Selvi, Jose; Rodríguez, Ricardo J; Soria-Olivas, Emilio
Detection of Algorithmically Generated Malicious Domain Names using Masked N-Grams Journal Article
In: Expert Systems with Applications, vol. 124, pp. 156–163, 2019, ISSN: 0957-4174.
Abstract | Links | BibTeX | Tags: Domain-generated algorithms, malware, Random Forest
@article{SRS-ESWA-19,
title = {Detection of Algorithmically Generated Malicious Domain Names using Masked N-Grams},
author = {Jose Selvi and Ricardo J Rodríguez and Emilio Soria-Olivas},
url = {http://webdiis.unizar.es/~ricardo/files/papers/SRS-ESWA-19.pdf},
doi = {10.1016/j.eswa.2019.01.050},
issn = {0957-4174},
year = {2019},
date = {2019-01-01},
journal = {Expert Systems with Applications},
volume = {124},
pages = {156--163},
abstract = {Malware detection is a challenge that has increased in complexity in the last few years. A widely adopted strategy is to detect malware by means of analyzing network traffic, capturing the communications with their command and control (C&C) servers. However, some malware families have shifted to a stealthier communication strategy, since anti-malware companies maintain blacklists of known malicious locations. Instead of using static IP addresses or domain names, they algorithmically generate domain names that may host their C&C servers. Hence, blacklist approaches become ineffective since the number of domain names to block is large and varies from time to time. In this paper, we introduce a machine learning approach using Random Forest that relies on purely lexical features of the domain names to detect algorithmically generated domains. In particular, we propose using masked N-grams, together with other statistics obtained from the domain name. Furthermore, we provide a dataset built for experimentation that contains regular and algorithmically generated domain names, coming from different malware families. We also classify these families according to their type of domain generation algorithm. Our findings show that masked N-grams provide detection accuracy that is comparable to that of other existing techniques, but with much better performance.},
keywords = {Domain-generated algorithms, malware, Random Forest},
pubstate = {published},
tppubtype = {article}
}
Malware detection is a challenge that has increased in complexity in the last few years. A widely adopted strategy is to detect malware by means of analyzing network traffic, capturing the communications with their command and control (C&C) servers. However, some malware families have shifted to a stealthier communication strategy, since anti-malware companies maintain blacklists of known malicious locations. Instead of using static IP addresses or domain names, they algorithmically generate domain names that may host their C&C servers. Hence, blacklist approaches become ineffective since the number of domain names to block is large and varies from time to time. In this paper, we introduce a machine learning approach using Random Forest that relies on purely lexical features of the domain names to detect algorithmically generated domains. In particular, we propose using masked N-grams, together with other statistics obtained from the domain name. Furthermore, we provide a dataset built for experimentation that contains regular and algorithmically generated domain names, coming from different malware families. We also classify these families according to their type of domain generation algorithm. Our findings show that masked N-grams provide detection accuracy that is comparable to that of other existing techniques, but with much better performance.