6 research outputs found

    A Superficial Analysis Approach for Identifying Malicious Domain Names Generated by DGA Malware

    Some of the most serious security threats facing computer networks involve malware. To prevent malware-related damage, administrators must swiftly identify and remove the infected machines that may reside in their networks. However, many malware families use domain generation algorithms (DGAs) to avoid detection. A DGA is a technique in which the domain name is changed frequently to hide the callback communication from the infected machine to the command-and-control server. In this article, we propose an approach for estimating the randomness of domain names by superficially analyzing their character strings. This approach is based on the following observations: human-generated benign domain names tend to reflect the intent of their domain registrants, such as an organization, product, or content. In contrast, dynamically generated malicious domain names consist of meaningless character strings because conflicts with already registered domain names must be avoided; hence, there are discernible differences between the strings of dynamically generated and human-generated domain names. Notably, our approach does not require any prior knowledge about DGAs. Our evaluation indicates that the proposed approach is capable of achieving recall and precision as high as 0.9960 and 0.9029, respectively, when used with labeled datasets. Additionally, this approach has proven to be highly effective for datasets collected via a campus network. Thus, these results suggest that malware-infected machines can be swiftly identified and removed from networks using DNS queries for detected malicious domains as triggers.

    An Approach for Identifying Malicious Domain Names Generated by Dictionary-Based DGA Bots

    Computer networks are facing serious threats from the emergence of sophisticated new DGA bots. These DGA bots have their own dictionary, from which they concatenate words to dynamically generate domain names that are difficult to distinguish from human-generated domain names. In this letter, we propose an approach for identifying the callback communications of DGA bots based on relations among the words that constitute the character string of each domain name. Our evaluation indicates high performance, with a recall of 0.9977 and a precision of 0.9869.

    Implementation and Evaluation of DGA-Based Botnet Detection Algorithms on the Communication Network of a Higher Education Institution (IES).

    With the constant evolution of telecommunications networks and the exponential increase in Internet traffic, it is necessary to prevent increasingly sophisticated cyberattacks. A DGA is a technique that automatically and covertly generates malicious domains to control bots and carry out these attacks. This work proposes implementing two DGA-based botnet detection algorithms: MaldomDetector and masked N-grams. Both use supervised machine learning and rely on extracting lexical and statistical features from domain names. The BNDF framework is used as the base for detecting mAGDs. However, since BNDF does not provide real-time results, an early detection module was developed that, building on the selected detection algorithms, optimizes the framework's operation. Different test scenarios were designed, in controlled environments and on a real network. In the controlled scenarios, various evaluation metrics were used to determine the detection performance of the algorithms. In the real-network tests, DNS requests were analyzed alongside the predictions made by the algorithms in order to evaluate the accuracy of those predictions. Finally, the computational resources required by each algorithm were evaluated. Masked N-grams demonstrated excellent classification performance, with a value of 85.09 % on all metrics. MaldomDetector showed a better processing time, at 1.38 ms per domain, making it the best option for networks with limited resources.

    Computer Aided Verification

    This open access two-volume set LNCS 10980 and 10981 constitutes the refereed proceedings of the 30th International Conference on Computer Aided Verification, CAV 2018, held in Oxford, UK, in July 2018. The 52 full and 13 tool papers presented together with 3 invited papers and 2 tutorials were carefully reviewed and selected from 215 submissions. The papers cover a wide range of topics and techniques, from algorithmic and logical foundations of verification to practical applications in distributed, networked, cyber-physical, and autonomous systems. They are organized in topical sections on model checking, program analysis using polyhedra, synthesis, learning, runtime verification, hybrid and timed systems, tools, probabilistic systems, static analysis, theory and security, SAT, SMT and decision procedures, concurrency, and CPS, hardware, and industrial applications.

    Bowdoin Orient v.139, no.1-26 (2009-2010)
