Congyuan Xu,Jizhong Shen,Xin Du

DOI: https://doi.org/10.1016/j.cose.2019.04.015

IF: 5.105

2019-01-01

Computers & Security

Abstract:Botnets have become one of the main threats to cyberspace security currently. More and more bots utilize the domain generation algorithm (DGA) to generate malicious domain names to communicate with Command & Control (C&C) servers. A well-designed DGA can bypass the traditional detection methods such as sinkhole and rule filtering, which raises new challenges to cyberspace security. In the field of machine learning, the n-gram is a semantic model that characterizes the relationship among neighboring morphemes while deep convolutional neural networks have a robust capability in processing information with translation-invariant properties. In this paper, we combined n-gram and a deep convolutional neural network and then proposed a novel n-gram combined character based domain classification (n-CBDC) model. The n-CBDC model runs in an end-to-end way that doesn’t require hand-extracted features or domain name system (DNS) contextual information; it only needs to input the domain name itself and can automatically estimate the probability that the domain name was generated by DGAs. Experiments on real-world data show that the proposed method can effectively detect domain names generated by DGAs with 98.69% average detection rate and 0.9829 average F-measure, and significantly outperformed the state-of-art methods in detecting pronounceable and wordlist-based DGA domain names with more than 93.89% detection rate. Therefore, the proposed detection method is robust and has a wide range of adaptability in detecting various types of domain names generated by DGAs.

Shaofang Zhou,Lanfen Lin,Junkun Yuan,Feng Wang,Zhaoting Ling,Jia Cui

DOI: https://doi.org/10.1109/isi.2019.8823200

2019-01-01

Abstract:Attackers often use domain generation algorithms (DGAs) to create various kinds of pseudorandom domains dynamically and select a part of them to connect with command and control servers, therefore it is important to automatically detect the algorithmically generated domains (AGDs). AGDs can be broken down into two categories: character-based domains and wordlist-based domains. Recently, methods based on machine learning and deep learning have been widely explored. However, much of the previous work perform well in detecting one kind of DGA families but poorly in classifying another kind. A general detection system which is applicable to both kinds of domains still remains a challenge. To address this problem, we propose a novel real-time detection method with high accuracy as well as high coverage. We first convey a domain name into a sequence of word-level or character-level components, then design a deep neural network based on temporal convolutional network to extract the implicit pattern and classify the domain into two or more categories. Our experimental results demonstrate that our model outperforms state-of-the-art approaches in both binary classification and multi-class classification, and shows a good performance in detecting different kinds of DGAs. Besides, the high training efficiency of our model makes it adjust to new malicious domains quickly.

Qianying Shen,Futai Zou

DOI: https://doi.org/10.1007/978-3-030-63086-7_3

2020-01-01

Abstract:Domain generation algorithms (DGA) are widely used by malware families to realize remote control. Researchers have tried to adopt deep learning methods to detect algorithmically generated domains (AGD) automatically based on only domain strings alone. Usually, such methods analyze the structure and semantic features of domain strings since simple AGDs show great difference in these two aspects. Among various types of AGDs, dictionary-based AGDs are unique for its semantic similarity to normal domains, which makes such detections based on only domain strings difficult. In this paper, we observe that the relationship between domains generated based on a same dictionary shows graphical features. We focus on the detection of dictionary-based AGDs and proposes Word-Map which is based on community detection algorithm to detect dictionary-based AGDs. Word-Map achieved an accuracy above 98.5% and recall rate above 99.0% on testing sets.

You Zhai,Hao Dong,Zhoujun Li,Liqun Yang,Longtao He

DOI: https://doi.org/10.1109/dsc55868.2022.00064

2022-01-01

Abstract:Botnets are starting to use domain generation algorithms (DGAs) extensively to enhance the stealth of command and control (C&C) communications between C&C servers and bots. Domains generated by DGAs are called algorithmically generated domains (AGDs), which also known as malicious domains. Detection of AGDs is a crucial element for fighting botnets and security researchers have proposed a variety of DGA detection methods. In order to avoid the detection of DGA detectors, various types of DGAs are continuously updated. Among them, the dictionary-based malicious domain, with strong camouflage, is the most advanced DGA representative and the previous detection methods are very ineffective on this type of malicious domain. To solve this problem, we explore the dictionary-based malicious domain generation algorithm, and propose, AGDB, a dictionary-based malicious domain detection method based on representation fusion, which combines features extracted from the context-based malicious domain detection model with features extracted from the graph-based malicious domain detection model. The experimental results show that the detection method based on representation fusion significantly outperforms the existing methods in terms of precision and recall.

