Computer Science and Information Systems 2022 Volume 19, Issue 1, Pages: 205-227
https://doi.org/10.2298/CSIS210104046S
Applied machine learning in recognition of DGA domain names
Štampar Miroslav (SekuriPy LLC, Zagreb, Croatia), miroslav.stampar@sekuripy.hr
Fertalj Krešimir (Faculty of Electrical Engineering and Computing, Zagreb, Croatia), kresimir.fertalj@fer.hr
Recognition of domain names generated by domain generation algorithms (DGAs) is the essential part of malware detection by inspection of network traffic. Besides basic heuristics (HE) and limited detection based on blacklists, the most promising course seems to be machine learning (ML). There is a lack of studies that extensively compare different ML models in the field of DGA binary classification, including both conventional and deep learning (DL) representatives. Also, those few that exist are either focused on a small set of models, use a poor set of features in ML models or fail to secure unbiased independence between training and evaluation samples. To overcome these limitations, we engineered a robust feature set, and accordingly trained and evaluated 14 ML, 9 DL, and 2 comparative models on two independent datasets. Results show that if ML features are properly engineered, there is a marginal difference in overall score between top ML and DL representatives. This paper represents the first attempt to neutrally compare the performance of many different models for the recognition of DGA domain names, where the best models perform as well as the top representatives from the literature.
Keywords: domain generation algorithm, binary classification, supervised machine learning, deep learning, blind evaluation
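The abstract contrasts a basic heuristic (HE) detector with feature-engineered ML models evaluated on independent datasets. As an added illustration, and not the paper's own feature set or code, the Python below extracts a handful of lexical features from the label a DGA would actually generate, applies a hand-tuned heuristic of the HE kind, and counts confusion-matrix cells over a constructed labelled sample. The two-label public-suffix list, every threshold, and all sample domains are assumptions chosen for this example.

```python
import math
from collections import Counter

# Hypothetical, deliberately tiny list of two-label public suffixes so that the
# generated label is picked correctly for names such as example.co.uk.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}
VOWELS = set("aeiou")


def generated_label(domain):
    """Return the label a DGA would produce: the one left of the public suffix.
    Leading subdomains (www.) and the TLD are discarded before feature extraction."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in TWO_LABEL_SUFFIXES:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(text):
    """Bits per character; 0.0 for an empty or single-symbol string."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def longest_consonant_run(text):
    """Length of the longest run of non-vowel letters (digits break the run)."""
    best = run = 0
    for ch in text:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def extract_features(domain):
    """Lexical feature vector for one domain name (illustrative feature choice)."""
    label = generated_label(domain)
    n = len(label)
    letters = [ch for ch in label if ch.isalpha()]
    return {
        "length": n,
        "entropy": shannon_entropy(label),
        "vowel_ratio": sum(ch in VOWELS for ch in letters) / len(letters) if letters else 0.0,
        "digit_ratio": sum(ch.isdigit() for ch in label) / n if n else 0.0,
        "unique_ratio": len(set(label)) / n if n else 0.0,
        "longest_consonant_run": longest_consonant_run(label),
        "hyphen_count": label.count("-"),
    }


def heuristic_score(features):
    """Count how many hand-picked thresholds the label trips (HE baseline).
    The thresholds are assumptions for this example, not values from the paper."""
    score = 0
    score += features["entropy"] > 3.5
    score += features["vowel_ratio"] < 0.25
    score += features["digit_ratio"] > 0.2
    score += features["longest_consonant_run"] >= 5
    score += features["length"] >= 16
    return int(score)


def is_probably_dga(domain, threshold=2):
    return heuristic_score(extract_features(domain)) >= threshold


def evaluate(labelled_domains, threshold=2):
    """Confusion counts over (domain, is_dga) pairs, as a blind-evaluation helper."""
    tp = fp = fn = tn = 0
    for domain, is_dga in labelled_domains:
        predicted = is_probably_dga(domain, threshold)
        if predicted and is_dga:
            tp += 1
        elif predicted and not is_dga:
            fp += 1
        elif not predicted and is_dga:
            fn += 1
        else:
            tn += 1
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn}


# Constructed sample set: a few benign-looking and a few random-looking labels.
SAMPLE = [
    ("google.com", False),
    ("wikipedia.org", False),
    ("www.example.co.uk", False),
    ("qwxzkrtbvnplmsdfgh.com", True),
    ("xk3j9qzp1w.net", True),
    ("a1b2c3d4e5f6.info", True),
]

if __name__ == "__main__":
    for domain, _ in SAMPLE:
        print(domain, extract_features(domain), is_probably_dga(domain))
    print(evaluate(SAMPLE))
```

The feature dictionaries returned by `extract_features` are the kind of input an ML classifier would be trained on; the threshold rule stands in for the HE baseline. Thresholds tuned on one set of DGA families tend to fit those families rather than the problem, which is why the abstract stresses evaluation on datasets independent of the training data: the same `evaluate` call run on a second, disjoint labelled set is the check that the scores are not an artifact of sample overlap.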