Congyuan Xu,Jizhong Shen,Xin Du

DOI: https://doi.org/10.1016/j.cose.2019.04.015

IF: 5.105

2019-01-01

Computers & Security

Abstract:Botnets have become one of the main threats to cyberspace security currently. More and more bots utilize the domain generation algorithm (DGA) to generate malicious domain names to communicate with Command & Control (C&C) servers. A well-designed DGA can bypass the traditional detection methods such as sinkhole and rule filtering, which raises new challenges to cyberspace security. In the field of machine learning, the n-gram is a semantic model that characterizes the relationship among neighboring morphemes while deep convolutional neural networks have a robust capability in processing information with translation-invariant properties. In this paper, we combined n-gram and a deep convolutional neural network and then proposed a novel n-gram combined character based domain classification (n-CBDC) model. The n-CBDC model runs in an end-to-end way that doesn’t require hand-extracted features or domain name system (DNS) contextual information; it only needs to input the domain name itself and can automatically estimate the probability that the domain name was generated by DGAs. Experiments on real-world data show that the proposed method can effectively detect domain names generated by DGAs with 98.69% average detection rate and 0.9829 average F-measure, and significantly outperformed the state-of-art methods in detecting pronounceable and wordlist-based DGA domain names with more than 93.89% detection rate. Therefore, the proposed detection method is robust and has a wide range of adaptability in detecting various types of domain names generated by DGAs.

Shaofang Zhou,Lanfen Lin,Junkun Yuan,Feng Wang,Zhaoting Ling,Jia Cui

DOI: https://doi.org/10.1109/isi.2019.8823200

2019-01-01

Abstract:Attackers often use domain generation algorithms (DGAs) to create various kinds of pseudorandom domains dynamically and select a part of them to connect with command and control servers, therefore it is important to automatically detect the algorithmically generated domains (AGDs). AGDs can be broken down into two categories: character-based domains and wordlist-based domains. Recently, methods based on machine learning and deep learning have been widely explored. However, much of the previous work perform well in detecting one kind of DGA families but poorly in classifying another kind. A general detection system which is applicable to both kinds of domains still remains a challenge. To address this problem, we propose a novel real-time detection method with high accuracy as well as high coverage. We first convey a domain name into a sequence of word-level or character-level components, then design a deep neural network based on temporal convolutional network to extract the implicit pattern and classify the domain into two or more categories. Our experimental results demonstrate that our model outperforms state-of-the-art approaches in both binary classification and multi-class classification, and shows a good performance in detecting different kinds of DGAs. Besides, the high training efficiency of our model makes it adjust to new malicious domains quickly.

Hongyu Yang,Tao Zhang,Ze Hu,Liang Zhang,Xiang Cheng

DOI: https://doi.org/10.1109/trustcom60117.2023.00099

2024-01-01

Abstract:The domain name features used in the existing domain name detection methods about domain generation algorithm (DGA) are generally easy to evade, which results in some common DGA domain name detection methods failing to effectively detect the DGA domain name. To solve the issues, we propose a DGA domain name detection method based on two-stage feature reinforcement. Firstly, we encode the domain name to obtain the domain name word vector. Secondly, the slice pyramid network (SPN) is used to process the word vector to extract the domain name feature. Thirdly, we reinforce the domain name feature by using the two-stage reinforcement method we proposed. The two-stage reinforcement method reinforces the domain name feature by adding domain name semantic information to the extracted features and reducing feature information redundancy to improve the stability of the domain name feature, meanwhile, we convert the reinforced domain name feature to the primary capsules to reduce feature loss. Finally, we use the dynamic routing algorithm to process the primary capsules to generate digital capsules, and then the digital capsules are used to detect domain names. Experimental results on domain name detection and domain name family classification both show that compared with the state-of-the-art methods, our method has better detection performances.

