Detection of information system objects interaction with DGA domains


Malware developers currently make active use of the domain generation algorithm (DGA) technique to establish communication between malware and its command-and-control (C2) servers. Generating domain names according to a given algorithm lets the malware bypass the blacklists of information-protection tools, rendering blacklisting ineffective, and establish a channel for receiving control commands and parameters and for transferring information from the information system to external resources controlled by the attackers. New approaches to detecting DGA-generated domain names in an information system's DNS traffic are therefore needed. In this research the authors developed a machine-learning-based solution for detecting interaction between information system objects and DGA domains. Detection proceeds in two stages. In the first stage, a classification task is solved for each DNS name in the information system's overall DNS stream. In the second stage, for each DNS name classified as DGA, the corresponding DNS query is enriched with data from external sources, a final decision is made on whether the request to resolve that DNS name is malicious, and the security administrator is then notified by e-mail. The paper describes the development of the machine-learning classifier, defines the input data of a DNS name required for classification, and presents the results of training the classifier on a representative set of test data. The logic for deciding that a DNS request is malicious is substantiated. The developed solution was tested on an experimental stand. Recommendations for keeping the classifier operating correctly are proposed.
Applying the developed solution makes a posteriori (after-the-fact) detection possible of communication between malware running on compromised objects of the information system and the attackers' command-and-control servers.
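The two-stage scheme described in the abstract, as an added example that is not the authors' classifier or code: stage 1 computes lexical features of the registrable label of each queried name (length, Shannon entropy, vowel and digit ratios, longest consonant run) and applies a threshold rule that stands in for the trained model; stage 2 enriches every name stage 1 flags with the DNS response code from the stream, a registration-age lookup standing in for WHOIS or passive DNS, and an allow list, and only then decides whether to alert. The DNS log lines, the allow list, the domain ages and the thresholds are all constructed for the example; the label extraction assumes a one-label TLD (no public suffix list), so names under suffixes such as co.uk would be mishandled.

```python
"""Two-stage DGA detection over a DNS query stream (added illustration).
Stage 1: lexical classification of the registrable label.
Stage 2: enrichment and final verdict for names stage 1 flagged."""
import math
from collections import Counter
from dataclasses import dataclass

VOWELS = set("aeiou")

# Constructed DNS stream, not taken from the paper: (client, qname, rcode).
SAMPLE_DNS_LOG = [
    ("10.0.0.12", "www.example.com", "NOERROR"),
    ("10.0.0.12", "xkq7v2pw9mzd3hlt.net", "NXDOMAIN"),
    ("10.0.0.35", "a1b2c3d4e5f60718.info", "NXDOMAIN"),
    ("10.0.0.35", "login.microsoft.com", "NOERROR"),
    ("10.0.0.40", "zqxkvtmpnrwls.com", "NOERROR"),
]

# Constructed enrichment data standing in for allow lists and WHOIS/passive DNS.
ALLOW_LIST = {"zqxkvtmpnrwls.com"}  # hypothetical vetted vendor with a DGA-looking name
DOMAIN_AGE_DAYS = {"example.com": 9000, "microsoft.com": 10000, "zqxkvtmpnrwls.com": 2000}


def registered_domain(qname):
    """Last two labels; assumption: single-label TLD, no public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def registrable_label(qname):
    """The label DGAs actually generate: the one just left of the TLD."""
    return registered_domain(qname).split(".")[0]


def shannon_entropy(s):
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def max_consonant_run(s):
    run = best = 0
    for ch in s:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def lexical_features(qname):
    """Stage-1 input vector for one DNS name (feature set is an assumption)."""
    label = registrable_label(qname)
    n = max(len(label), 1)
    return {
        "length": len(label),
        "entropy": shannon_entropy(label),
        "vowel_ratio": sum(c in VOWELS for c in label) / n,
        "digit_ratio": sum(c.isdigit() for c in label) / n,
        "max_consonant_run": max_consonant_run(label),
    }


def stage1_is_dga(features, min_indicators=2):
    """Threshold rule standing in for the trained classifier (assumed cut-offs)."""
    indicators = [
        features["entropy"] >= 3.5,
        features["vowel_ratio"] < 0.2,
        features["digit_ratio"] > 0.3,
        features["max_consonant_run"] >= 5,
        features["length"] >= 12,
    ]
    return sum(indicators) >= min_indicators


@dataclass
class Verdict:
    client: str
    qname: str
    stage1_dga: bool
    malicious: bool
    reason: str


def stage2_decide(client, qname, rcode):
    """Enrich a stage-1 hit and decide whether the resolution request is malicious."""
    flagged = stage1_is_dga(lexical_features(qname))
    if not flagged:
        return Verdict(client, qname, False, False, "stage1: lexically benign")
    domain = registered_domain(qname)
    if domain in ALLOW_LIST:
        return Verdict(client, qname, True, False, "stage2: on allow list")
    if rcode == "NXDOMAIN":  # unregistered candidates are typical of DGA sweeps
        return Verdict(client, qname, True, True, "stage2: DGA-like name, NXDOMAIN")
    age = DOMAIN_AGE_DAYS.get(domain)
    if age is None or age < 30:  # freshly registered or unknown to enrichment sources
        return Verdict(client, qname, True, True, "stage2: DGA-like name, new/unknown registration")
    return Verdict(client, qname, True, False, "stage2: established, resolving domain")


def alerts(log):
    """Verdicts that would be mailed to the security administrator."""
    return [stage2_decide(*rec) for rec in log if stage2_decide(*rec).malicious]


def alert_message(v):
    return f"[DGA] client {v.client} queried {v.qname}: {v.reason}"


if __name__ == "__main__":
    for v in alerts(SAMPLE_DNS_LOG):
        print(alert_message(v))
```

Stage 2 is what keeps the e-mail channel usable: a purely lexical model will flag legitimately odd names (CDN hostnames, vendor domains), so the enrichment step, not the classifier, should have the last word, and the allow list and age lookup need the same upkeep the abstract's recommendations describe for the classifier itself.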


Keywords: information security, DNS, domain generation algorithm (DGA)

Short address: https://sciup.org/148323908

IDR: 148323908   |   DOI: 10.31772/2712-8970-2021-22-3-414-424

Research article