Not all DGAs are Born the Same - Improving Lexicographic based Detection of DGA Domains through AI/ML

Lucas Torrealba; P Casas-Hernandez; Javier Bustos-Jiménez; Germán Capdehourat; Mislav Findrik

Not all DGAs are Born the Same - Improving Lexicographic based Detection of DGA Domains through AI/ML

Lucas Torrealba (Autor:in und Vortragende:r), P Casas-Hernandez, Javier Bustos-Jiménez, Germán Capdehourat, Mislav Findrik

Data Science & Artifical Intelligence

Publikation: Beitrag in Buch oder Tagungsband › Vortrag mit Beitrag in Tagungsband › Begutachtung

Abstract

Timely identfication of DNS queries to Domain Generation Alogorithm (DGA) domains is crucial to limit malware propagation and its potential impact, particularly to prevent coordinated activites of botnets. We explore an approach for swift detection of DGA-generated domains by analyzing lexicographic features exclusively derived from the domain name as observed in DNS query. We propose a reputation-based scoring system for domain names, based on the co-occurrence frequency of n-grams with respect to a list of well-known benign domains or whitelist. We further extract meaningful features from domain names and employ machine learing techniques to enhance detection performance. Experimental results on detecting 25 different families of DGA domains reveal that combining reputation scores with other basic lexicographic features largely outperforms current state of the art approaches.

Originalsprache	Englisch
Titel	Proceedings of the 7th Network Traffic Measurement and Analysis Conference
Seiten	1-4
Seitenumfang	4
ISBN (elektronisch)	978-3-903176-58-4
Publikationsstatus	Veröffentlicht - 7 Aug. 2023
Veranstaltung	Network Traffic Measurement and Analysis Conference - University of Napoli Federico II, Napoli, Italien Dauer: 26 Juni 2023 → 29 Juni 2023 Konferenznummer: 7 https://tma.ifip.org/2023/

Konferenz

Konferenz	Network Traffic Measurement and Analysis Conference
Kurztitel	TMA 2023
Land/Gebiet	Italien
Stadt	Napoli
Zeitraum	26/06/23 → 29/06/23
Internetadresse	https://tma.ifip.org/2023/

Research Field

Ehemaliges Research Field - Data Science

Zugriff auf Dokument

https://opendl.ifip-tc6.org/db/conf/tma/tma2023/tma2023-extended-abstract-paper1.pdf

Diese Publikation zitieren

Torrealba, L., Casas-Hernandez, P., Bustos-Jiménez, J., Capdehourat, G., & Findrik, M. (2023). Not all DGAs are Born the Same - Improving Lexicographic based Detection of DGA Domains through AI/ML. in Proceedings of the 7th Network Traffic Measurement and Analysis Conference (S. 1-4) https://opendl.ifip-tc6.org/db/conf/tma/tma2023/tma2023-extended-abstract-paper1.pdf

@inproceedings{27f51758389c429d89717b4154c50267,

title = "Not all DGAs are Born the Same - Improving Lexicographic based Detection of DGA Domains through AI/ML",

abstract = "Timely identfication of DNS queries to Domain Generation Alogorithm (DGA) domains is crucial to limit malware propagation and its potential impact, particularly to prevent coordinated activites of botnets. We explore an approach for swift detection of DGA-generated domains by analyzing lexicographic features exclusively derived from the domain name as observed in DNS query. We propose a reputation-based scoring system for domain names, based on the co-occurrence frequency of n-grams with respect to a list of well-known benign domains or whitelist. We further extract meaningful features from domain names and employ machine learing techniques to enhance detection performance. Experimental results on detecting 25 different families of DGA domains reveal that combining reputation scores with other basic lexicographic features largely outperforms current state of the art approaches. ",

author = "Lucas Torrealba and P Casas-Hernandez and Javier Bustos-Jim{\'e}nez and Germ{\'a}n Capdehourat and Mislav Findrik",

year = "2023",

month = aug,

day = "7",

language = "English",

pages = "1--4",

booktitle = "Proceedings of the 7th Network Traffic Measurement and Analysis Conference",

note = "Network Traffic Measurement and Analysis Conference, TMA 2023 ; Conference date: 26-06-2023 Through 29-06-2023",

url = "https://tma.ifip.org/2023/",

}

Torrealba, L, Casas-Hernandez, P, Bustos-Jiménez, J, Capdehourat, G & Findrik, M 2023, Not all DGAs are Born the Same - Improving Lexicographic based Detection of DGA Domains through AI/ML. in Proceedings of the 7th Network Traffic Measurement and Analysis Conference. S. 1-4, Network Traffic Measurement and Analysis Conference, Napoli, Italien, 26/06/23. <https://opendl.ifip-tc6.org/db/conf/tma/tma2023/tma2023-extended-abstract-paper1.pdf>

Not all DGAs are Born the Same - Improving Lexicographic based Detection of DGA Domains through AI/ML. / Torrealba, Lucas (Autor:in und Vortragende:r); Casas-Hernandez, P; Bustos-Jiménez, Javier et al.
Proceedings of the 7th Network Traffic Measurement and Analysis Conference. 2023. S. 1-4.

Publikation: Beitrag in Buch oder Tagungsband › Vortrag mit Beitrag in Tagungsband › Begutachtung

TY - GEN

T1 - Not all DGAs are Born the Same - Improving Lexicographic based Detection of DGA Domains through AI/ML

AU - Casas-Hernandez, P

AU - Bustos-Jiménez, Javier

AU - Capdehourat, Germán

AU - Findrik, Mislav

A2 - Torrealba, Lucas

N1 - Conference code: 7

PY - 2023/8/7

Y1 - 2023/8/7

N2 - Timely identfication of DNS queries to Domain Generation Alogorithm (DGA) domains is crucial to limit malware propagation and its potential impact, particularly to prevent coordinated activites of botnets. We explore an approach for swift detection of DGA-generated domains by analyzing lexicographic features exclusively derived from the domain name as observed in DNS query. We propose a reputation-based scoring system for domain names, based on the co-occurrence frequency of n-grams with respect to a list of well-known benign domains or whitelist. We further extract meaningful features from domain names and employ machine learing techniques to enhance detection performance. Experimental results on detecting 25 different families of DGA domains reveal that combining reputation scores with other basic lexicographic features largely outperforms current state of the art approaches.

AB - Timely identfication of DNS queries to Domain Generation Alogorithm (DGA) domains is crucial to limit malware propagation and its potential impact, particularly to prevent coordinated activites of botnets. We explore an approach for swift detection of DGA-generated domains by analyzing lexicographic features exclusively derived from the domain name as observed in DNS query. We propose a reputation-based scoring system for domain names, based on the co-occurrence frequency of n-grams with respect to a list of well-known benign domains or whitelist. We further extract meaningful features from domain names and employ machine learing techniques to enhance detection performance. Experimental results on detecting 25 different families of DGA domains reveal that combining reputation scores with other basic lexicographic features largely outperforms current state of the art approaches.

M3 - Conference Proceedings with Oral Presentation

SP - 1

EP - 4

BT - Proceedings of the 7th Network Traffic Measurement and Analysis Conference

T2 - Network Traffic Measurement and Analysis Conference

Y2 - 26 June 2023 through 29 June 2023

ER -

Not all DGAs are Born the Same - Improving Lexicographic based Detection of DGA Domains through AI/ML

Abstract

Konferenz

Research Field

Zugriff auf Dokument

Fingerprint

Diese Publikation zitieren