From Real Malicious Domains to Possible False Positives in DGA Domain Detection

Haleh Shahzad, A. Sattar, Janahan Skandaraniyam
Published in: 2021 IEEE 13th International Conference on Computer Research and Development (ICCRD), 2021-01-05
DOI: 10.1109/ICCRD51685.2021.9386658 (https://doi.org/10.1109/ICCRD51685.2021.9386658)
Citations: 0

Abstract

Various families of malware use domain generation algorithms (DGAs) to generate a large number of pseudo-random domain names through which to reach malicious command-and-control (C&C) servers. These domain names are used to evade domain-based security detection and mitigation controls such as firewall controls. Existing prevalent techniques for detecting DGA domains, such as reverse engineering malware samples and statistical analysis, are time consuming, can be easily circumvented by attackers, and need contextual information that is not easily or feasibly obtained. Because of this, the use of machine learning and deep learning techniques to detect DGA domains has attracted significant interest in the cyber security and analytics communities. The ultimate goal is to detect DGA domains on a per-domain basis using the domain name only, with no additional information. As with all techniques, there is the possibility of false positives: valid domains being detected as DGA domains. This paper explores the use cases that can result in false positives for DGA domain detection based on machine learning and deep learning techniques, and how such use cases, if not specifically addressed within an automated system, model or technique, can also be used as attack vectors by attackers using DGA domains.