Mingjiang Duan,Tongya Zheng,Yang Gao,Gang Wang,Zunlei Feng,Xinyu Wang

DOI: https://doi.org/10.1609/aaai.v38i10.29067

2024-01-01

Abstract:Fraud detection has increasingly become a prominent research field due to the dramatically increased incidents of fraud. The complex connections involving thousands, or even millions of nodes, present challenges for fraud detection tasks. Many researchers have developed various graph-based methods to detect fraud from these intricate graphs. However, those methods neglect two distinct characteristics of the fraud graph: the non-additivity of certain attributes and the distinguishability of grouped messages from neighbor nodes. This paper introduces the Dynamic Grouping Aggregation Graph Neural Network (DGA-GNN) for fraud detection, which addresses these two characteristics by dynamically grouping attribute value ranges and neighbor nodes. In DGA-GNN, we initially propose the decision tree binning encoding to transform non-additive node attributes into bin vectors. This approach aligns well with the GNN’s aggregation operation and avoids nonsensical feature generation. Furthermore, we devise a feedback dynamic grouping strategy to classify graph nodes into two distinct groups and then employ a hierarchical aggregation. This method extracts more discriminative features for fraud detection tasks. Extensive experiments on five datasets suggest that our proposed method achieves a 3% ~ 16% improvement over existing SOTA methods. Code is available at https://github.com/AtwoodDuan/DGA-GNN.

Futai Zou,Qianying Shen,Yuzong Hu

DOI: https://doi.org/10.1007/978-3-030-91356-4_21

2021-01-01

Abstract:Domain generation algorithms (DGA) are widely used by malware families to realize remote control. Researchers have tried to adopt deep learning methods to detect algorithmically generated domains (AGD) automatically. Some detection methods based on only domain strings alone are proposed. Usually, such methods analyze the structure and semantic features of domain strings. Among various types of AGDs, dictionary-based AGDs are unique for their semantic similarity to normal domains, which makes such detection based on only domain strings difficult. In this paper, we observe that the relationship between domains generated based on a same dictionary shows graphical features. We focus on the detection of dictionary-based AGDs and propose Word-Map which is based on community detection algorithm to detect dictionary-based AGDs. Word-map achieved great accuracy, recall rate, false positive rate, and missing rate on testing sets.

Kate Highnam,Domenic Puzio,Song Luo,Nicholas R. Jennings

DOI: https://doi.org/10.48550/arXiv.2003.12805

2020-03-28

Abstract:Botnets and malware continue to avoid detection by static rules engines when using domain generation algorithms (DGAs) for callouts to unique, dynamically generated web addresses. Common DGA detection techniques fail to reliably detect DGA variants that combine random dictionary words to create domain names that closely mirror legitimate domains. To combat this, we created a novel hybrid neural network, Bilbo the `bagging` model, that analyses domains and scores the likelihood they are generated by such algorithms and therefore are potentially malicious. Bilbo is the first parallel usage of a convolutional neural network (CNN) and a long short-term memory (LSTM) network for DGA detection. Our unique architecture is found to be the most consistent in performance in terms of AUC, F1 score, and accuracy when generalising across different dictionary DGA classification tasks compared to current state-of-the-art deep learning architectures. We validate using reverse-engineered dictionary DGA domains and detail our real-time implementation strategy for scoring real-world network logs within a large financial enterprise. In four hours of actual network traffic, the model discovered at least five potential command-and-control networks that commercial vendor tools did not flag.