Xiaoyang Liu,Jiamiao Liu

DOI: https://doi.org/10.1007/s00521-022-06904-3

2022-01-31

Neural Computing and Applications

Abstract:For the current mainstream DGA domain name detection methods, scalars are almost used to represent numerical features, resulting in the loss of the spatial feature information of domain name characters. This paper proposes a sequence capsule network based on the k-means routing algorithm, LSTM-CapsNet, which only uses DGA domain name text information for detection. The model uses a bidirectional LSTM unit to extract basic features for the capsule network and uses the k-means algorithm to cluster vector features to implement routing functions. In order to verify the proposed LSTM-CapsNet model, data from two different sources are collected to ensure the reliability of the experiment, covering the DGA domain name dataset from the real network defined as Real-Dataset, and the DGA domain name obtained through the domain name generation algorithm is defined as Gen-Dataset. The current DGA domain name detection method of state-of-the-art proposed by researchers is compared and tested on two data sets. The experimental results show that the proposed model has achieved 99.17% and 97.75% of the F-score evaluation indicators in the DGA domain name recognition of the two datasets; at the same time, the recognition of the DGA domain name family has been very competitive. Compared with the existing DGA domain name family classification model, the F-score value of the proposed model exceeds 89% in Gen-Dataset multi-class recognition. This model not only improves the ability of DGA domain name recognition and DGA domain name family recognition but also has an outstanding ability to find real-time aspects in model testing.

computer science, artificial intelligence

Xin Fang,Xiaoqing Sun,Jiahai Yang,Xinran Liu

DOI: https://doi.org/10.48550/arXiv.2009.09959

2020-09-21

Abstract:DGA-based botnet, which uses Domain Generation Algorithms (DGAs) to evade supervision, has become a part of the most destructive threats to network security. Over the past decades, a wealth of defense mechanisms focusing on domain features have emerged to address the problem. Nonetheless, DGA detection remains a daunting and challenging task due to the big data nature of Internet traffic and the potential fact that the linguistic features extracted only from the domain names are insufficient and the enemies could easily forge them to disturb detection. In this paper, we propose a novel DGA detection system which employs an incremental word-embeddings method to capture the interactions between end hosts and domains, characterize time-series patterns of DNS queries for each IP address and therefore explore temporal similarities between domains. We carefully modify the Word2Vec algorithm and leverage it to automatically learn dynamic and discriminative feature representations for over 1.9 million domains, and develop an simple classifier for distinguishing malicious domains from the benign. Given the ability to identify temporal patterns of domains and update models incrementally, the proposed scheme makes the progress towards adapting to the changing and evolving strategies of DGA domains. Our system is evaluated and compared with the state-of-art system FANCI and two deep-learning methods CNN and LSTM, with data from a large university's network named TUNET. The results suggest that our system outperforms the strong competitors by a large margin on multiple metrics and meanwhile achieves a remarkable speed-up on model updating.

Cryptography and Security

Ling Ding,Peng Du,Haiwei Hou,Jian Zhang,Di Jin,Shifei Ding

DOI: https://doi.org/10.1016/j.bdr.2023.100395

IF: 3.3

2023-05-13

Big Data Research

Abstract:One of the severest threats to cyber security is botnet, which typically uses domain names generated by Domain Generation Algorithms (DGAs) to communicate with their Command and Control (C&C) infrastructure. DGA detection and classification play an important role of assisting cyber security researchers to detect botnet C&C servers. However, many of the existing DGA detection models only focus on single scale word embedding method, and very few models are specially designed to extract more effective features for DGA detection from multiple scales word embedding. To alleviate above questions, first we propose a hybrid word embedding method, which combines character level embedding and bigram level embedding to make full use of the domain names information, and then, we design a deep neural network with hybrid embedding method to distinguish DGA domains from known legitimate domains. Finally, we evaluate our hybrid embedding method and the proposed model on ONIST dataset and compare our methods with several state-of-the-art DGA classification methods.

