Detection of Algorithmically Generated Domain Names in Botnets

D 2020

Detection of Algorithmically Generated Domain Names in Botnets

VISHWAKARMA, Deepak Kumar, Ashutosh BHATIA and Zdeněk ŘÍHA

Basic information

Original name

Detection of Algorithmically Generated Domain Names in Botnets

Name in Czech

Detekce algoritmicky generovaných doménových jmen v botnetech

Authors

VISHWAKARMA, Deepak Kumar (356 India), Ashutosh BHATIA (356 India) and Zdeněk ŘÍHA (203 Czech Republic, belonging to the institution)

Edition

Cham, Switzerland, Advanced Information Networking and Applications, AINA 2019, p. 1279-1290, 12 pp. 2020

Publisher

Springer Nature Switzerland

Other information

Language

English

Type of outcome

Stať ve sborníku

Field of Study

10201 Computer sciences, information science, bioinformatics

Country of publisher

Switzerland

Confidentiality degree

není předmětem státního či obchodního tajemství

Publication form

printed version "print"

RIV identification code

RIV/00216224:14330/20:00113963

Organization unit

Faculty of Informatics

ISBN

978-3-030-15031-0

ISSN

DOI

http://dx.doi.org/10.1007/978-3-030-15032-7_107

Keywords in English

Domain name system; Domain generations algorithms; Botnets; Command and control servers

Abstract

V originále

Botnets pose a major threat to the information security of organizations and individuals. The bots (malware infected hosts) receive commands and updates from the Command and Control (C&C) servers, and hence, contacting and communicating with these servers is an essential requirement of bots. However, once a malware is identified in the infected host, it is easy to find its C&C server and block it, if the domain names of the servers are hard-coded in the malware. To counter such detection, many malwares families use probabilistic algorithms known as domain generation algorithms (DGAs) to generate domain names for the C&C servers. This makes it difficult to track down the C&C servers of the Botnet even after the malware is identified. In this paper, we propose a probabilistic approach for the identification of domain names which are likely to be generated by a malware using DGA. The proposed solution is based on the hypothesis that human generated domain names are usually inspired by the words from a particular language (say English), whereas DGA generated domain names should contain random sub-strings in it. Results show that the percentage of false negatives in the detection of DGA generated domain names using the proposed method is less than 29% across 30 DGA families considered by us in our experimentation.

Links

GA102/06/0711, research and development project

Name: Kryptografické generátory náhodných a pseudonáhodných čísel

Investor: Czech Science Foundation, Cryptographic random and pseudo-random number generators

Citovat

VISHWAKARMA, Deepak Kumar, Ashutosh BHATIA and Zdeněk ŘÍHA. Detection of Algorithmically Generated Domain Names in Botnets. In Leonard Barolli, Makoto Takizawa, Fatos Xhafa, Tomoya Enokido. Advanced Information Networking and Applications, AINA 2019. Cham, Switzerland: Springer Nature Switzerland, 2020, p. 1279-1290. ISBN 978-3-030-15031-0. Available from: https://dx.doi.org/10.1007/978-3-030-15032-7_107.

@inproceedings{1520636,
   author = {Vishwakarma, Deepak Kumar and Bhatia, Ashutosh and Říha, Zdeněk},
   address = {Cham, Switzerland},
   booktitle = {Advanced Information Networking and Applications, AINA 2019},
   doi = {http://dx.doi.org/10.1007/978-3-030-15032-7_107},
   editor = {Leonard Barolli, Makoto Takizawa, Fatos Xhafa, Tomoya Enokido},
   keywords = {Domain name system; Domain generations algorithms; Botnets; Command and control servers},
   howpublished = {tištěná verze "print"},
   language = {eng},
   location = {Cham, Switzerland},
   isbn = {978-3-030-15031-0},
   pages = {1279-1290},
   publisher = {Springer Nature Switzerland},
   title = {Detection of Algorithmically Generated Domain Names in Botnets},
   year = {2020}
}

TY  - JOUR
ID  - 1520636
AU  - Vishwakarma, Deepak Kumar - Bhatia, Ashutosh - Říha, Zdeněk
PY  - 2020
TI  - Detection of Algorithmically Generated Domain Names in Botnets
PB  - Springer Nature Switzerland
CY  - Cham, Switzerland
SN  - 9783030150310
KW  - Domain name system
KW  - Domain generations algorithms
KW  - Botnets
KW  - Command and control servers
N2  - Botnets pose a major threat to the information security of organizations and individuals. The bots (malware infected hosts) receive commands and updates from the Command and Control (C&C) servers, and hence, contacting and communicating with these servers is an essential requirement of bots. However, once a malware is identified in the infected host, it is easy to find its C&C server and block it, if the domain names of the servers are hard-coded in the malware. To counter such detection, many malwares families use probabilistic algorithms known as domain generation algorithms (DGAs) to generate domain names for the C&C servers. This makes it difficult to track down the C&C servers of the Botnet even after the malware is identified. In this paper, we propose a probabilistic approach for the identification of domain names which are likely to be generated by a malware using DGA. The proposed solution is based on the hypothesis that human generated domain names are usually inspired by the words from a particular language (say English), whereas DGA generated domain names should contain random sub-strings in it. Results show that the percentage of false negatives in the detection of DGA generated domain names using the proposed method is less than 29% across 30 DGA families considered by us in our experimentation.
ER  -

VISHWAKARMA, Deepak Kumar, Ashutosh BHATIA and Zdeněk ŘÍHA. Detection of Algorithmically Generated Domain Names in Botnets. In Leonard Barolli, Makoto Takizawa, Fatos Xhafa, Tomoya Enokido. \textit{Advanced Information Networking and Applications, AINA 2019}. Cham, Switzerland: Springer Nature Switzerland, 2020, p.~1279-1290. ISBN~978-3-030-15031-0. Available from: https://dx.doi.org/10.1007/978-3-030-15032-7\_{}107.

Detailed Information on Publication Record