The More, the Better: A Study on Collaborative Machine Learning for DGA Detection

Arthur Drichel, Benedikt Holmes, Justus von Brandt, U. Meyer
Published in: Proceedings of the 3rd Workshop on Cyber-Security Arms Race, 2021-09-24
DOI: 10.1145/3474374.3486915 (https://doi.org/10.1145/3474374.3486915)
Citations: 2

Abstract

Domain generation algorithms (DGAs) prevent the connection between a botnet and its master from being blocked by generating a large number of domain names. Promising single-data-source approaches have been proposed for separating benign from DGA-generated domains. Collaborative machine learning (ML) can be used in order to enhance a classifier's detection rate, reduce its false positive rate (FPR), and to improve the classifier's generalization capability to different networks. In this paper, we complement the research area of DGA detection by conducting a comprehensive collaborative learning study, including a total of 13,440 evaluation runs. In two real-world scenarios we evaluate a total of eleven different variations of collaborative learning using three different state-of-the-art classifiers. We show that collaborative ML can lead to a reduction in FPR by up to 51.7%. However, while collaborative ML is beneficial for DGA detection, not all approaches and classifier types profit equally. We round up our comprehensive study with a thorough discussion of the privacy threats implicated by the different collaborative ML approaches.