论文信息 - Finding Domain-Generation Algorithms by Looking at Length Distribution

Finding Domain-Generation Algorithms by Looking at Length Distribution

In order to detect malware that uses domain fluxing to circumvent blacklisting, it is useful to be able to discover new domain-generation algorithms (DGAs) that are being used to generate algorithmically-generated domains (AGDs). This paper presents a procedure for discovering DGAs from Domain Name Service (DNS) query data. It works by identifying client IP addresses with an unusual distribution of second-level string lengths in the domain names that they query. Running this fairly simple procedure on 5 days' data from a large enterprise network uncovered 19 different DGAs, nine of which have not been identified as previously-known. Samples and statistical information about the DGA domains are given.

Miranda Mowbray | Josiah Hagen | M. Mowbray | Josiah Hagen

[1] Roberto Perdisci,et al. From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based Malware , 2012, USENIX Security Symposium.

[2] Christopher Krügel,et al. Your botnet is my botnet: analysis of a botnet takeover , 2009, CCS.

[3] Stefano Zanero,et al. Phoenix: DGA-Based Botnet Tracking and Intelligence , 2014, DIMVA.

[4] Leyla Bilge,et al. EXPOSURE: Finding Malicious Domains Using Passive DNS Analysis , 2011, NDSS.

[5] Wenke Lee,et al. Increased DNS forgery resistance through 0x20-bit encoding: security via leet queries , 2008, CCS.

[6] Sandeep Yadav,et al. Detecting algorithmically generated malicious domain names , 2010, IMC '10.

[7] Elmar Gerhards-Padilla,et al. Automatic Extraction of Domain Name Generation Algorithms from Current Malware , 2012 .

[8] Radford M. Neal. Pattern Recognition and Machine Learning , 2007, Technometrics.

[9] Nasser M. Nasrabadi,et al. Pattern Recognition and Machine Learning , 2006, Technometrics.

[10] Ahmed Serhrouchni,et al. Privacy-preserving domain-flux botnet detection in a large scale network , 2013, 2013 Fifth International Conference on Communication Systems and Networks (COMSNETS).

[11] Aziz Mohaisen,et al. Kindred domains: detecting and clustering botnet domains using DNS traffic , 2014, WWW.