Abstract
To achieve concealment and migration, some botnets, such as Conficker, Srizbi and Torpig, use a Domain Generation Algorithm (DGA) to dynamically produce a large number of random domain names; only a small subset of these names is then selected for actual C&C. Compared with normal domain names, DGA-generated names differ significantly in length, character frequency, etc. Current research mainly uses clustering and classification methods to detect abnormal domain names: some approaches cluster NXDomain traffic, others classify string features such as the distribution of alphanumeric characters and bigrams. In fact, a domain name has a strict hierarchy, and each domain level has its own regularities. In this paper, this hierarchical characteristic is introduced into the detection process. We divide the domain name into distinct levels and calculate the characteristic value of each level separately; at each level we apply entropy, bigram and length detection. Because the levels differ in detection efficiency, we design a weight for each level based on its efficiency. Finally, the level characteristic value of a domain name is the weighted average of the level values. Our experiments show that the accuracy of the level-based method is higher than 94%.
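The level-based scoring described in the abstract, as an added illustration (not the paper's code): each label of the domain is treated as one level, scored by entropy, bigram and length features, and the levels are combined by a weighted average. The level weights, the normalisation constants and the small benign corpus used for the bigram reference are assumptions made for this example; the paper derives its weights from the measured efficiency of each level.

```python
# Level-based DGA scoring: an added illustration, not the paper's code.
# Each label (level) gets entropy, bigram and length feature values; the
# per-level scores are combined with level weights (weights, normalisation
# constants and the benign corpus below are assumptions for this example).
import math
from collections import Counter
from itertools import chain

# Constructed benign labels used to build the reference bigram model.
BENIGN_LABELS = ["www", "google", "mail", "wikipedia", "amazon", "github",
                 "example", "news", "login", "cloud", "store", "support",
                 "docs", "shop", "com", "net", "org"]

def bigrams(s):
    return [s[i:i + 2] for i in range(len(s) - 1)]

KNOWN_BIGRAMS = set(chain.from_iterable(bigrams(l) for l in BENIGN_LABELS))

def entropy(label):
    """Shannon entropy (bits) of the character distribution of one label."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def bigram_score(label):
    """Fraction of the label's bigrams absent from the benign reference."""
    bg = bigrams(label)
    return sum(b not in KNOWN_BIGRAMS for b in bg) / len(bg) if bg else 0.0

def level_score(label):
    """Average of the three normalised features, 0 (benign) .. 1 (random)."""
    e = min(entropy(label) / 4.0, 1.0)   # 4 bits ~ 16 equiprobable symbols
    l = min(len(label) / 20.0, 1.0)      # labels beyond 20 chars saturate
    return (e + bigram_score(label) + l) / 3.0

# Assumed weights: the registered (second-level) label carries most signal,
# the TLD very little, deeper sub-labels in between.
LEVEL_WEIGHTS = {"tld": 0.1, "sld": 0.6, "sub": 0.3}

def domain_score(domain):
    """Weighted average of per-level scores; levels are counted from the right."""
    labels = domain.lower().rstrip(".").split(".")
    tld, sld, subs = labels[-1], labels[-2] if len(labels) > 1 else "", labels[:-2]
    parts = [(LEVEL_WEIGHTS["tld"], level_score(tld)),
             (LEVEL_WEIGHTS["sld"], level_score(sld))]
    if subs:  # most anomalous sub-label, so benign prefixes do not dilute it
        parts.append((LEVEL_WEIGHTS["sub"], max(level_score(s) for s in subs)))
    return sum(w * s for w, s in parts) / sum(w for w, _ in parts)

def is_dga(domain, threshold=0.5):
    return domain_score(domain) >= threshold
```

With these assumed weights, `www.google.com` scores about 0.19 and a constructed random label such as `xk3qz7wpf9vmal2t.com` about 0.81; the 0.5 threshold is likewise an assumption to be tuned on labelled data.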
© 2014 Springer-Verlag Berlin Heidelberg
Cite this paper
Zhang, Y., Zhang, Y., Xiao, J. (2014). Detecting the DGA-Based Malicious Domain Names. In: Yuan, Y., Wu, X., Lu, Y. (eds) Trustworthy Computing and Services. ISCTCS 2013. Communications in Computer and Information Science, vol 426. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-43908-1_17
DOI: https://doi.org/10.1007/978-3-662-43908-1_17
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-43907-4
Online ISBN: 978-3-662-43908-1