Detection of Algorithmically Generated Domain Names in Botnets
Authors | |
---|---|
Year of publication | 2020 |
Type | Article in Proceedings |
Conference | Advanced Information Networking and Applications, AINA 2019 |
MU Faculty or unit | |
Citation | |
Doi | http://dx.doi.org/10.1007/978-3-030-15032-7_107 |
Keywords | Domain name system; Domain generations algorithms; Botnets; Command and control servers |
Description | Botnets pose a major threat to the information security of organizations and individuals. The bots (malware infected hosts) receive commands and updates from the Command and Control (C&C) servers, and hence, contacting and communicating with these servers is an essential requirement of bots. However, once a malware is identified in the infected host, it is easy to find its C&C server and block it, if the domain names of the servers are hard-coded in the malware. To counter such detection, many malwares families use probabilistic algorithms known as domain generation algorithms (DGAs) to generate domain names for the C&C servers. This makes it difficult to track down the C&C servers of the Botnet even after the malware is identified. In this paper, we propose a probabilistic approach for the identification of domain names which are likely to be generated by a malware using DGA. The proposed solution is based on the hypothesis that human generated domain names are usually inspired by the words from a particular language (say English), whereas DGA generated domain names should contain random sub-strings in it. Results show that the percentage of false negatives in the detection of DGA generated domain names using the proposed method is less than 29% across 30 DGA families considered by us in our experimentation. |
Related projects: |