Not all DGAs are Born the Same - Improving Lexicographic based Detection of DGA Domains through AI/ML

Lucas Torrealba; P Casas-Hernandez; Javier Bustos-Jiménez; Germán Capdehourat; Mislav Findrik

Not all DGAs are Born the Same - Improving Lexicographic based Detection of DGA Domains through AI/ML

Lucas Torrealba (Author and Speaker), P Casas-Hernandez, Javier Bustos-Jiménez, Germán Capdehourat, Mislav Findrik

Data Science & Artifical Intelligence

Research output: Chapter in Book or Conference Proceedings › Conference Proceedings with Oral Presentation › peer-review

Abstract

Timely identfication of DNS queries to Domain Generation Alogorithm (DGA) domains is crucial to limit malware propagation and its potential impact, particularly to prevent coordinated activites of botnets. We explore an approach for swift detection of DGA-generated domains by analyzing lexicographic features exclusively derived from the domain name as observed in DNS query. We propose a reputation-based scoring system for domain names, based on the co-occurrence frequency of n-grams with respect to a list of well-known benign domains or whitelist. We further extract meaningful features from domain names and employ machine learing techniques to enhance detection performance. Experimental results on detecting 25 different families of DGA domains reveal that combining reputation scores with other basic lexicographic features largely outperforms current state of the art approaches.

Original language	English
Title of host publication	Proceedings of the 7th Network Traffic Measurement and Analysis Conference
Pages	1-4
Number of pages	4
ISBN (Electronic)	978-3-903176-58-4
Publication status	Published - 7 Aug 2023
Event	Network Traffic Measurement and Analysis Conference - University of Napoli Federico II, Napoli, Italy Duration: 26 Jun 2023 → 29 Jun 2023 Conference number: 7 https://tma.ifip.org/2023/

Conference

Conference	Network Traffic Measurement and Analysis Conference
Abbreviated title	TMA 2023
Country/Territory	Italy
City	Napoli
Period	26/06/23 → 29/06/23
Internet address	https://tma.ifip.org/2023/

Research Field

Former Research Field - Data Science

Access to Document

https://opendl.ifip-tc6.org/db/conf/tma/tma2023/tma2023-extended-abstract-paper1.pdf

Cite this

Torrealba, L., Casas-Hernandez, P., Bustos-Jiménez, J., Capdehourat, G., & Findrik, M. (2023). Not all DGAs are Born the Same - Improving Lexicographic based Detection of DGA Domains through AI/ML. In Proceedings of the 7th Network Traffic Measurement and Analysis Conference (pp. 1-4) https://opendl.ifip-tc6.org/db/conf/tma/tma2023/tma2023-extended-abstract-paper1.pdf

@inproceedings{27f51758389c429d89717b4154c50267,

title = "Not all DGAs are Born the Same - Improving Lexicographic based Detection of DGA Domains through AI/ML",

abstract = "Timely identfication of DNS queries to Domain Generation Alogorithm (DGA) domains is crucial to limit malware propagation and its potential impact, particularly to prevent coordinated activites of botnets. We explore an approach for swift detection of DGA-generated domains by analyzing lexicographic features exclusively derived from the domain name as observed in DNS query. We propose a reputation-based scoring system for domain names, based on the co-occurrence frequency of n-grams with respect to a list of well-known benign domains or whitelist. We further extract meaningful features from domain names and employ machine learing techniques to enhance detection performance. Experimental results on detecting 25 different families of DGA domains reveal that combining reputation scores with other basic lexicographic features largely outperforms current state of the art approaches. ",

author = "Lucas Torrealba and P Casas-Hernandez and Javier Bustos-Jim{\'e}nez and Germ{\'a}n Capdehourat and Mislav Findrik",

year = "2023",

month = aug,

day = "7",

language = "English",

pages = "1--4",

booktitle = "Proceedings of the 7th Network Traffic Measurement and Analysis Conference",

note = "Network Traffic Measurement and Analysis Conference, TMA 2023 ; Conference date: 26-06-2023 Through 29-06-2023",

url = "https://tma.ifip.org/2023/",

}

Torrealba, L, Casas-Hernandez, P, Bustos-Jiménez, J, Capdehourat, G & Findrik, M 2023, Not all DGAs are Born the Same - Improving Lexicographic based Detection of DGA Domains through AI/ML. in Proceedings of the 7th Network Traffic Measurement and Analysis Conference. pp. 1-4, Network Traffic Measurement and Analysis Conference, Napoli, Italy, 26/06/23. <https://opendl.ifip-tc6.org/db/conf/tma/tma2023/tma2023-extended-abstract-paper1.pdf>

Not all DGAs are Born the Same - Improving Lexicographic based Detection of DGA Domains through AI/ML. / Torrealba, Lucas (Author and Speaker); Casas-Hernandez, P; Bustos-Jiménez, Javier et al.
Proceedings of the 7th Network Traffic Measurement and Analysis Conference. 2023. p. 1-4.

Research output: Chapter in Book or Conference Proceedings › Conference Proceedings with Oral Presentation › peer-review

TY - GEN

T1 - Not all DGAs are Born the Same - Improving Lexicographic based Detection of DGA Domains through AI/ML

AU - Casas-Hernandez, P

AU - Bustos-Jiménez, Javier

AU - Capdehourat, Germán

AU - Findrik, Mislav

A2 - Torrealba, Lucas

N1 - Conference code: 7

PY - 2023/8/7

Y1 - 2023/8/7

N2 - Timely identfication of DNS queries to Domain Generation Alogorithm (DGA) domains is crucial to limit malware propagation and its potential impact, particularly to prevent coordinated activites of botnets. We explore an approach for swift detection of DGA-generated domains by analyzing lexicographic features exclusively derived from the domain name as observed in DNS query. We propose a reputation-based scoring system for domain names, based on the co-occurrence frequency of n-grams with respect to a list of well-known benign domains or whitelist. We further extract meaningful features from domain names and employ machine learing techniques to enhance detection performance. Experimental results on detecting 25 different families of DGA domains reveal that combining reputation scores with other basic lexicographic features largely outperforms current state of the art approaches.

AB - Timely identfication of DNS queries to Domain Generation Alogorithm (DGA) domains is crucial to limit malware propagation and its potential impact, particularly to prevent coordinated activites of botnets. We explore an approach for swift detection of DGA-generated domains by analyzing lexicographic features exclusively derived from the domain name as observed in DNS query. We propose a reputation-based scoring system for domain names, based on the co-occurrence frequency of n-grams with respect to a list of well-known benign domains or whitelist. We further extract meaningful features from domain names and employ machine learing techniques to enhance detection performance. Experimental results on detecting 25 different families of DGA domains reveal that combining reputation scores with other basic lexicographic features largely outperforms current state of the art approaches.

M3 - Conference Proceedings with Oral Presentation

SP - 1

EP - 4

BT - Proceedings of the 7th Network Traffic Measurement and Analysis Conference

T2 - Network Traffic Measurement and Analysis Conference

Y2 - 26 June 2023 through 29 June 2023

ER -

Not all DGAs are Born the Same - Improving Lexicographic based Detection of DGA Domains through AI/ML

Abstract

Conference

Research Field

Access to Document

Fingerprint

Cite this