Real-Time Detection of Dictionary DGA Network Traffic using Deep Learning

03/28/2020
by Kate Highnam, et al.

Botnets and malware continue to avoid detection by static rules engines when using domain generation algorithms (DGAs) for callouts to unique, dynamically generated web addresses. Common DGA detection techniques fail to reliably detect DGA variants that combine random dictionary words to create domain names that closely mirror legitimate domains. To combat this, we created a novel hybrid neural network, Bilbo the `bagging` model, that analyses domains and scores the likelihood they are generated by such algorithms and therefore are potentially malicious. Bilbo is the first parallel usage of a convolutional neural network (CNN) and a long short-term memory (LSTM) network for DGA detection. Our unique architecture is found to be the most consistent in performance in terms of AUC, F1 score, and accuracy when generalising across different dictionary DGA classification tasks compared to current state-of-the-art deep learning architectures. We validate using reverse-engineered dictionary DGA domains and detail our real-time implementation strategy for scoring real-world network logs within a large financial enterprise. In four hours of actual network traffic, the model discovered at least five potential command-and-control networks that commercial vendor tools did not flag.

