Detecting the DGA-Based Malicious Domain Names

To conceal their command-and-control (C&C) infrastructure and to migrate it easily, some botnets, such as Conficker, Srizbi and Torpig, use a Domain Generation Algorithm (DGA) to produce a large number of pseudo-random domain names dynamically; only a small subset of these names is then registered and used for actual C&C. Compared with normal domain names, DGA-generated names differ significantly in length, character frequency and similar string statistics. Current research mainly uses clustering and classification methods to detect abnormal domain names: some approaches cluster NXDomain traffic, while others classify on string features such as the distribution of alphanumeric characters and bigrams. However, a domain name has a strict hierarchy, and each level of that hierarchy has its own regularities. In this paper, the hierarchical characteristic is introduced into the detection process. We divide the domain name into its distinct levels and compute the characteristic value of each level separately, applying entropy, bigram and length detections at each level. Because the levels differ in detection efficiency, we assign each level a weight based on that efficiency, and the final level characteristic value of the domain name is the weighted average over all levels. Our experiments show that the accuracy of the level-based method is higher than 94%.
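The level-based scoring described in the abstract, written out as an added example; this is not the paper's implementation. It assumes a constructed toy corpus of benign domains for training, illustrative per-level weights and normalisation caps (the paper derives its weights from measured per-level efficiency and does not publish the feature scaling), and uses the fraction of a label's character bigrams never seen in benign labels as the bigram feature; all of these are assumptions, not values from the paper.

```python
import math
from collections import Counter

# Constructed training set of benign registered domains (toy corpus, not
# from the paper); a real deployment would train on a large allow-list.
BENIGN_SAMPLES = [
    "www.google.com", "mail.yahoo.com", "en.wikipedia.org",
    "login.microsoft.com", "static.amazon.com", "news.bbc.co.uk",
    "www.github.com", "docs.python.org", "www.facebook.com",
    "support.apple.com", "www.wikipedia.org", "images.google.com",
]

# Assumed per-level weights (the paper derives them from each level's
# detection efficiency; these values are illustrative). Level 0 is the TLD,
# level 1 the registered label; deeper levels share the last weight.
LEVEL_WEIGHTS = [0.1, 0.6, 0.3]

# Assumed normalisation caps: 4 bits of entropy and 20 characters map to 1.0.
ENTROPY_CAP = 4.0
LENGTH_CAP = 20


def split_levels(domain):
    """Split a domain into its levels, ordered TLD-first, e.g.
    'news.bbc.co.uk' -> ['uk', 'co', 'bbc', 'news']."""
    labels = [lab.lower() for lab in domain.strip(".").split(".") if lab]
    return labels[::-1]


def shannon_entropy(label):
    """Shannon entropy of the label's character distribution, in bits."""
    n = len(label)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def bigrams(label):
    return [label[i:i + 2] for i in range(len(label) - 1)]


def train_bigram_set(domains):
    """Collect every character bigram seen in benign labels (all levels)."""
    known = set()
    for d in domains:
        for lab in split_levels(d):
            known.update(bigrams(lab))
    return known


def level_features(label, known_bigrams):
    """Entropy, bigram and length features of one label, each scaled to
    [0, 1], plus their unweighted mean as the level's characteristic value."""
    bg = bigrams(label)
    unknown_ratio = (sum(b not in known_bigrams for b in bg) / len(bg)) if bg else 0.0
    ent = min(shannon_entropy(label) / ENTROPY_CAP, 1.0)
    length = min(len(label) / LENGTH_CAP, 1.0)
    return {
        "entropy": ent,
        "unknown_bigram_ratio": unknown_ratio,
        "length": length,
        "score": (ent + unknown_ratio + length) / 3.0,
    }


def score_domain(domain, known_bigrams, weights=LEVEL_WEIGHTS):
    """Weighted average of the per-level scores; higher means more DGA-like."""
    levels = split_levels(domain)
    if not levels:
        return 0.0
    num = den = 0.0
    for i, lab in enumerate(levels):
        w = weights[min(i, len(weights) - 1)]
        num += w * level_features(lab, known_bigrams)["score"]
        den += w
    return num / den


def classify(domain, known_bigrams, threshold=0.5):
    """Assumed decision rule: a single threshold on the weighted score."""
    return "dga" if score_domain(domain, known_bigrams) >= threshold else "benign"


if __name__ == "__main__":
    known = train_bigram_set(BENIGN_SAMPLES)
    # Constructed inputs: one benign name, one DGA-looking name.
    for d in ["www.google.com", "xk3mqzv9plwh.com"]:
        print(f"{d:22s} score={score_domain(d, known):.3f} -> {classify(d, known)}")
```

Two caveats a practitioner would want before using anything like this: splitting purely on dots treats "co" in "bbc.co.uk" as the registered label, so level boundaries should be taken from the Public Suffix List rather than from dot positions; and with a tiny training corpus the unknown-bigram ratio penalises any unfamiliar benign name, so the bigram set (and the threshold) must be trained and tuned on a large benign list, not on a dozen samples.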