Cryptography and Security,Machine Learning

Zhicheng Liu,Xiaochun Yun,Yongzheng Zhang,Yipeng Wang

DOI: https://doi.org/10.1109/TrustCom/BigDataSE.2019.00027

2019-01-01

Abstract:Botnet is a part of the most destructive threats to network security and is often used in malicious activities. DGA-based botnet, which uses Domain Generation Algorithm (DGA) to evade detection, has become the main channel to carry out online crimes. In the past, many detection mechanisms focusing on domain features are proposed, but the potential problem is that the features extracting only from the domain names are insufficient and the enemies could easily forge them to disturb detection. In this paper, we propose a novel approach named CCGA to detect DGA-based botnet by leveraging the concerted group behaviors of infected hosts on DNS traffic. The analysis of group behaviors enhances the robustness of our system irrespective of various evasion techniques, such as fake-querying, packet encryption and noise generated by normal users. The proposed scheme associates hosts together in an unsupervised way and then uses supervised learning to distinguish whether it's a botnet. Our system is evaluated in a large ISP over two days and compared with the state of art FANCI. Experimental results show that CCGA can accurately and effectively detect DGA-based botnet in a real-world network. Our system also catches 5 unknown botnet groups and provides a novel method to verify them. Therefore, the system will provide an unique perspective on the current state of globally distributed malware, particularly the ones that use DNS.

Xiaoyan Hu,Miao Li,Guang Cheng,Ruidong Li,Hua Wu,Jian Gong

DOI: https://doi.org/10.1109/icc45855.2022.9838409

2022-01-01

Abstract:Domain Generation Algorithms (DGAs) are widely applied in diversified malicious attack patterns such as botnets. Attacks utilize DGAs to dynamically create pseudorandom domains to evade security detection and successfully connect bots with Command and Controls (C&C) servers. The detection of Algorithmically Generated Domains (AGDs) plays an essential role in network attack detection. Most of the existing DGA detectors are machine learning or deep learning-based methods. However, these DGA detectors perform relatively poorly with insufficient training samples, such as small-scale DGA families and emerging DGA variants. Besides, machine learning-based detectors require sophisticated and time-consuming artificial feature extraction, and attackers can circumvent the extracted features. This paper focuses on accurately detecting DGAs based on siamese network with insufficient training samples. Our proposed DGA detection method is referred to as DGAD-SN. DGAD-SN first introduces contrastive learning and adopts the siamese network framework to construct the feature extractor, which excavates the implicit relationship information between characters in the domain name strings using limited training samples. Then machine learning-based DGA classifiers are trained based on the extracted neural feature vectors of domain names to identify AGDs. Our experimental studies suggest that DGAD-SN can efficiently extract distinguishable neural feature vectors for domain names and outperforms state-of-the-art DGA detectors in identifying small-scale DGA families or emerging DGA variants. Its average accuracy is 10%−15% higher than conventional machine learning-based detection methods and about 1%−2% higher than deep learning-based detection methods using limited training samples.

Xin Fang,Xiaoqing Sun,Jiahai Yang,Xinran Liu

DOI: https://doi.org/10.48550/arXiv.2009.09959

2020-09-21

Abstract:DGA-based botnet, which uses Domain Generation Algorithms (DGAs) to evade supervision, has become a part of the most destructive threats to network security. Over the past decades, a wealth of defense mechanisms focusing on domain features have emerged to address the problem. Nonetheless, DGA detection remains a daunting and challenging task due to the big data nature of Internet traffic and the potential fact that the linguistic features extracted only from the domain names are insufficient and the enemies could easily forge them to disturb detection. In this paper, we propose a novel DGA detection system which employs an incremental word-embeddings method to capture the interactions between end hosts and domains, characterize time-series patterns of DNS queries for each IP address and therefore explore temporal similarities between domains. We carefully modify the Word2Vec algorithm and leverage it to automatically learn dynamic and discriminative feature representations for over 1.9 million domains, and develop an simple classifier for distinguishing malicious domains from the benign. Given the ability to identify temporal patterns of domains and update models incrementally, the proposed scheme makes the progress towards adapting to the changing and evolving strategies of DGA domains. Our system is evaluated and compared with the state-of-art system FANCI and two deep-learning methods CNN and LSTM, with data from a large university's network named TUNET. The results suggest that our system outperforms the strong competitors by a large margin on multiple metrics and meanwhile achieves a remarkable speed-up on model updating.

