Detection of information system objects interaction with DGA domains

Abstract

Malware developers currently make active use of a domain name generation technique known as DGA (domain generation algorithm) to establish communication between malware and its command-and-control centers. Generating domain names according to a predefined algorithm lets the malware bypass the blacklists of information protection tools, rendering those blacklists ineffective, and establish a channel for receiving control commands and parameters as well as for transferring information from the information system to external resources controlled by the attackers. New approaches to detecting DGA-generated domain names from the DNS traffic of an information system are therefore needed.

In the course of the research, the authors developed a machine-learning-based solution for detecting the interaction of information system objects with DGA domains. Detection proceeds in two stages. In the first stage, a classification task is solved for each DNS name in the overall DNS stream of the information system. In the second stage, for each DNS name classified as DGA, the corresponding DNS query is enriched with data from external sources and a final decision is made about the malicious nature of the request to resolve that DNS name, followed by notification of the security administrator by e-mail.
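The two-stage scheme described above, as an added illustration that is not the paper's own code or dataset: stage one is a naive-Bayes character-bigram classifier trained on constructed benign and DGA-looking labels, and stage two enriches each stage-one hit with an assumed external allowlist and the DNS response code, then decides per source host. The training labels, allowlist, sample DNS records and the NXDOMAIN threshold are all assumptions made here.

```python
import math
from collections import Counter, defaultdict
# Constructed training labels (not the paper's dataset): popular-site labels vs. DGA-looking ones.
BENIGN = ["google", "wikipedia", "github", "stackoverflow", "microsoft",
          "amazon", "youtube", "reddit", "netflix", "mozilla"]
DGA = ["xkq7vmz2plw", "qzjvhtrmwpx", "b3n8fkd0wq", "ptzxqvjmrw", "wqkzjfxtvm",
       "hzpvqkxjtw", "zmqwvkxjpr", "kxzvqjwtmp", "jqxzwvkmpt", "vkxzqjwmrp"]
# Assumed stage-2 "external source": an allowlist of known-good registered domains (constructed).
ALLOWLIST = {"kxqzvjwmtp.net"}
def bigrams(label):
    s = f"^{label}$"                    # boundary markers capture start/end habits
    return [s[i:i + 2] for i in range(len(s) - 1)]
class BigramNB:
    """Stage 1: naive-Bayes character-bigram classifier with add-one smoothing."""
    def __init__(self, benign, dga):
        self.counts = {"benign": Counter(bg for l in benign for bg in bigrams(l)),
                       "dga": Counter(bg for l in dga for bg in bigrams(l))}
        self.vocab = len(set(self.counts["benign"]) | set(self.counts["dga"]))
    def _loglik(self, cls, label):
        total = sum(self.counts[cls].values()) + self.vocab
        return sum(math.log((self.counts[cls][bg] + 1) / total) for bg in bigrams(label))
    def score(self, label):
        """Log-odds of DGA versus benign; > 0 means classified as DGA."""
        return self._loglik("dga", label) - self._loglik("benign", label)

def detect(queries, clf, nx_threshold=3):
    """Stage 2: enrich stage-1 hits (allowlist, DNS response code) and decide per source host.
    Returns alert records; the paper's system e-mails them to the security administrator."""
    hits = defaultdict(list)
    for src, qname, rcode in queries:
        reg = ".".join(qname.rstrip(".").lower().split(".")[-2:])  # www.twitter.com -> twitter.com
        if reg in ALLOWLIST or clf.score(reg.split(".")[0]) <= 0:
            continue                    # cleared by the allowlist or by the classifier
        hits[src].append((qname, rcode))
    alerts = []
    for src, items in hits.items():
        # A DGA client cycles through mostly unregistered names, so require several
        # NXDOMAIN answers instead of alerting on a single odd-looking label.
        nx = sum(1 for _, rc in items if rc == "NXDOMAIN")
        if nx >= nx_threshold:
            alerts.append({"src": src, "names": [q for q, _ in items], "nxdomain": nx})
    return alerts

SAMPLE_QUERIES = [                      # constructed DNS log records: (src, qname, rcode)
    ("10.0.0.5", "www.twitter.com", "NOERROR"),
    ("10.0.0.5", "wvxqkzjmtp.com", "NXDOMAIN"),
    ("10.0.0.5", "zqjxvkwmrp.net", "NXDOMAIN"),
    ("10.0.0.5", "kzjqxvwtmp.org", "NXDOMAIN"),
    ("10.0.0.7", "kxqzvjwmtp.net", "NOERROR"),      # allowlisted look-alike
    ("10.0.0.9", "xqzvkjwmpt.com", "NXDOMAIN"),     # single hit only: below threshold
]
```

Running `detect(SAMPLE_QUERIES, BigramNB(BENIGN, DGA))` yields one alert, for host 10.0.0.5 with three NXDOMAIN answers; the allowlisted name and the isolated single hit are suppressed.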

The paper describes the development of a machine-learning-based classifier, defines the input data about a DNS name required for classification, and presents the results of training the classifier on a representative set of test data. The logic for deciding whether a DNS request is malicious is substantiated. The developed solution was tested on an experimental stand. Recommendations for maintaining correct classifier operation are proposed.

Application of the developed solution makes possible the a posteriori detection of information exchange between malware running on compromised objects of the information system and the servers of the attackers' command and control centers.

About the authors

Vadim G. Zhukov

Reshetnev Siberian State University of Science and Technology

Email: zhukov@mail.sibsau.ru

Cand. Sc., Associate Professor at the Department of Information Technology Security

Russian Federation, 31, Krasnoyarskii rabochii prospekt, Krasnoyarsk, 660037

Yan V. Pigalev

Reshetnev Siberian State University of Science and Technology

Author for correspondence.
Email: pigalevyan1998@mail.ru

Master’s Degree Student

Russian Federation, 31, Krasnoyarskii rabochii prospekt, Krasnoyarsk, 660037

Copyright (c) 2021 Zhukov V.G., Pigalev Y.V.

This work is licensed under a Creative Commons Attribution 4.0 International License.