More than Words is What you Need - Detecting DGA and Phishing Domains with Dom2Vec Word Embeddings

Lucas  Torrealba; Pedro Casas-Hernandez; Javier Bustos-Jiménez; Mislav  Findrik

doi:10.23919/TMA62044.2024.10559115

More than Words is What you Need - Detecting DGA and Phishing Domains with Dom2Vec Word Embeddings

Lucas Torrealba, Pedro Casas-Hernandez (Autor:in und Vortragende:r), Javier Bustos-Jiménez, Mislav Findrik

Data Science & Artifical Intelligence

Publikation: Beitrag in Buch oder Tagungsband › Beitrag in Tagungsband mit Posterpräsentation › Begutachtung

Abstract

The rapid detection of Domain Generation Algorithm (DGA) and general phishing domains plays a critical role in mitigating malware propagation and its potential impact, as well as in limiting botnet activity coordination through command and control (C&C) servers. We assess a learning driven approach for accurate detection of DGA-generated and phishing domains, leveraging word embeddings learned from observed domain names in DNS queries or browsing URLs. Domain embeddings are constructed with Dom2Vec (D2V), a novel technique which builds on top of word embedding models (e.g., Word2Vec) to map words and tokens extracted from domain names into highly expressive representations. Through experimental evaluation on a large-scale dataset of almost 800,000 domains, comprising 25 distinct families of DGA domains and general phishing URLs, we demonstrate the goodness of D2V embeddings for phishing detection, in particular for the detection of DGAs.

Originalsprache	Englisch
Titel	2024 8th Network Traffic Measurement and Analysis Conference (TMA)
Seiten	1-4
Seitenumfang	4
ISBN (elektronisch)	978-3-903176-64-5
DOIs	https://doi.org/10.23919/TMA62044.2024.10559115
Publikationsstatus	Veröffentlicht - 20 Juni 2024
Veranstaltung	2024 8th Network Traffic Measurement and Analysis Conference (TMA) - Dresden, Dresden, Deutschland Dauer: 21 Mai 2024 → 24 Mai 2024

Konferenz

Konferenz	2024 8th Network Traffic Measurement and Analysis Conference (TMA)
Land/Gebiet	Deutschland
Stadt	Dresden
Zeitraum	21/05/24 → 24/05/24

Research Field

Multimodal Analytics

Zugriff auf Dokument

10.23919/TMA62044.2024.10559115Lizenz: Nicht angegeben

Diese Publikation zitieren

@inbook{7415aa2de55b411e8fad4c0f1be9f7d4,

title = "More than Words is What you Need - Detecting DGA and Phishing Domains with Dom2Vec Word Embeddings",

abstract = "The rapid detection of Domain Generation Algorithm (DGA) and general phishing domains plays a critical role in mitigating malware propagation and its potential impact, as well as in limiting botnet activity coordination through command and control (C&C) servers. We assess a learning driven approach for accurate detection of DGA-generated and phishing domains, leveraging word embeddings learned from observed domain names in DNS queries or browsing URLs. Domain embeddings are constructed with Dom2Vec (D2V), a novel technique which builds on top of word embedding models (e.g., Word2Vec) to map words and tokens extracted from domain names into highly expressive representations. Through experimental evaluation on a large-scale dataset of almost 800,000 domains, comprising 25 distinct families of DGA domains and general phishing URLs, we demonstrate the goodness of D2V embeddings for phishing detection, in particular for the detection of DGAs.",

author = "Lucas Torrealba and Pedro Casas-Hernandez and Javier Bustos-Jim{\'e}nez and Mislav Findrik",

year = "2024",

month = jun,

day = "20",

doi = "10.23919/TMA62044.2024.10559115",

language = "English",

isbn = "979-8-3503-7888-7",

pages = "1--4",

booktitle = "2024 8th Network Traffic Measurement and Analysis Conference (TMA)",

note = "2024 8th Network Traffic Measurement and Analysis Conference (TMA) ; Conference date: 21-05-2024 Through 24-05-2024",

}

Torrealba, L, Casas-Hernandez, P, Bustos-Jiménez, J & Findrik, M 2024, More than Words is What you Need - Detecting DGA and Phishing Domains with Dom2Vec Word Embeddings. in 2024 8th Network Traffic Measurement and Analysis Conference (TMA). S. 1-4, 2024 8th Network Traffic Measurement and Analysis Conference (TMA), Dresden, Sachsen, Deutschland, 21/05/24. https://doi.org/10.23919/TMA62044.2024.10559115

More than Words is What you Need - Detecting DGA and Phishing Domains with Dom2Vec Word Embeddings. / Torrealba, Lucas ; Casas-Hernandez, Pedro (Autor:in und Vortragende:r); Bustos-Jiménez, Javier et al.
2024 8th Network Traffic Measurement and Analysis Conference (TMA). 2024. S. 1-4.

Publikation: Beitrag in Buch oder Tagungsband › Beitrag in Tagungsband mit Posterpräsentation › Begutachtung

TY - CHAP

T1 - More than Words is What you Need - Detecting DGA and Phishing Domains with Dom2Vec Word Embeddings

AU - Torrealba, Lucas

AU - Bustos-Jiménez, Javier

AU - Findrik, Mislav

A2 - Casas-Hernandez, Pedro

PY - 2024/6/20

Y1 - 2024/6/20

N2 - The rapid detection of Domain Generation Algorithm (DGA) and general phishing domains plays a critical role in mitigating malware propagation and its potential impact, as well as in limiting botnet activity coordination through command and control (C&C) servers. We assess a learning driven approach for accurate detection of DGA-generated and phishing domains, leveraging word embeddings learned from observed domain names in DNS queries or browsing URLs. Domain embeddings are constructed with Dom2Vec (D2V), a novel technique which builds on top of word embedding models (e.g., Word2Vec) to map words and tokens extracted from domain names into highly expressive representations. Through experimental evaluation on a large-scale dataset of almost 800,000 domains, comprising 25 distinct families of DGA domains and general phishing URLs, we demonstrate the goodness of D2V embeddings for phishing detection, in particular for the detection of DGAs.

AB - The rapid detection of Domain Generation Algorithm (DGA) and general phishing domains plays a critical role in mitigating malware propagation and its potential impact, as well as in limiting botnet activity coordination through command and control (C&C) servers. We assess a learning driven approach for accurate detection of DGA-generated and phishing domains, leveraging word embeddings learned from observed domain names in DNS queries or browsing URLs. Domain embeddings are constructed with Dom2Vec (D2V), a novel technique which builds on top of word embedding models (e.g., Word2Vec) to map words and tokens extracted from domain names into highly expressive representations. Through experimental evaluation on a large-scale dataset of almost 800,000 domains, comprising 25 distinct families of DGA domains and general phishing URLs, we demonstrate the goodness of D2V embeddings for phishing detection, in particular for the detection of DGAs.

U2 - 10.23919/TMA62044.2024.10559115

DO - 10.23919/TMA62044.2024.10559115

M3 - Conference Proceedings with Poster Presentation

SN - 979-8-3503-7888-7

SP - 1

EP - 4

BT - 2024 8th Network Traffic Measurement and Analysis Conference (TMA)

T2 - 2024 8th Network Traffic Measurement and Analysis Conference (TMA)

Y2 - 21 May 2024 through 24 May 2024

ER -

More than Words is What you Need - Detecting DGA and Phishing Domains with Dom2Vec Word Embeddings

Abstract

Konferenz

Research Field

Zugriff auf Dokument

Fingerprint

Diese Publikation zitieren