computer science, information systems, artificial intelligence, theory & methods

yongzheng zhang,jun xiao

DOI: https://doi.org/10.1007/978-3-662-43908-1_17

2014-01-01

Abstract:To achieve the goals of concealment and migration, some Bot Nets, such as Conficker, Srizbis and Torpig, use Domain Generation Algorithm (DGA) to produce a large number of random domain names dynamically. Then a small subset of these domain names would be selected for actual C&C. Compared with normal domain names, these domain names generated by DGA have significant difference in length, character frequency, etc. Current researches mainly use clustering-classification methods to Detect abnormal domain name. Some of them use NXDomain traffic clustering, other researches based on the classification of string features, such as the distribution of alphanumeric characters and bigram. In fact, domain name has strict hierarchy and each domain level has particular regularities. In this paper, the hierarchical characteristic is introduced into the detection process. We divide the domain name into distinct levels and calculate the characteristic value separately. In each level, we use entropy, bigram and length detections. Because of different efficiency in levels, we design the weigh for each level based on their efficiency. Finally, the level characteristic value of domain name is the weighted average value of levels. Our experiments show that the accuracy of the level-based method is higher than 94 %.

Yu Chen,Sheng Yan,Tianyu Pang,Rui Chen

DOI: https://doi.org/10.1109/SSIC.2018.8556788

2018-01-01

Abstract:Domain Generation Algorithm (DGA) technique has been widely used by botnets as a covert command and control (C &C) channel of issuing control or attack commands through various DGA domains. This method can evade blacklisting detection and bring new challenges to the current detection method. This paper extracts feature set which is helpful to differentiate between malicious DGA domains and benign domains, and uses the Support Vector Machine (SVM) algorithm to train the detection model. Experimental results demonstrate that the detection method proposed in this paper is powerful with a high true positive rate 95% and a low false positive rate 1%.

Xiaodong Zang,Jianbo Cao,Xinchang Zhang,Jian Gong,Guiqing Li

DOI: https://doi.org/10.1007/s11235-023-01073-7

2024-01-01

Telecommunication Systems

Abstract:Botnets are one of the major threats to network security nowadays. To carry out malicious actions remotely, they heavily rely on Command and Control channels. DGA-based botnets use a domain generation algorithm to generate a significant number of domain names. By analyzing the linguistic distinctions between legitimate and DGA-based domain names, traditional machine learning schemes obtain great benefits. However, it is difficult to identify the ones based on wordlists or pseudo-random generated. Accordingly, this paper proposes an efficient CNN-LSTM-based detection model (BotDetector) that uses only a set of simple-to-compute, easy-to-compute character features. We evaluate our model with two open-source benchmark datasets (360 netlab, Bambenek) and real DNS traffic from the China Education and Research Network. Experimental results demonstrate that our algorithm improves by 1.6 % in terms of accuracy and F1-score and reduces the computation time by 9.4 % compared to other state-of-the-art alternatives. Remarkably, our work can identify botnet’s covert communication channels that use domain names based on word lists or pseudo-random generation without any help of reverse engineering.

Chunyu Han,Yongzheng Zhang

DOI: https://doi.org/10.1109/iccsnt.2017.8343724

2017-01-01

Abstract:Domain plays an important role as one of the components on the Internet, so more and more malicious behavior has been conducted by using domains, such as spam, botnet, phishing and the like. DGA (Domain Generation Algorithm), one kind of DNS technology, has been used by domain-flux commonly in botnets. In this paper, we propose a method called CODDULM (C&c domains Of Dga Detection Using Lexical feature and sparse Matrix). Firstly, it finds the NXDomains (Non-existent domains) on the passive DNS traffic to locate the suspicious infected hosts. Secondly, it selects DGA domains by lexical features according to suspicious infected hosts. Lastly, it discovers DGA C&C (Command and Control) domains through SVM (Support Vector Machine algorithm) classifier. At the end of this paper, we conduct the experiment to verify the effect of the method and the high accuracy of it.

Luhui Yang,Jiangtao Zhai,Weiwei Liu,Xiaopeng Ji,Huiwen Bai,Guangjie Liu,Yuewei Dai

