Predicting Domain Generation Algorithms with Long Short-Term Memory Networks

11/02/2016
by Jonathan Woodbridge, et al.

Various families of malware use domain generation algorithms (DGAs) to generate a large number of pseudo-random domain names to connect to a command and control (C&C) server. In order to block DGA C&C traffic, security organizations must first discover the algorithm by reverse engineering malware samples, then generate a list of domains for a given seed. The domains are then either preregistered or published in a DNS blacklist. This process is not only tedious, but can be readily circumvented by malware authors using a large number of seeds in algorithms with multivariate recurrence properties (e.g., banjori) or by using a dynamic list of seeds (e.g., bedep). Another technique to stop malware from using DGAs is to intercept DNS queries on a network and predict whether domains are DGA generated. Such a technique will alert network administrators to the presence of malware on their networks. In addition, if the predictor can also accurately predict the family of DGAs, then network administrators can also be alerted to the type of malware that is on their networks. This paper presents a DGA classifier that leverages long short-term memory (LSTM) networks to predict DGAs and their respective families without the need for a priori feature extraction. Results are significantly better than state-of-the-art techniques, providing 0.9993 area under the receiver operating characteristic curve for binary classification and a micro-averaged F1 score of 0.9906. In other terms, the LSTM technique can provide a 90 with a 1:10000 false positive (FP) rate, a twenty times FP improvement over comparable methods. Experiments in this paper are run on open datasets and code snippets are provided to reproduce the results.
