Detection of information system objects interaction with DGA domains
Authors: Zhukov V.G., Pigalev Y.V.
Journal: Siberian Aerospace Journal @vestnik-sibsau-en
Section: Informatics, computer technology and management
Article in issue: 3, vol. 22, 2021
Free access
Malware developers currently make active use of a domain name generation technique, DGA, to establish communication between malware and its command-and-control servers. Generating domain names according to a given algorithm allows malicious software to bypass the blacklists of information protection tools, rendering blacklists ineffective, and to establish a communication channel for receiving control commands and parameters, as well as for transferring information from the information system to external resources controlled by attackers. It is therefore necessary to develop new approaches to detecting DGA-generated domain names using the DNS traffic of an information system.

During the research, the authors developed a machine-learning-based solution for detecting the interaction of information objects with DGA domains. Detection proceeds in two stages. In the first stage, a classification task is solved for each DNS name in the overall DNS stream of the information system. In the second stage, for each DNS name classified as DGA, the corresponding DNS query is enriched with data from external sources and a final decision about the malicious nature of the query that resolved this DNS name is made, followed by notification of a security administrator by e-mail.

The paper describes the process of developing a machine-learning classifier, defines the input data of a DNS name required for classification, and presents the results of training the classifier on a representative set of test data. The logic for deciding on the malicious nature of DNS queries is substantiated. The developed solution was tested on an experimental stand. Some recommendations for maintaining correct classifier operation are proposed.

Applying the developed solution makes possible the a posteriori detection of communication between malicious software running on compromised information objects and the attackers' command-and-control servers.
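As an added worked example (this code is not from the paper, whose classifier, feature set and decision logic are not reproduced here), the following Python sketches the two-stage scheme the abstract describes: a lexical classifier applied to every DNS name in a query log, then enrichment of the flagged names with external context before a final verdict that would be e-mailed to the administrator. The lexical features, the training names, the enrichment sources (an allowlist, a DGA feed and the resolver's response code), the sample DNS log records and the decision rule are all constructed assumptions for illustration.

```python
"""Two-stage detection of DGA-domain interaction, as the abstract describes it.
Added example, not the paper's code: stage 1 is a lexical classifier over DNS names
(pure-Python logistic regression with an assumed feature set); stage 2 enriches the
names it flags and makes the final verdict. All names, feed entries and log records
below are constructed for illustration."""
import math
from collections import Counter

VOWELS = set("aeiou")

def registrable_label(fqdn):
    """Label left of the suffix, naively taken as the second-to-last label."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def features(fqdn):
    """Lexical features of the registrable label (assumed set, not the paper's)."""
    s = registrable_label(fqdn)
    n = len(s)
    entropy = -sum(c / n * math.log2(c / n) for c in Counter(s).values())
    vowel_ratio = sum(ch in VOWELS for ch in s) / n
    digit_ratio = sum(ch.isdigit() for ch in s) / n
    run = longest = 0
    for ch in s:  # longest run of consonant letters; vowels and digits break it
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        longest = max(longest, run)
    return [n, entropy, vowel_ratio, digit_ratio, longest]

class DgaClassifier:
    """Logistic regression on standardized features, trained by plain SGD."""
    def __init__(self, epochs=2000, lr=0.1):
        self.epochs, self.lr = epochs, lr
        self.w = self.b = self.means = self.stds = None
    def _scale(self, x):
        return [(v - m) / s for v, m, s in zip(x, self.means, self.stds)]
    def _prob(self, x_scaled):
        z = sum(w * v for w, v in zip(self.w, x_scaled)) + self.b
        return 1.0 / (1.0 + math.exp(-max(-30.0, min(30.0, z))))  # clamp avoids overflow
    def fit(self, names, labels):
        X = [features(n) for n in names]
        cols = list(zip(*X))
        self.means = [sum(c) / len(c) for c in cols]
        self.stds = [math.sqrt(sum((v - m) ** 2 for v in c) / len(c)) or 1.0
                     for c, m in zip(cols, self.means)]
        X = [self._scale(x) for x in X]
        self.w, self.b = [0.0] * len(cols), 0.0
        for _ in range(self.epochs):
            for x, y in zip(X, labels):
                err = self._prob(x) - y
                self.w = [w - self.lr * err * v for w, v in zip(self.w, x)]
                self.b -= self.lr * err
        return self
    def score(self, fqdn):
        return self._prob(self._scale(features(fqdn)))
    def predict(self, fqdn, threshold=0.5):
        return self.score(fqdn) >= threshold

# Constructed training set: popular-looking benign names vs. random-looking DGA names.
BENIGN = ["google.com", "wikipedia.org", "github.com", "microsoft.com", "amazon.com",
          "youtube.com", "stackoverflow.com", "reddit.com", "netflix.com", "apple.com",
          "cloudflare.com", "mozilla.org"]
DGA = ["xkq7vmzp3lqwd.com", "aqwlznvbtyqmrpe.net", "pzxjfk2wvnbq.info", "mvkqzrtxlpwnd.biz",
       "zqwxrvtplmkn9.com", "bgtrkvzxqpmwn.org", "kxwqzvpbmtr7l.net", "qvzxwpkrmtbn.com",
       "tzqpxkvwbrmn2.info", "wxqzvkprtbmnl.biz", "jqxzvwkbprtm4.com", "hkzqxvwbpmrtn.org"]
# Stage-2 enrichment sources (constructed): allowlist of random-looking but legitimate names, external DGA feed.
ALLOWLIST = {"zqxkvwbprtmn.net"}
DGA_FEED = {"qvzxwpkrmtbn.com"}

def enrich_and_decide(query, clf):
    """query: {'qname', 'rcode', 'client'} from a DNS log. Returns an alert or None."""
    qname = query["qname"].lower().rstrip(".")
    if not clf.predict(qname):
        return None  # stage 1 says benign: nothing to enrich
    if qname in ALLOWLIST:
        return None  # enrichment overrides a classifier false positive
    evidence = []
    if query["rcode"] == "NXDOMAIN":
        evidence.append("NXDOMAIN")  # unregistered candidates are typical of DGA churn
    if qname in DGA_FEED:
        evidence.append("listed in external DGA feed")
    if not evidence:
        return None  # assumed rule: the lexical verdict alone does not raise an alert
    return {"client": query["client"], "qname": qname,
            "score": round(clf.score(qname), 3), "evidence": evidence}

def run_pipeline(queries, clf):
    """Stage 1 + stage 2 over a DNS log; the alerts are what the admin would get by e-mail."""
    return [a for a in (enrich_and_decide(q, clf) for q in queries) if a]

SAMPLE_QUERIES = [  # constructed DNS log records
    {"qname": "www.wikipedia.org", "rcode": "NOERROR", "client": "10.0.5.23"},
    {"qname": "pkxzqvwtmrbn5.com", "rcode": "NXDOMAIN", "client": "10.0.5.23"},
    {"qname": "qvzxwpkrmtbn.com", "rcode": "NOERROR", "client": "10.0.5.23"},
    {"qname": "zqxkvwbprtmn.net", "rcode": "NOERROR", "client": "10.0.7.4"},
    {"qname": "hxwqzvkbprtml.org", "rcode": "NOERROR", "client": "10.0.7.4"},
]

if __name__ == "__main__":
    model = DgaClassifier().fit(BENIGN + DGA, [0] * len(BENIGN) + [1] * len(DGA))
    for alert in run_pipeline(SAMPLE_QUERIES, model):
        print(alert)
```

Running the module prints the alerts for the constructed log: only two of the five queries survive the second stage. That is the point of enrichment in this sketch: a random-looking name that resolves normally and appears on no feed is not by itself grounds for an alert, and an allowlisted name is suppressed even when the classifier flags it. In a real deployment the training names would come from a top-sites list and a live DGA feed rather than the two dozen literals above, and the lexical features and threshold would need re-validation as the DNS traffic mix changes.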
Information security, DNS, Domain Generation Algorithm
Short URL: https://sciup.org/148329574
IDR: 148329574 | DOI: 10.31772/2712-8970-2021-22-3-414-424