Abstract
In order to stay undetected and keep their operations alive, cyber criminals are continuously evolving their methods to stay ahead of current best defense practices. Over the past decade, botnets have developed from using statically hardcoded IP addresses and domain names to randomly-generated ones, so-called domain generation algorithms (DGA). Malicious software coordinated via DGAs leaves however a distinctive signature in network traces of high entropy domain names, and a variety of algorithms have been introduced to detect certain aspects about currently used DGAs.
In this paper, we look ahead and evaluate the utility of today's detection mechanisms if botnets make the next obvious evolutionary step, and replace domain names generated from random letters with randomly selected, but actual dictionary words. We find that the performance of state-of-the-art solutions that rely on linguistic feature detection would significantly decline after this transition, and discuss an alternative novel approach to detect DGAs without making any assumptions on the internal structure and generating patterns of these algorithms.
In this paper, we look ahead and evaluate the utility of today's detection mechanisms if botnets make the next obvious evolutionary step, and replace domain names generated from random letters with randomly selected, but actual dictionary words. We find that the performance of state-of-the-art solutions that rely on linguistic feature detection would significantly decline after this transition, and discuss an alternative novel approach to detect DGAs without making any assumptions on the internal structure and generating patterns of these algorithms.
| Original language | English |
|---|---|
| Title of host publication | ARES 2017 |
| Subtitle of host publication | Proceedings of the 12th International Conference on Availability, Reliability and Security |
| Place of Publication | New York, NY |
| Publisher | Association for Computing Machinery (ACM) |
| Pages | 1-8 |
| Number of pages | 8 |
| ISBN (Electronic) | 978-1-4503-5257-4 |
| DOIs | |
| Publication status | Published - 2017 |
| Event | ARES 2017: 12th International Conference on Availability, Reliability and Security - Reggio Calabria, Italy Duration: 29 Aug 2017 → 1 Sept 2017 Conference number: 12 |
Conference
| Conference | ARES 2017 |
|---|---|
| Country/Territory | Italy |
| City | Reggio Calabria |
| Period | 29/08/17 → 1/09/17 |
Keywords
- malware
- domain-generation-algorithm
- threat intelligence