A Superficial Analysis Approach for Identifying Malicious Domain Names Generated by DGA Malware
IEEE Open Journal of the Communications Society (IF 6.3), Pub Date: 2020-11-17, DOI: 10.1109/ojcoms.2020.3038704
Akihiro Satoh , Yutaka Fukuda , Toyohiro Hayashi , Gen Kitagata

Some of the most serious security threats facing computer networks involve malware. To prevent malware-related damage, administrators must swiftly identify and remove the infected machines that may reside in their networks. However, many malware families have domain generation algorithms (DGAs) to avoid detection. A DGA is a technique in which the domain name is changed frequently to hide the callback communication from the infected machine to the command-and-control server. In this article, we propose an approach for estimating the randomness of domain names by superficially analyzing their character strings. This approach is based on the following observations: human-generated benign domain names tend to reflect the intent of their domain registrants, such as an organization, product, or content. In contrast, dynamically generated malicious domain names consist of meaningless character strings because conflicts with already registered domain names must be avoided; hence, there are discernible differences in the strings of dynamically generated and human-generated domain names. Notably, our approach does not require any prior knowledge about DGAs. Our evaluation indicates that the proposed approach is capable of achieving recall and precision as high as 0.9960 and 0.9029, respectively, when used with labeled datasets. Additionally, this approach has proven to be highly effective for datasets collected via a campus network. Thus, these results suggest that malware-infected machines can be swiftly identified and removed from networks using DNS queries for detected malicious domains as triggers.
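Added illustration of the observation the abstract rests on (not the authors' method; the paper's actual features are not described here): a character-bigram model trained on a constructed list of benign second-level labels scores how "human-like" a domain label is, so labels made of character pairs never seen in benign names score low. The corpus, the smoothing constant, the threshold and the naive TLD-stripping rule are all assumptions.

```python
import math
from collections import Counter

# Constructed toy stand-in for a benign registered-domain list.
BENIGN_CORPUS = [
    "google", "wikipedia", "microsoft", "amazon", "github", "stackoverflow",
    "university", "library", "research", "network", "security", "campus",
    "mail", "cloud", "service", "online", "store", "news", "media", "sport",
]
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-"
ALPHA = 0.1  # additive smoothing: unseen pairs get a small non-zero probability

def train_bigrams(labels):
    """Count character pairs and preceding characters over the corpus."""
    pairs, heads = Counter(), Counter()
    for label in labels:
        for a, b in zip(label, label[1:]):
            pairs[a + b] += 1
            heads[a] += 1
    return pairs, heads

PAIRS, HEADS = train_bigrams(BENIGN_CORPUS)

def registrable_label(domain):
    """Label left of the TLD; assumes a plain TLD (no public-suffix list)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def bigram_loglik(label):
    """Mean log P(next char | previous char) under the smoothed benign model."""
    if len(label) < 2:
        return 0.0
    total = 0.0
    for a, b in zip(label, label[1:]):
        p = (PAIRS[a + b] + ALPHA) / (HEADS[a] + ALPHA * len(ALPHABET))
        total += math.log(p)
    return total / (len(label) - 1)

def char_entropy(label):
    """Shannon entropy in bits; a weak cue on short labels, kept as secondary."""
    n, counts = len(label), Counter(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def assess(domain, threshold=-3.0):
    """Flag a domain whose label reads as 'meaningless' under the benign model."""
    label = registrable_label(domain)
    ll = bigram_loglik(label)
    return {"label": label, "bigram_loglik": round(ll, 3),
            "entropy_bits": round(char_entropy(label), 3),
            "suspicious": ll < threshold}
```

With this tiny corpus, a benign label absent from training can still be flagged; a real deployment needs a large benign corpus and a threshold tuned on labelled data, which is exactly the recall/precision trade-off the abstract reports.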

Updated: 2020-12-12