On the use of DGAs in malware: an everlasting competition of detection and evasion

Malware typically makes use of Domain Generation Algorithms (DGAs) as a mechanism to contact their Command and Control server. In recent years, different approaches to automatically detect generated domain names have been proposed, based on machine learning. The first problem that we address is the difficulty to systematically compare these DGA detection algorithms due to the lack of an independent benchmark. The second problem that we investigate is the difficulty for an adversary to circumvent these classifiers when the machine learning models backing these DGA-detectors are known. In this paper we compare two different approaches on the same set of DGAs: classical machine learning using manually engineered features and a ‘deep learning’ recurrent neural network. We show that the deep learning approach performs consistently better on all of the tested DGAs, with an average classification accuracy of 98.7% versus 93.8% for the manually engineered features. We demonstrate that the deep learning solution yields better results even when only 10,000 malicious samples are available. We also show that one of the dangers of manual feature engineering is that DGAs can adapt their strategy, based on knowledge of the features used to detect them. To demonstrate this, we use the knowledge of the used feature set to design a new DGA which makes the Random Forest classifier powerless with a classification accuracy of 57.3%. The deep learning classifier is also (albeit less) affected, reducing its accuracy to 78.9%.

Jaar van publicatie:2019

Toegankelijkheid:Open