3 research outputs found
Encrypted and Covert DNS Queries for Botnets: Challenges and Countermeasures
There is a continuous increase in the sophistication that modern malware
exercise in order to bypass the deployed security mechanisms. A typical
approach to evade the identification and potential take down of a botnet
command and control server is domain fluxing through the use of Domain
Generation Algorithms (DGAs). These algorithms produce a vast amount of
domain names that the infected device tries to communicate with to find the
C&C server, yet only a small fragment of them is actually registered. This
allows the botmaster to pivot the control and make the work of seizing the
botnet control rather difficult.
Current state of the art and practice considers that the DNS queries performed by a compromised device are transparent to the network administrator and therefore can be monitored, analysed, and blocked. In this work, we
showcase that the latter is a strong assumption as malware could efficiently
hide its DNS queries using covert and/or encrypted channels bypassing the
detection mechanisms. To this end, we discuss possible mitigation measures
based on traffic analysis to address the new challenges that arise from this
approach
Bidirectional LSTM models for DGA classification
The paper describes our submission to the shared task on DGA classification at DMD 2018. The approach is based on a Deep Learning architecture using bidirectional LSTM neural networks. Similar models are used in both the tasks, the first one is to identify the DGA generated domain name and the second one is to detect and categorize the DGA generated domain name to their botnet family