Intercepting Hail Hydra: Real-Time Detection of Algorithmically Generated Domains

A crucial technical challenge for cybercriminals is to keep control over the potentially millions of infected devices that build up their botnets, without compromising the robustness of their attacks. A single, fixed C&C server, for example, can be trivially detected either by binary or traffic analysis and immediately sink-holed or taken-down by security researchers or law enforcement. Botnets often use Domain Generation Algorithms (DGAs), primarily to evade take-down mechanisms. DGAs enlarge the lifespan of a malware campaign, thus enhancing its profitability. They can also contribute to hardening attack attribution. In this work, we introduce HYDRA the most comprehensive and complete available dataset of Algorithmically-Generated Domains (AGD). The dataset contains more than 100 DGA families, including both real-world and adversarial ones. We analyse the dataset and discuss the possibility of differentiating between benign requests (to real domains) and malicious ones (to AGDs) in real-time. The simultaneous study of so many families and variants introduces several challenges; nonetheless, it alleviates biases found in previous literature that deals with small datasets and exploit some characteristic features of particular families. To this end, we thoroughly compare our approach with the current state-of-the-art and highlight some methodological shortcomings in the actual state of practice. The outcomes obtained show that our method significantly outperforms the current state-of-the-art in terms of both accuracy and efficiency.Comment: The dataset of this paper can be found in https://zenodo.org/record/396539