
Detection of Algorithmically-generated Malicious Domain Using Frequency Analysis


Affiliations
1 Cyber Operations Team, Airbus, Corsham, United Kingdom
2 School of Computing, Edinburgh Napier University, Edinburgh, United Kingdom
3 Cyber Operations Team, Airbus Group Innovations, Newport, Wales, United Kingdom
 

Malicious use and exploitation of Dynamic Domain Name Services (DDNS) capabilities poses a serious threat to the information security of organisations and businesses. In recent times, many malware writers have relied on DDNS to maintain their Command and Control (C&C) network infrastructure and to ensure a persistent presence on a compromised host. Amongst the various DDNS techniques, the Domain Generation Algorithm (DGA) is often perceived as the most elusive and the most difficult to detect using traditional methods. This paper presents an approach for detecting DGA-generated domains using frequency analysis of the character distribution and a weighted score for each domain name. The approach's feasibility is demonstrated using a range of legitimate domains and a number of malicious, algorithmically-generated domain names. When a weighted score of < 45 is applied to the Alexa one million list of domain names, only 15% of the domain names were treated as non-human generated.
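The abstract gives the idea (score a domain by how closely its characters follow the letter distribution of human-written text, then flag names below a cutoff) but not the paper's exact weighting. The following Python script is an added illustration of that technique and is not the authors' code: the English letter-frequency table is a standard reference table, the weight given to digits and hyphens, the way the score is scaled, the 45 cutoff and the sample domains are all constructed assumptions for the example. It also reports the share of a list that gets flagged, mirroring the abstract's Alexa experiment on a constructed list.

```python
"""Character-frequency scoring of domain names.

Added example illustrating the abstract's approach; not the paper's code.
The weighting, scale and cutoff below are assumptions made for this example.
"""
from __future__ import annotations

from typing import Iterable

# Relative frequency (percent) of each letter in English text. This is a
# commonly cited reference table, not a value taken from the paper.
ENGLISH_LETTER_FREQ = {
    "a": 8.167, "b": 1.492, "c": 2.782, "d": 4.253, "e": 12.702, "f": 2.228,
    "g": 2.015, "h": 6.094, "i": 6.966, "j": 0.153, "k": 0.772, "l": 4.025,
    "m": 2.406, "n": 6.749, "o": 7.507, "p": 1.929, "q": 0.095, "r": 5.987,
    "s": 6.327, "t": 9.056, "u": 2.758, "v": 0.978, "w": 2.360, "x": 0.150,
    "y": 1.974, "z": 0.074,
}

# Constructed weight for characters outside the letter table (digits, hyphens,
# anything else): legal in hostnames but rare in human-chosen names, so they
# pull the score down without zeroing it.
NON_LETTER_WEIGHT = 0.5

# Constructed cutoff on this example's scale. It echoes the "< 45" figure in
# the abstract but is NOT the paper's calibrated threshold.
HUMAN_THRESHOLD = 45.0


def registrable_part(domain: str) -> str:
    """Return the characters to score: every label except the last (the TLD),
    lower-cased, with a leading 'www.' dropped. Multi-part public suffixes such
    as co.uk are not special-cased; this is a simplification."""
    d = domain.strip().lower().rstrip(".")
    if d.startswith("www."):
        d = d[4:]
    labels = [lab for lab in d.split(".") if lab]
    body = labels[:-1] if len(labels) > 1 else labels
    return "".join(body)


def score(domain: str) -> float:
    """Weighted score = 10 * mean per-character English letter frequency.

    Names built from common letters (e, t, a, o, i, n ...) score high;
    names dominated by rare letters, digits or hyphens score low. A string of
    uniformly random letters averages about 38 on this scale, so it falls
    below the constructed cutoff of 45."""
    chars = registrable_part(domain)
    if not chars:
        return 0.0
    total = sum(ENGLISH_LETTER_FREQ.get(c, NON_LETTER_WEIGHT) for c in chars)
    return 10.0 * total / len(chars)


def is_human_like(domain: str, threshold: float = HUMAN_THRESHOLD) -> bool:
    """True when the score reaches the cutoff, i.e. the name looks human-chosen."""
    return score(domain) >= threshold


def flag_rate(domains: Iterable[str], threshold: float = HUMAN_THRESHOLD) -> float:
    """Percentage of the given domains that score below the cutoff and would
    therefore be treated as algorithmically generated."""
    names = list(domains)
    if not names:
        return 0.0
    flagged = sum(1 for d in names if not is_human_like(d, threshold))
    return 100.0 * flagged / len(names)


# Constructed sample input: three human-looking names and three that imitate
# the letter/digit soup typical of algorithmically generated names.
SAMPLE_DOMAINS = [
    "google.com",
    "wikipedia.org",
    "mail.example.co.uk",
    "xkqzwvj.net",
    "a1b2c3d4.info",
    "3f9a2c1e.com",
]

if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        verdict = "human-like" if is_human_like(d) else "FLAGGED"
        print(f"{d:22} score={score(d):6.2f}  {verdict}")
    print(f"flagged: {flag_rate(SAMPLE_DOMAINS):.1f}% of {len(SAMPLE_DOMAINS)} names")
```

Run over a real resolver or proxy log, the useful output is not the per-name verdict but the flag rate over time per client: a host whose queries suddenly contain many low-scoring names is the signal worth investigating, and the cutoff should be calibrated on the organisation's own benign traffic rather than reused from this example.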

Keywords

Domain Generation Algorithm, DGA, Malicious Domain Names, Domain Name Frequency Analysis, Malicious DNS.

Authors

Enoch Agyepong
Cyber Operations Team, Airbus, Corsham, United Kingdom
William J. Buchanan
School of Computing, Edinburgh Napier University, Edinburgh, United Kingdom
Kevin Jones
Cyber Operations Team, Airbus Group Innovations, Newport, Wales, United Kingdom
