DOI: 10.1145/3568562.3568590
Research article

Detecting DGA Botnet based on Malware Behavior Analysis

Published: 01 December 2022

Abstract

DGA botnet uses the Domain Generation Algorithm to generate domains that are used to establish the connection between malware bots and malicious actors. It has become a serious threat to internet-connected systems. Detection of DGA botnets is a challenging task due to its complexity and performance issues when processing a great amount of data from real-time large-scale networks. In this paper, we propose and develop a DGA botnet detection method using the combination of the Long Short-Term Memory network (LSTM) and network traffic analysis. We also propose a set of rules that can be used for detecting various DGA malware behaviors. Our method recognizes even hard-to-detect dictionary DGAs such as suppobox and matsnu, while providing an F1-score of 0.9888.

Cited By

  • (2025) Deeply fused flow and topology features for botnet detection based on a pretrained GCN. Computer Communications, 108084. https://doi.org/10.1016/j.comcom.2025.108084. Online publication date: Jan 2025.
  • (2024) Unveiling Domain Generation Algorithms in DNS Log Traffic: A Next-Generation Intelligent Framework for Dynamic Anomaly Detection and Mitigation through Machine Learning Analysis. 2024 15th International Conference on Computing Communication and Networking Technologies (ICCCNT), 1–7. https://doi.org/10.1109/ICCCNT61001.2024.10726248. Online publication date: 24 Jun 2024.

Published In

SoICT '22: Proceedings of the 11th International Symposium on Information and Communication Technology
December 2022
474 pages
ISBN:9781450397254
DOI:10.1145/3568562
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Botnet Detection
  2. DGA Malware
  3. DGA behaviors
  4. Datasets
  5. Traffic Analysis

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

SoICT 2022

Acceptance Rates

Overall Acceptance Rate 147 of 318 submissions, 46%

Article Metrics

  • Downloads (last 12 months): 24
  • Downloads (last 6 weeks): 2
Reflects downloads up to 03 Mar 2025.
