Automatic Detection of Malware-Generated Domains with Recurrent Neural Models
Pierre Lison, Vasileios Mavroeidis

TL;DR
This paper presents a recurrent neural network-based machine learning method that effectively detects malware-generated domains, outperforming traditional blacklisting approaches by achieving high precision and recall.
Contribution
It introduces an RNN-based approach trained on domains produced by a diverse set of malware families, demonstrating high accuracy in identifying DGA-generated domains with few false positives.
Findings
F1 score of 0.971 for detecting malware-generated domains
93% detection rate at a 1:100 false positive rate
Effective against domains produced by a range of malware DGAs
Abstract
Modern malware families often rely on domain-generation algorithms (DGAs) to determine rendezvous points with their command-and-control server. Traditional defence strategies (such as blacklisting domains or IP addresses) are inadequate against such techniques due to the large and continuously changing list of domains produced by these algorithms. This paper demonstrates that a machine learning approach based on recurrent neural networks is able to detect domain names generated by DGAs with high precision. The neural models are estimated on a large training set of domains generated by various malware families. Experimental results show that this data-driven approach can detect malware-generated domain names with an F_1 score of 0.971. To put it differently, the model can automatically detect 93% of malware-generated domain names for a false positive rate of 1:100.
Taxonomy
Topics: Advanced Malware Detection Techniques · Network Security and Intrusion Detection · Anomaly Detection Techniques and Applications
