Exploiting statistical and structural features for the detection of Domain Generation Algorithms
Journal of Information Security and Applications (IF 3.8), Pub Date: 2021-01-12, DOI: 10.1016/j.jisa.2020.102725
Constantinos Patsakis, Fran Casino

Nowadays, malware campaigns have reached a high level of sophistication, thanks to the use of cryptography and covert communication channels over traditional protocols and services. In this regard, a typical approach to evading botnet identification and takedown mechanisms is domain fluxing via Domain Generation Algorithms (DGAs). These algorithms produce an overwhelming number of domain names that the infected device tries to contact in order to find the Command and Control server, yet only a small fraction of them is actually registered. Due to the high number of domain names, the blacklisting approach is rendered useless, and the botmaster may pivot the control infrastructure dynamically and hinder botnet detection mechanisms. To counter this problem, many security mechanisms rely on identifying DGA-generated domains by the randomness of their names.

In this work, we explore hard-to-detect families of DGAs, as they are constructed to bypass these mechanisms. More precisely, they are based on the use of dictionaries or adversarial approaches, so that the generated domains seem to be user-generated. Therefore, the corresponding generated domains pass many filters that look for, e.g., high-entropy strings or n-grams. To address this challenge, we propose an accurate and efficient probabilistic approach to detect them. We test and validate the proposed solution through extensive experiments with a sound dataset containing all the wordlist-based DGA families that exhibit this behaviour, as well as several adversarial DGAs, and compare it with other state-of-the-art methods, showing in practice the efficacy and prevalence of our proposal.
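As an added illustration (not the paper's method, code or dataset), the following Python shows why a per-character entropy filter misses a wordlist-based DGA label while flagging a benign one, and one structural feature, the fraction of a label that can be segmented into dictionary words, that exposes the wordlist composition; the mini wordlist, thresholds and sample domains are constructed for the example.

```python
# Added example: entropy heuristic vs. a structural dictionary-coverage feature
# for wordlist-based DGA labels. WORDLIST and sample domains are constructed.
import math
from collections import Counter

# Constructed mini-dictionary standing in for the wordlist a DGA could draw from.
WORDLIST = {"secure", "cloud", "mail", "report", "weather", "garden", "stone",
            "light", "river", "update", "bank", "news", "photo", "share"}


def shannon_entropy(label: str) -> float:
    """Bits of Shannon entropy per character of a label (classic DGA heuristic)."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dictionary_coverage(label: str, words=WORDLIST) -> float:
    """Fraction of the label covered by the best segmentation into dictionary
    words (dynamic programming over prefixes; uncovered characters count 0)."""
    n = len(label)
    best = [0] * (n + 1)            # best[i] = max covered chars in label[:i]
    for i in range(1, n + 1):
        best[i] = best[i - 1]       # character i-1 left uncovered
        for j in range(i):
            if label[j:i] in words:
                best[i] = max(best[i], best[j] + (i - j))
    return best[n] / n if n else 0.0


def features(domain: str) -> dict:
    """Statistical (entropy) and structural (coverage) features of the 2LD label."""
    label = domain.split(".")[0]
    return {"entropy": round(shannon_entropy(label), 2),
            "coverage": round(dictionary_coverage(label), 2)}


def entropy_filter(domain: str, threshold: float = 3.4) -> bool:
    """Randomness-based rule: flag labels with high per-character entropy."""
    return shannon_entropy(domain.split(".")[0]) >= threshold


def wordlist_filter(domain: str, min_coverage: float = 0.9) -> bool:
    """Structural rule: flag labels (almost) fully composed of dictionary words."""
    return dictionary_coverage(domain.split(".")[0]) >= min_coverage


if __name__ == "__main__":
    # Constructed samples: random-looking, wordlist-style, and a benign label.
    for d in ("xk3qz9v7p2wt.com", "securecloudreport.com", "stackoverflow.com"):
        print(d, features(d), "entropy:", entropy_filter(d), "wordlist:", wordlist_filter(d))
```

Note that the random-looking and the benign label both score around 3.5 bits while the wordlist-style label scores lower, so the entropy rule alone both misses the wordlist domain and false-positives on the benign one; coverage on its own would also fire on benign compound names, which is why statistical and structural features have to be combined.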

Updated: 2021-01-13