Cryptography and Security

You Zhai,Jian Yang,Zixiang Wang,Longtao He,Liqun Yang,Zhoujun Li

DOI: https://doi.org/10.1109/trustcom56396.2022.00056

2022-01-01

Abstract:Recently Command and Control (C&C) servers have attracted considerable attention in botnets and domain generation algorithms (DGAs) further enhance the stealth of C&C servers. However, Algorithmically Generated Domains (AGDs) generated by DGAs can be easily detected by previous DGA detection approaches. More specifically, the previous DGAs are hard to satisfy domain name rules, low repetition rate, and anti-detection in practical scenarios simultaneously. Designing an outstanding DGA has become a crucial issue from the botnet owner’s perspective. To mitigate these problems, we propose Cdga, a Controllable DGA via Generative Adversarial Networks (GAN), which is a popular backbone model for text generation in the natural language processing (NLP) community.Controllable text generation approaches are adopted by Cdga to ensure no repetition in the generated domain names and compliance with the domain rules. In addition to cheating DGA detectors, GANs are exploited to equip Cdga with a powerful anti-detection ability. Furthermore, our proposed method uses the technique of NLP to force the AGDs to meet language rules, where the generated domain names are difficult for recognition by human. By utilizing the time-dependent seed, Cdga can dynamically generate domain names, ensuring that the malware can connect to the C&C server conditioned on a specific time stamp. Experimental results demonstrate that the domain names generated by our method are realistic enough to be resistant to the state-of-the-art DGA detectors.

Luhui Yang,Jiangtao Zhai,Weiwei Liu,Xiaopeng Ji,Huiwen Bai,Guangjie Liu,Yuewei Dai

DOI: https://doi.org/10.3390/sym11020176

2019-01-01

Abstract:In highly sophisticated network attacks, command-and-control (C&C) servers always use domain generation algorithms (DGAs) to dynamically produce several candidate domains instead of static hard-coded lists of IP addresses or domain names. Distinguishing the domains generated by DGAs from the legitimate ones is critical for finding out the existence of malware or further locating the hidden attackers. The word-based DGAs disclosed in recent network attack events have shown significantly stronger stealthiness when compared with traditional character-based DGAs. In word-based DGAs, two or more words are randomly chosen from one or more specific dictionaries to form a dynamic domain, these regularly generated domains aim to mimic the characteristics of a legitimate domain. Existing DGA detection schemes, including the state-of-the-art one based on deep learning, still cannot find out these domains accurately while maintaining an acceptable false alarm rate. In this study, we exploit the inter-word and inter-domain correlations using semantic analysis approaches, word embedding and the part-of-speech are taken into consideration. Next, we propose a detection framework for word-based DGAs by incorporating the frequency distribution of the words and that of part-of-speech into the design of the feature set. Using an ensemble classifier constructed from Naive Bayes, Extra-Trees, and Logistic Regression, we benchmark the proposed scheme with malicious and legitimate domain samples extracted from public datasets. The experimental results show that the proposed scheme can achieve significantly higher detection accuracy for word-based DGAs when compared with three state-of-the-art DGA detection schemes.

Chunyu Han,Yongzheng Zhang

DOI: https://doi.org/10.1109/iccsnt.2017.8343724

2017-01-01

Abstract:Domain plays an important role as one of the components on the Internet, so more and more malicious behavior has been conducted by using domains, such as spam, botnet, phishing and the like. DGA (Domain Generation Algorithm), one kind of DNS technology, has been used by domain-flux commonly in botnets. In this paper, we propose a method called CODDULM (C&c domains Of Dga Detection Using Lexical feature and sparse Matrix). Firstly, it finds the NXDomains (Non-existent domains) on the passive DNS traffic to locate the suspicious infected hosts. Secondly, it selects DGA domains by lexical features according to suspicious infected hosts. Lastly, it discovers DGA C&C (Command and Control) domains through SVM (Support Vector Machine algorithm) classifier. At the end of this paper, we conduct the experiment to verify the effect of the method and the high accuracy of it.

