Which DGA Family Does a Malicious Domain Name Belong To

A Domain Generation Algorithm (DGA) is a technique that produces a large number of domain names in a short time; attackers commonly build it into malware to circumvent security mechanisms such as domain blacklists. Beyond discovering DGA domains, identifying which DGA family a domain belongs to is also significant for detecting and analyzing malware, because it gives security professionals a basis for comprehensive analysis. In this paper, we investigate 22 different DGA families and propose an effective approach to portray and classify DGA families, which uses strong host association together with a family portrait to separate different DGA families among massive numbers of DGA domains. The approach mitigates the difficulty caused by a nearly 100-fold difference in data volume among families and implements DGA family clustering. The experimental results show that the proposed approach accurately identifies all of the DGA families in a network that contains six families.
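As an added illustration (not the paper's code, data or exact method), the following Python sketch shows the two ideas the abstract names from a defender's side: grouping NXDomain names by the hosts that query them (host association), then summarising each group with a lexical portrait that is matched against reference portraits. The resolver log, host addresses, domain names, the Jaccard threshold and the reference portraits are all constructed placeholders; the features and clustering procedure the paper actually uses are not described on this page.

```python
"""Toy DGA-family clustering by host association plus per-cluster portraits.

Added illustration, not the paper's code. Assumes a resolver log of NXDomain
responses as (querying host, domain) pairs; all values below are made up.
"""
from collections import defaultdict
from itertools import combinations
import math

VOWELS = set("aeiou")

# Constructed sample log: (querying host, domain that returned NXDOMAIN).
SAMPLE_NXDOMAIN_LOG = [
    ("10.0.0.5", "xkqjwpvmzt.com"),
    ("10.0.0.5", "plrmqzvwkx.net"),
    ("10.0.0.5", "tqvzkxmprw.org"),
    ("10.0.0.9", "xkqjwpvmzt.com"),
    ("10.0.0.9", "plrmqzvwkx.net"),
    ("10.0.0.9", "zvkmqtxwpr.info"),
    ("10.0.0.21", "bookstrong.biz"),
    ("10.0.0.21", "rivermountain.biz"),
    ("10.0.0.21", "greenwindow.biz"),
    ("10.0.0.33", "bookstrong.biz"),
    ("10.0.0.33", "rivermountain.biz"),
    ("10.0.0.33", "silverhouse.biz"),
    ("10.0.0.40", "typo-of-real-site.com"),  # lone typo, not part of any cluster
]


def build_domain_host_sets(log):
    """Map each domain to the set of hosts that queried it."""
    domain_hosts = defaultdict(set)
    for host, domain in log:
        domain_hosts[domain].add(host)
    return domain_hosts


def jaccard(a, b):
    """Overlap of two host sets; 0 when both are empty."""
    return len(a & b) / len(a | b) if (a | b) else 0.0


def cluster_by_host_association(domain_hosts, min_jaccard=0.5, min_size=2):
    """Link domains whose querying-host sets overlap strongly (an infected host
    tends to query many names of the same family); return connected components
    as sorted tuples, dropping singletons."""
    parent = {d: d for d in domain_hosts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for d1, d2 in combinations(domain_hosts, 2):
        if jaccard(domain_hosts[d1], domain_hosts[d2]) >= min_jaccard:
            parent[find(d1)] = find(d2)
    groups = defaultdict(list)
    for d in domain_hosts:
        groups[find(d)].append(d)
    return sorted(tuple(sorted(g)) for g in groups.values() if len(g) >= min_size)


def sld(domain):
    """Second-level label, e.g. 'xkqjwpvmzt' from 'xkqjwpvmzt.com'."""
    return domain.split(".")[-2]


def char_entropy(s):
    """Shannon entropy (bits) of the character distribution of s."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def portrait(domains):
    """Lexical portrait of a cluster: mean SLD length, vowel ratio, entropy, TLDs."""
    labels = [sld(d) for d in domains]
    total = sum(len(l) for l in labels)
    vowels = sum(1 for l in labels for ch in l if ch in VOWELS)
    return {
        "mean_length": total / len(labels),
        "vowel_ratio": vowels / total,
        "mean_entropy": sum(char_entropy(l) for l in labels) / len(labels),
        "tlds": tuple(sorted({d.rsplit(".", 1)[1] for d in domains})),
    }


# Constructed reference portraits standing in for previously profiled families;
# the names and numbers are placeholders, not measurements of real families.
REFERENCE_PORTRAITS = {
    "random-char-family": {"mean_length": 10.0, "vowel_ratio": 0.05},
    "word-based-family": {"mean_length": 11.0, "vowel_ratio": 0.40},
}


def nearest_family(p, references=REFERENCE_PORTRAITS):
    """Assign a cluster to the reference family whose portrait is closest
    (vowel ratio scaled so that it carries weight comparable to length)."""
    def dist(ref):
        return math.hypot(p["mean_length"] - ref["mean_length"],
                          10 * (p["vowel_ratio"] - ref["vowel_ratio"]))
    return min(references, key=lambda name: dist(references[name]))


def classify_log(log):
    """Full pipeline: host-association clusters, each labelled by nearest portrait."""
    clusters = cluster_by_host_association(build_domain_host_sets(log))
    return [(c, nearest_family(portrait(c))) for c in clusters]


if __name__ == "__main__":
    for cluster, family in classify_log(SAMPLE_NXDOMAIN_LOG):
        print(family, cluster)
```

The host-association step is what lets a small family survive next to a large one: a cluster is formed from the hosts that query its names, not from how many names it contributes, so a family with a hundredth of the traffic still forms its own component as long as its infected hosts query several of its names. The portrait step then only has to compare a handful of cluster-level statistics rather than every domain.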
