.

https://github.com/keredson/wordninja

[22] DANIEL P. DGArchive-Fraunhofer F-KIE [DB].2021