Xiaoyan Hu,Di Li,Miao Li,Guang Cheng,Ruidong Li,Hua Wu

DOI: https://doi.org/10.1016/j.comnet.2024.110770

IF: 5.493

2024-01-01

Computer Networks

Abstract:Many cyber-attacks use Algorithmically Generated Domain (AGD) names to establish connections with command and control servers for subsequent attack behaviors. Identifying and blocking such AGDs helps detect and prevent attacks quickly. Traditional machine or deep learning detection methods rely only on individual domain features and face challenges in accurately distinguishing AGDs that attackers have crafted to evade detection. Thus, researchers leverage the inherent associated features among domains, clients, and resolved IP addresses to detect AGDs. In such research, heterogeneous graph neural networks are extensively employed. However, most existing methods rely on associated features, leading to inaccurate detection of isolated domain nodes. Besides, most existing detection methods employ transductive learning and are time-consuming. This paper proposes an AGD detection method, AHDom, to address these challenges. AHDom models DNS traffic as a Heterogeneous Information Network (HIN) to capture the intricate relationships between domains, clients, and resolved IP addresses. Besides, it extracts character and behavior features as initial attributes of domains to obtain an Attribute HIN (AHIN), enhancing the detection accuracy of isolated domain nodes. Based on the AHIN, it combines meta-path random walk, the inductive learning algorithm GraphSAGE, and the attention mechanism to obtain effective embedding representations of domain nodes. Ultimately, it achieves domain classification based on embedding representations of domain nodes. Our experimental results demonstrate that AHDom is superior to state-of-the-art methods in the performance and efficiency of detecting AGDs. AHDom achieves an average accuracy of 98.74% on our constructed dataset and costs only about 30.23% of the existing best graph neural network approach in the testing time.

Yu Chen,Sheng Yan,Tianyu Pang,Rui Chen

DOI: https://doi.org/10.1109/SSIC.2018.8556788

2018-01-01

Abstract:Domain Generation Algorithm (DGA) technique has been widely used by botnets as a covert command and control (C &C) channel of issuing control or attack commands through various DGA domains. This method can evade blacklisting detection and bring new challenges to the current detection method. This paper extracts feature set which is helpful to differentiate between malicious DGA domains and benign domains, and uses the Support Vector Machine (SVM) algorithm to train the detection model. Experimental results demonstrate that the detection method proposed in this paper is powerful with a high true positive rate 95% and a low false positive rate 1%.

Ryan R. Curtin,Andrew B. Gardner,Slawomir Grzonkowski,Alexey Kleymenov,Alejandro Mosquera,Ryan R. Curtin,Andrew B. Gardner,Slawomir Grzonkowski,Alexey Kleymenov,Alejandro Mosquera

DOI: https://doi.org/10.1145/3339252.3339258

2019-08-26

Abstract:Modern malware typically makes use of a domain generation algorithm (DGA) to avoid command and control domains or IPs being seized or sinkholed. This means that an infected system may attempt to access many domains in an attempt to contact the command and control server. Therefore, the automatic detection of DGA domains is an important task, both for the sake of blocking malicious domains and identifying compromised hosts. However, many DGAs use English wordlists to generate plausibly clean-looking domain names; this makes automatic detection difficult. In this work, we devise a notion of difficulty for DGA families called the smashword score; this measures how much a DGA family looks like English words. We find that this measure accurately reflects how much a DGA family's domains look like they are made from natural English words. We then describe our new modeling approach, which is a combination of a novel recurrent neural network architecture with domain registration side information. Our experiments show the model is capable of effectively identifying domains generated by difficult DGA families. Our experiments also show that our model outperforms existing approaches, and is able to reliably detect difficult DGA families such as matsnu, suppobox, rovnix, and others. The model's performance compared to the state of the art is best for DGA families that resemble English words. We believe that this model could either be used in a standalone DGA domain detector---such as an endpoint security application---or alternately the model could be used as a part of a larger malware detection system.

Chaoyi Zheng,Qian Qiang,Tianning Zang,Wenhan Chao,Yuan Zhou

DOI: https://doi.org/10.1109/msn48538.2019.00057

2019-01-01

Abstract:As DGA (Domain Generation Algorithm) detection technologies and systems become more and more complex, more types of AGD (Algorithmically Generated Domain) appear: Dictionary-based AGD, Hash-based AGD, etc. This paper applies deep learning to the field of network security, proposes a lightweight AGD detection approach, Themis, which can classify domain names into legitimate domain names or AGDs through domain name strings. Themis combines WordNet and GRU to capture the different characteristics of legitimate domain name and AGD for classification. Compared with the prior art, Themis has two differences: 1) Themis is the first approach to detect mixed AGD (Arithmetic-based and Dictionary-based); 2) Themis performs well in detecting unknowns AGD.