DOI: https://doi.org/10.3390/sym11020176

2019-01-01

Abstract:In highly sophisticated network attacks, command-and-control (C&C) servers always use domain generation algorithms (DGAs) to dynamically produce several candidate domains instead of static hard-coded lists of IP addresses or domain names. Distinguishing the domains generated by DGAs from the legitimate ones is critical for finding out the existence of malware or further locating the hidden attackers. The word-based DGAs disclosed in recent network attack events have shown significantly stronger stealthiness when compared with traditional character-based DGAs. In word-based DGAs, two or more words are randomly chosen from one or more specific dictionaries to form a dynamic domain, these regularly generated domains aim to mimic the characteristics of a legitimate domain. Existing DGA detection schemes, including the state-of-the-art one based on deep learning, still cannot find out these domains accurately while maintaining an acceptable false alarm rate. In this study, we exploit the inter-word and inter-domain correlations using semantic analysis approaches, word embedding and the part-of-speech are taken into consideration. Next, we propose a detection framework for word-based DGAs by incorporating the frequency distribution of the words and that of part-of-speech into the design of the feature set. Using an ensemble classifier constructed from Naive Bayes, Extra-Trees, and Logistic Regression, we benchmark the proposed scheme with malicious and legitimate domain samples extracted from public datasets. The experimental results show that the proposed scheme can achieve significantly higher detection accuracy for word-based DGAs when compared with three state-of-the-art DGA detection schemes.

Jianbing Liang,Shuhui Chen,Ziling Wei,Shuang Zhao,Wei Zhao,Jianbing Liang,Shuhui Chen,Ziling Wei,Shuang Zhao,Wei Zhao

DOI: https://doi.org/10.1016/j.cose.2022.102803

2022-09-01

Abstract:The botnet relies on the Command and Control (C&C) channels to conduct its malicious activities remotely. The Domain Generation Algorithm (DGA) is often used by botnets to hide their Command and Control (C&C) server and evade take-down attempts, which allows the bot to generate a large number of domain names until it finds its C&C server. The lengths of domain names generated by DGAs are different. Our research finds that the length of the domain name has an impact on the performance of the DGA domain name detection model. In other words, the model is sensitive to the length of the domain name. In this case, attackers can evade detection simply by designing domain names of specific lengths. Moreover, the detection accuracy of DGA domain names still needs to be further improved. To solve these problems, three feature extraction methods adapted to the length of the domain name are proposed in this paper. For extra-short domain names, we use the attention-based method to extract features, which can make use of the character-level semantic feature. For moderate-length domain names, a two-dimensional structure, namely Right Shifted Tensor (RST), is constructed to make the domain name present apparent features similar to images. For the extra-long domain name, the effective classification of domain names can be achieved by manually crafted easy-to-calculate features. Then, different detection structures are designed based on these tree feature extraction methods to form a heterogeneous DGA detection model, namely HAGDetector. In addition, the public suffix is an important part of the domain name. We further analyze the public suffix to evaluate its impact on the detection of DGA domain names. Finally, the experiments are conducted to assess the validity of HAGDetector, as well as compare our approach with the current state-of-the-art and highlight the impact of the domain name length. The experimental results show that our method greatly improves the detection performance.

computer science, information systems

Ji Huang,Yongzheng Zhang,Peng Chang,Yupeng Tuo

DOI: https://doi.org/10.1109/ict52184.2021.9511517

2021-01-01

Abstract:Many botnets adopt domain generation algorithms (DGAs) to set up stealthy Command & Control (C2) communication. A DGA generates a great number of domain names and the attacker selects some of them to map to the C2 servers. In this paper, we propose Talos, a DGA detection approach to detect unknown DGAs and also known DGAs accurately. The key insight of Talos is that domain names can be represented by feature vectors satisfying the condition that distances between the feature vectors can reflect whether they are of the same class. Talos uses a neural language model to extract the feature vector of a domain name. After that, Talos determines if the feature vector belongs to a class based on whether it is within the boundary of the class and near the centroid of the class. We evaluate the detection ability of Talos on both unknown and known DGAs. Our experimental results show that Talos achieves recall over 92% on unknown classes and F1-score over 95% on known classes. We also compare Talos with state-of-the-art detection approaches and find that Talos's ability to detect unknown DGAs largely surpasses them.

