
Detection of Algorithmically-generated Malicious Domain Using Frequency Analysis



Abstract

Malicious use and exploitation of Dynamic Domain Name Service (DDNS) capabilities poses a serious threat to the information security of organisations and businesses. In recent years many malware authors have relied on DDNS to maintain their Command and Control (C&C) infrastructure and to ensure a persistent presence on a compromised host. Amongst the various DDNS techniques, the Domain Generation Algorithm (DGA) is often regarded as the most elusive and the most difficult to detect with traditional methods. This paper presents an approach for detecting DGA domains using frequency analysis of the character distribution of domain names together with a weighted score per domain. The approach's feasibility is demonstrated on a range of legitimate domains and a number of malicious, algorithmically-generated domain names. When a weighted-score threshold of less than 45 is applied to the Alexa top one million list of domain names, only 15% of those domains are flagged as non-human-generated (the false-positive rate on a list that is assumed to be legitimate).
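The following is an added illustration of the technique the abstract describes, not the authors' own code or scoring scheme: each domain's registrable label is scored by the mean English-letter frequency of its characters, and labels scoring below a threshold are flagged as non-human-generated. The frequency table (approximate, classic English letter percentages), the scaling to a 0..100 score, the threshold of 35, the stub list of multi-label public suffixes and the sample domains are all assumptions made for this example; the "DGA-like" strings are invented and are not taken from any real malware family. The `flagged_fraction` helper generalises the paper's evaluation step: run over a list believed to be legitimate it yields the false-positive rate, run over known DGA output it yields the detection rate.

```python
"""Letter-frequency weighted scoring of domain labels.

Added illustration, not the paper's code: the frequency table, the scoring
formula, the threshold and the sample domains below are assumptions made
for this example.
"""

# Approximate relative frequency (percent) of each letter in English text.
ENGLISH_FREQ = {
    "e": 12.7, "t": 9.1, "a": 8.2, "o": 7.5, "i": 7.0, "n": 6.7, "s": 6.3,
    "h": 6.1, "r": 6.0, "d": 4.3, "l": 4.0, "c": 2.8, "u": 2.8, "m": 2.4,
    "w": 2.4, "f": 2.2, "g": 2.0, "y": 2.0, "p": 1.9, "b": 1.5, "v": 1.0,
    "k": 0.8, "j": 0.15, "x": 0.15, "q": 0.10, "z": 0.07,
}
MAX_FREQ = max(ENGLISH_FREQ.values())  # weight of "e"; scores scaled so "e" == 100

# Assumed decision threshold on the 0..100 score. Labels scoring below it are
# treated as non-human-generated. Tune it on your own traffic.
THRESHOLD = 35.0

# Assumed stub of multi-label public suffixes so that "bbc.co.uk" yields the
# label "bbc". A real deployment should consult the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.jp", "co.nz"}


def second_level_label(fqdn: str) -> str:
    """Return the registrable label of a name ("google" for "www.google.com")."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return labels[-3]
    if len(labels) >= 2:
        return labels[-2]
    return labels[0]


def weighted_score(label: str) -> float:
    """Mean English-letter frequency of the label, scaled to 0..100.

    Digits and hyphens are not in the table and therefore count as weight 0,
    which pushes digit-heavy labels towards the suspect side.
    """
    if not label:
        return 0.0
    total = sum(ENGLISH_FREQ.get(ch, 0.0) for ch in label)
    return 100.0 * (total / len(label)) / MAX_FREQ


def is_suspect(fqdn: str, threshold: float = THRESHOLD) -> bool:
    """True when the registrable label scores below the threshold."""
    return weighted_score(second_level_label(fqdn)) < threshold


def flagged_fraction(domains, threshold: float = THRESHOLD) -> float:
    """Fraction of the given domains that the score flags as suspect.

    Over a list believed to be legitimate this is the false-positive rate;
    over known DGA output it is the detection rate.
    """
    if not domains:
        return 0.0
    return sum(is_suspect(d, threshold) for d in domains) / len(domains)


# Constructed sample input. The legitimate names are well-known sites; the
# DGA-like strings are invented for this example, not real malware output.
LEGIT_SAMPLE = [
    "www.google.com", "wikipedia.org", "microsoft.com", "amazon.com",
    "twitter.com", "github.com", "bbc.co.uk",
]
DGA_SAMPLE = ["dnyhubzl.net", "kq3vx9zjwt.com", "gqwbzkvjxp.info", "uzdfovxqak.org"]


if __name__ == "__main__":
    for fqdn in LEGIT_SAMPLE + DGA_SAMPLE:
        label = second_level_label(fqdn)
        verdict = "SUSPECT" if is_suspect(fqdn) else "ok"
        print(f"{fqdn:20} {label:12} {weighted_score(label):6.1f}  {verdict}")
    print(f"false-positive rate on legit sample: {flagged_fraction(LEGIT_SAMPLE):.2f}")
    print(f"detection rate on DGA-like sample:   {flagged_fraction(DGA_SAMPLE):.2f}")
```

Running the script shows the characteristic weakness of a pure letter-frequency score: the invented random labels all fall well below the threshold, but the short brand label "bbc" (three low-frequency letters) is flagged too. Short or consonant-heavy brand names are exactly the kind of legitimate domain that produces the residual false positives the abstract reports on the Alexa list, so in practice the score is best combined with an allow-list or with further features (label length, digit ratio, NXDOMAIN rate per client) before it drives an alert.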

Keywords

Domain Generation Algorithm, DGA, Malicious Domain Names, Domain Name Frequency Analysis, Malicious DNS.



Authors

Enoch Agyepong
Cyber Operations Team, Airbus, Corsham, United Kingdom
William J. Buchanan
School of Computing, Edinburgh Napier University, Edinburgh, United Kingdom
Kevin Jones
Cyber Operations Team, Airbus Group Innovations, Newport, Wales, United Kingdom
