ABSTRACT
The DNS protocol has been used by many malware families for command-and-control (C&C). To improve the resiliency of C&C communication, recent malware such as Locky, Conficker and Zeus uses a Domain Generation Algorithm (DGA). Many detection systems have been introduced for DGA-based botnet detection. However, such botnet detection approaches suffer from several limitations, for instance requiring a group of DGA domains, periodic behaviors, the presence of multiple bots, and so forth. It is very hard for them to detect an individually running DGA-based malware that leaves only a few traces. In this paper, we develop DGASensor to detect DGA-based malware immediately by identifying a single DGA domain using lexical evidence. First, DGASensor automatically analyzes the lexical patterns of the most popular domains listed in the Alexa top 100,000, and then extracts two templates, namely a distribution template and a structure template. Second, these two templates, pronounceability attributes, and some frequently used properties such as entropy and length are used to extract features from a single domain. Third, we train our classifier using a non-DGA dataset consisting of domains obtained from the Alexa rank and a DGA dataset generated by known DGAs. Finally, we provide a short-word filter to decrease the false positive rate. We implement a prototype system and evaluate it on the above training dataset with 10-fold cross validation. Moreover, a set of real-world DNS traffic collected from a recursive DNS server is used to measure the real-world performance of our system. The results show that DGASensor detects DGA domains with 93% accuracy on our training dataset and is able to identify a variety of malware in the real-world dataset with extremely high processing capability.
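The abstract describes a pipeline in which a single domain label is turned into lexical features (a distribution template and a structure template learned from popular benign domains, pronounceability attributes, entropy, length), scored by a classifier, and then passed through a short-word filter. The following is an added illustration written for this page, not the authors' DGASensor code: the benign corpus standing in for the Alexa top 100,000, the unigram "distribution template", the run-length "structure template", the indicator thresholds in `dga_score` and the `SHORT_WORDS` allowlist are all constructed assumptions, and the rule-based score replaces the paper's trained classifier so that the feature logic can be read in isolation.

```python
"""Single-domain lexical features in the spirit of DGASensor (illustrative
reconstruction for this page; corpus, thresholds and allowlist are constructed)."""
import math
from collections import Counter

# Constructed stand-in for the Alexa top-100,000 training labels.
BENIGN_LABELS = [
    "google", "facebook", "youtube", "wikipedia", "amazon", "twitter",
    "instagram", "linkedin", "reddit", "netflix", "microsoft", "apple",
    "yahoo", "github", "stackoverflow", "mozilla", "wordpress", "adobe",
    "paypal", "dropbox",
]
# Constructed short-word filter: short benign labels whose lexical features
# look random (few vowels, consonant clusters) and would otherwise be flagged.
SHORT_WORDS = {"xkcd", "bbc", "cnn", "imdb", "dhl", "ibm"}
VOWELS = set("aeiou")
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-"


def sld(domain):
    """Second-level label of a domain (naive split; no public-suffix list)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s):
    """Character entropy in bits per symbol."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def structure_template(s):
    """Run-length pattern of character classes: a=letter, d=digit, -=hyphen."""
    classes = "".join("a" if ch.isalpha() else "d" if ch.isdigit() else
                      "-" if ch == "-" else "?" for ch in s)
    out, i = [], 0
    while i < len(classes):
        j = i
        while j < len(classes) and classes[j] == classes[i]:
            j += 1
        out.append(f"{classes[i]}{j - i}")
        i = j
    return "".join(out)


def vowel_ratio(s):
    """Pronounceability proxy: share of letters that are vowels."""
    letters = [ch for ch in s if ch.isalpha()]
    return sum(ch in VOWELS for ch in letters) / len(letters) if letters else 0.0


def max_consonant_run(s):
    """Longest run of non-vowel characters (digits and hyphens count as non-vowels)."""
    best = cur = 0
    for ch in s:
        cur = 0 if ch in VOWELS else cur + 1
        best = max(best, cur)
    return best


def unigram_model(labels):
    """Distribution template: Laplace-smoothed character frequencies of benign labels."""
    counts = Counter("".join(labels))
    total = sum(counts.values()) + len(ALPHABET)
    return {ch: (counts[ch] + 1) / total for ch in ALPHABET}


BENIGN_MODEL = unigram_model(BENIGN_LABELS)


def avg_log_prob(s, model=BENIGN_MODEL):
    """Mean log2 probability per character under the benign model; lower = less benign-looking."""
    floor = min(model.values())
    return sum(math.log2(model.get(ch, floor)) for ch in s) / len(s) if s else 0.0


def features(label):
    return {
        "length": len(label),
        "entropy": shannon_entropy(label),
        "template": structure_template(label),
        "vowel_ratio": vowel_ratio(label),
        "max_consonant_run": max_consonant_run(label),
        "avg_log_prob": avg_log_prob(label),
    }


def dga_score(f):
    """Number of DGA-like indicators (constructed thresholds, not a trained model)."""
    runs = sum(not ch.isdigit() for ch in f["template"])  # class changes in the template
    return sum([
        f["entropy"] > 3.0,
        f["length"] >= 10,
        f["vowel_ratio"] < 0.25,
        f["max_consonant_run"] >= 4,
        runs >= 3,                 # letters and digits interleaved, e.g. a2d1a3
        f["avg_log_prob"] < -5.0,  # characters rare in benign labels
    ])


def classify(domain, threshold=3):
    """Verdict for one domain: short-word filter first, then the indicator score."""
    label = sld(domain)
    if label in SHORT_WORDS:
        return ("benign", "short-word filter")
    score = dga_score(features(label))
    return ("dga" if score >= threshold else "benign", f"score={score}")


if __name__ == "__main__":
    for d in ("google.com", "xjfkqzwplmvnt.net", "q7h2kdp9x3mw.org", "xkcd.com"):
        print(d, features(sld(d))["template"], classify(d))
```

Each domain is judged on its own, which is the point the abstract makes against group-based detectors: no second DGA domain, NXDOMAIN burst or second bot is needed. The `xkcd` case shows why a short-word filter earns its place: the label has no vowels, a four-consonant run and characters that are rare in the benign corpus, so the score alone would flag it, and a per-domain lexical detector has to pay for its independence with an allowlist of this kind.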