Detecting DGA domains with recurrent neural networks and side information

10/04/2018
by Ryan R. Curtin, et al.

Modern malware typically makes use of a domain generation algorithm (DGA) to avoid command and control domains or IPs being seized or sinkholed. This means that an infected system may attempt to access many domains in an attempt to contact the command and control server. Therefore, the automatic detection of DGA domains is an important task, both for the sake of blocking malicious domains and identifying compromised hosts. However, many DGAs use English wordlists to generate plausibly clean-looking domain names; this makes automatic detection difficult. In this work, we devise a notion of difficulty for DGA families called the smashword score; this measures how much a DGA family looks like English words. We find that this measure accurately reflects how much a DGA family's domains look like they are made from natural English words. We then describe our new modeling approach, which is a combination of a novel recurrent neural network architecture with domain registration side information. Our experiments show the model is capable of effectively identifying domains generated by difficult DGA families. Our experiments also show that our model outperforms existing approaches, and is able to reliably detect difficult DGA families such as matsnu, suppobox, rovnix, and others. The model's performance compared to the state of the art is best for DGA families that resemble English words. We believe that this model could either be used in a standalone DGA domain detector---such as an endpoint security application---or alternately the model could be used as a part of a larger malware detection system.
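An added illustration, not code from the paper and not its definition of the smashword score (the abstract does not give one): a simple stand-in that scores how much of a domain's registrable label can be segmented into English words, then averages that over a family's domains. The word list and the sample domains below are constructed for the example.

```python
"""Toy 'English-wordiness' score for domain labels (added example).

Assumption: a label's score is the fraction of its characters that can be
covered by whole dictionary words in the best segmentation; a family's score
is the mean over its domains. This is a stand-in, not the paper's smashword
score.
"""
from statistics import mean

# Constructed toy word list; a real system would use a full English list.
WORDS = {"apple", "cart", "away", "bright", "house", "river", "stone",
         "light", "wind", "mill", "field", "green", "paper", "word", "list"}
MAX_WORD = max(map(len, WORDS))


def second_level_label(domain: str) -> str:
    """Return the left-most label, e.g. 'applecart' from 'applecart.com'."""
    return domain.lower().split(".")[0]


def covered_chars(label: str) -> int:
    """Max number of characters of `label` explainable as whole dictionary
    words. Dynamic programme over prefixes: best[i] is the best cover of
    label[:i]; a character not in any word is skipped one at a time."""
    best = [0] * (len(label) + 1)
    for i in range(1, len(label) + 1):
        best[i] = best[i - 1]  # skip character i-1
        for k in range(1, min(MAX_WORD, i) + 1):
            if label[i - k:i] in WORDS:
                best[i] = max(best[i], best[i - k] + k)
    return best[len(label)]


def wordiness(domain: str) -> float:
    """Fraction of the label's characters covered by dictionary words."""
    label = second_level_label(domain)
    return covered_chars(label) / len(label) if label else 0.0


def family_score(domains) -> float:
    """Mean wordiness over a family's domains (higher = more English-like)."""
    return mean(wordiness(d) for d in domains)


if __name__ == "__main__":
    wordlist_like = ["applecartaway.com", "brighthouseriver.net"]  # constructed
    random_like = ["xkq7vz2bnw.com", "qzpfgtrlmx.net"]             # constructed
    print("wordlist-style family:", family_score(wordlist_like))
    print("random-style family:  ", family_score(random_like))
```

Families that score high on this kind of measure are the ones a character-level detector finds hardest, which is the difficulty notion the abstract motivates.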