yongzheng zhang,jun xiao

DOI: https://doi.org/10.1007/978-3-662-43908-1_17

2014-01-01

Abstract:To achieve the goals of concealment and migration, some Bot Nets, such as Conficker, Srizbis and Torpig, use Domain Generation Algorithm (DGA) to produce a large number of random domain names dynamically. Then a small subset of these domain names would be selected for actual C&C. Compared with normal domain names, these domain names generated by DGA have significant difference in length, character frequency, etc. Current researches mainly use clustering-classification methods to Detect abnormal domain name. Some of them use NXDomain traffic clustering, other researches based on the classification of string features, such as the distribution of alphanumeric characters and bigram. In fact, domain name has strict hierarchy and each domain level has particular regularities. In this paper, the hierarchical characteristic is introduced into the detection process. We divide the domain name into distinct levels and calculate the characteristic value separately. In each level, we use entropy, bigram and length detections. Because of different efficiency in levels, we design the weigh for each level based on their efficiency. Finally, the level characteristic value of domain name is the weighted average value of levels. Our experiments show that the accuracy of the level-based method is higher than 94 %.

Shaojie Chen,Bo Lang,Yikai Chen,Chong Xie

DOI: https://doi.org/10.3390/app13074406

2023-01-01

Applied Sciences

Abstract:Domain generation algorithms (DGAs) play an important role in network attacks and can be mainly divided into two types: dictionary-based and character-based. Dictionary-based algorithmically generated domains (AGDs) are similar in composition to normal domains and are harder to detect. Although methods based on meaningful word segmentation and n-gram sequence features exhibit good detection performance for AGDs, they are inadequate for mining meaningful word features of domain names, and the performance of hybrid detection of character-based and dictionary-based AGDs needs to be further improved. Therefore, in this paper, we first describe the composition of dictionary-based AGDs using meaningful word segmentation, introduce the standard deviation to better measure the word distribution features, and construct additional 11-dimensional statistical features for word segmentation results as a supplement. Then, by combining 3-gram and 1-gram sequence features, we improve the detection performance for both character-based and dictionary-based AGDs. Finally, we perform feature fusion of the above four kinds of features to achieve an end-to-end detection method for both kinds of AGDs. Experimental results showed that our method achieved an accuracy of 97.24% on the full dataset and better accuracy and F1 values than existing methods on both dictionary-based and character-based AGD datasets.

Jianbing Liang,Shuhui Chen,Ziling Wei,Shuang Zhao,Wei Zhao,Jianbing Liang,Shuhui Chen,Ziling Wei,Shuang Zhao,Wei Zhao

DOI: https://doi.org/10.1016/j.cose.2022.102803

2022-09-01

Abstract:The botnet relies on the Command and Control (C&C) channels to conduct its malicious activities remotely. The Domain Generation Algorithm (DGA) is often used by botnets to hide their Command and Control (C&C) server and evade take-down attempts, which allows the bot to generate a large number of domain names until it finds its C&C server. The lengths of domain names generated by DGAs are different. Our research finds that the length of the domain name has an impact on the performance of the DGA domain name detection model. In other words, the model is sensitive to the length of the domain name. In this case, attackers can evade detection simply by designing domain names of specific lengths. Moreover, the detection accuracy of DGA domain names still needs to be further improved. To solve these problems, three feature extraction methods adapted to the length of the domain name are proposed in this paper. For extra-short domain names, we use the attention-based method to extract features, which can make use of the character-level semantic feature. For moderate-length domain names, a two-dimensional structure, namely Right Shifted Tensor (RST), is constructed to make the domain name present apparent features similar to images. For the extra-long domain name, the effective classification of domain names can be achieved by manually crafted easy-to-calculate features. Then, different detection structures are designed based on these tree feature extraction methods to form a heterogeneous DGA detection model, namely HAGDetector. In addition, the public suffix is an important part of the domain name. We further analyze the public suffix to evaluate its impact on the detection of DGA domain names. Finally, the experiments are conducted to assess the validity of HAGDetector, as well as compare our approach with the current state-of-the-art and highlight the impact of the domain name length. The experimental results show that our method greatly improves the detection performance.

computer science, information systems