< Back to previous page

Publication

Detection of algorithmically generated domain names used by botnets: a dual arms race.

Book Contribution - Book Chapter Conference Contribution

Malware typically uses Domain Generation Algorithms (DGAs) as a mechanism to contact their Command and Control server. In recent years, different approaches to automatically detect generated domain names have been proposed, based on machine learning. The first problem that we address is the difficulty to systematically compare these DGA detection algorithms due to the lack of an independent benchmark. The second problem that we investigate is the difficulty for an adversary to circumvent these classifiers when the machine learning models backing these DGA-detectors are known. In this paper we compare two different approaches on the same set of DGAs: classical machine learning using manually engineered features and a ‘deep learning’ recurrent neural network. We show that the deep learning approach performs consistently better on all of the tested DGAs, with an average classification accuracy of 98.7% versus 93.8% for the manually engineered features. We also show that one of the dangers of manual feature engineering is that DGAs can adapt their strategy, based on knowledge of the features used to detect them. To demonstrate this, we use the knowledge of the used feature set to design a new DGA which makes the random forest classifier powerless with a classification accuracy of 59.9%. The deep learning classifier is also (albeit less) affected, reducing its accuracy to 85.5%.
Book: Proceedings of the 34rd ACM/SIGAPP Symposium On Applied Computing
Pages: 1916 - 1923
Number of pages: 8
ISBN:978-1-4503-5933-7
Publication year:2019
BOF-keylabel:yes
IOF-keylabel:yes
Authors from:Private, Higher Education
Accessibility:Open