Haoran Jiao,Qing Wang,Zhaoshan Fan,Junrong Liu,Dan Du,Ning Li,Yuling Liu

DOI: https://doi.org/10.1109/icccn54977.2022.9868932

2022-01-01

Abstract:Nowadays, malware uses Algorithmically Generated Domains (AGDs) to establish communication with Command and Control (C&C) servers. Dictionary based Domain Generation Algorithm (DGA) selects words from the frequently changed dictionaries to generate AGDs similar to benign domains, which degrades the accuracy of string based detection method. To combat this, we propose a DGA detection method based on DomainGraph and GCN (Graph Convolutional Network) which detects cross-dictionary AGDs based on the association relation between domains instead of lexical features. Starting from the association relation between domains rather than the lexical features of the domain itself, we can detect the unknown AGDs from a known AGD, regardless of the DGA dictionary they use. The proposed method exploits the fact that string association of benign domains is weak, while AGDs' association is strong. DGGCN composes a domain segmentation method, constructs a graph composed of domains (DomainGraph) based on segmentations and adopts GCN to detect AGDs. We conduct the experiments on public datasets under three settings: detecting AGDs generated by familiar dictionaries, unfamiliar dictionaries and confusing dictionaries. The results reveal that DGGCN can detect cross-dictionary AGDs similar to benign domains more accurately and robustly.

Zhicheng Liu,Xiaochun Yun,Yongzheng Zhang,Yipeng Wang

DOI: https://doi.org/10.1109/TrustCom/BigDataSE.2019.00027

2019-01-01

Abstract:Botnet is a part of the most destructive threats to network security and is often used in malicious activities. DGA-based botnet, which uses Domain Generation Algorithm (DGA) to evade detection, has become the main channel to carry out online crimes. In the past, many detection mechanisms focusing on domain features are proposed, but the potential problem is that the features extracting only from the domain names are insufficient and the enemies could easily forge them to disturb detection. In this paper, we propose a novel approach named CCGA to detect DGA-based botnet by leveraging the concerted group behaviors of infected hosts on DNS traffic. The analysis of group behaviors enhances the robustness of our system irrespective of various evasion techniques, such as fake-querying, packet encryption and noise generated by normal users. The proposed scheme associates hosts together in an unsupervised way and then uses supervised learning to distinguish whether it's a botnet. Our system is evaluated in a large ISP over two days and compared with the state of art FANCI. Experimental results show that CCGA can accurately and effectively detect DGA-based botnet in a real-world network. Our system also catches 5 unknown botnet groups and provides a novel method to verify them. Therefore, the system will provide an unique perspective on the current state of globally distributed malware, particularly the ones that use DNS.

Nguyen Tan Cam,Nguyen Ngoc Man

DOI: https://doi.org/10.1007/s10586-024-04363-0

2024-03-29

Cluster Computing

Abstract:Recent developments in information technology have brought numerous benefits but have also created risks for information security. One notable threat is the domain generated by the algorithm (DGA) technique used by botnets, which allows them to automatically generate and register multiple domains to evade detection and control from network security systems. To address this issue, we conducted research on a domain classification model specific to botnet-generated domains. We developed three domain classification models: bigrams, long short-term memory networks (LSTM), and a combination of LSTM and one-hot encoding. In this study, we implemented an ensemble model using a domain classification system, named UIT-DGADetector. To optimize the system, we employed Kafka to queue and streamline the requests, thereby reducing the load on the classification server. The deployed system operates well and achieves a high accuracy rate in predicting the domain types. However, this model still has limitations in predicting Word-based DGA botnets. The process must be optimized to reduce the waiting time in the queue. This study aims to contribute to network security and information protection, particularly by addressing the issue of DGA botnets.

computer science, information systems, theory & methods

Mingkai Tong,Xiaoqing Sun,Jiahai Yang,Hui Zhang,Shuang Zhu,Xinran Liu,Heng Liu

DOI: https://doi.org/10.1007/978-3-030-29551-6_41

2019-01-01

Abstract:Modern malware typically uses domain generation algorithm (DGA) to avoid blacklists. However, it still leaks trace by causing excessive Non-existent domain responses when trying to contact with the command and control (C&C) servers. In this paper, we propose a novel system named D3N to detect DGA domains by analyzing NXDomains with deep learning methods. The experiments show that D3N yields 99.7% TPR and 1.9% FPR, outperforming FANCI in both accuracy and efficiency. Besides, our real-world evaluation in a large-scale network demonstrates that D3N is robust in different networks.

Huiju Lee,Jeong Do Yoo,Seonghoon Jeong,Huy Kang Kim

DOI: https://doi.org/10.1109/access.2024.3454242

IF: 3.9

2024-09-10

IEEE Access

Abstract:Attackers are known to utilize domain generation algorithms (DGAs) to generate domain names for command and control (C&C) servers and facilitate the distribution of uniform resource locators within malicious software. DGAs pose a significant threat to cybersecurity owing to their ability to dynamically generate unpredictable domain names. Extensive research is currently underway to detect the domain names created using DGAs. However, the high false positive rates when handling benign domain names in non-English languages pose a challenge. Thus, this study proposes a DGA detection method that effectively embeds non-English domain names to focus on Chinese domain names, which are referred to as domain names composed of Pinyin. The proposed method segments domain names into meaningful subwords for effective vector representation. Consequently, the FastText model learns the context information of the segmented subwords and embeds the domain name. Further, the deep learning-based detection model learns the vectorized domain names and determines whether a particular domain name is DGA-generated. We labeled the Chinese domain names among the benign domain names for our experiment. The experimental results show that the proposed method outperforms existing methods across all performance metrics on the entire test dataset. Notably, the proposed method minimizes the false positive rate, thereby enhancing detection reliability. In addition, it exhibits high performance, achieving a recall of 0.9873 and 0.9886 for Chinese and English domain names, respectively. This demonstrates that the proposed method consistently delivers high performance across various metrics and languages.

computer science, information systems,telecommunications,engineering, electrical & electronic

Yang Chen,Shuai Zhang,Jing Liu,Bo Li

DOI: https://doi.org/10.1109/smartcloud.2018.00039

2018-01-01

Abstract:Domain generation algorithms, called DGAs, are used to generate a lot of pseudo-random domain names. The malware can connect to a command & control(C2) server through these domains, which will cause large threats to network security. Most of previous researches are based on large sets of domains or manual feature extractions. To tackle this issue, current studies pay more attention to deep learning, such as LSTM. However, it is difficult to learn reasonable expression when the domain is long. In this paper, we propose a LSTM model incorporating with attention mechanism, in which attention will focus on more important substrings in domains and improve the expression of domains. The experimental results in real-life datasets demonstrate our model has a priority in both false alarm rate decreased to 1.29% and false negative rate reduced to 0.76%. Furthermore, our model also has a better performance in multilabel detection.

Xiaoyan Hu,Hao Chen,Miao Li,Guang Cheng,Ruidong Li,Hua Wu,Yali Yuan

DOI: https://doi.org/10.1109/tifs.2023.3293956

IF: 7.231

2023-08-05

IEEE Transactions on Information Forensics and Security

Abstract:Botnets extensively leverage Domain Generation Algorithms (DGAs) to establish reliable communication channels between bots and Command and Control (C&C) servers. Numerous character-level DGA classifiers have been extensively studied to detect and classify domain names generated by DGAs. Meanwhile, a series of adversarial domain generation algorithms have been proposed to evade DGA classifiers. Although the existing domain name generation algorithms have progressed against DGA classifier, their anti-detection abilities are still weak. This paper proposes a Bidirectional Long Short-Term Memory (BiLSTM) network-based adversarial DGA with high anti-detection ability, referred to as ReplaceDGA. ReplaceDGA requires no knowledge of the targeted DGA classifiers. It first builds a prediction model for benign domain names using the BiLSTM network to model the semantic relationship hidden within benign domain names and then replaces two characters of each input benign domain name based on the prediction model to maximize the similarity between the benign and generated domain names. Our experimental results validate that ReplaceDGA successfully evades various character-level DGA classifiers even after they are retrained by domain names generated by ReplaceDGA and outperforms the state-of-the-art adversarial DGAs in anti-detection ability, repetition rate, and collision rate. Our study of ReplaceDGA promotes the urgent need for developing more comprehensive and robust DGA classifiers that consider other factors besides character-level information of domain names.

computer science, theory & methods,engineering, electrical & electronic