Exploiting Statistical and Structural Features for the Detection of Domain Generation Algorithms
Constantinos Patsakis, Fran Casino

TL;DR
This paper presents a probabilistic method to detect dictionary-based DGAs that mimic legitimate domains, addressing evasion tactics used by sophisticated malware campaigns.
Contribution
It introduces an accurate, efficient probabilistic approach specifically targeting dictionary-based DGAs that evade entropy-based detection methods.
Findings
Effective detection of dictionary-based DGAs demonstrated
Outperforms existing state-of-the-art methods
Validated on comprehensive dataset
Abstract
Nowadays, malware campaigns have reached a high level of sophistication, thanks to the use of cryptography and covert communication channels over traditional protocols and services. In this regard, a typical approach to evade botnet identification and takedown mechanisms is the use of domain fluxing through the use of Domain Generation Algorithms (DGAs). These algorithms produce an overwhelming amount of domain names that the infected device tries to communicate with to find the Command and Control server, yet only a small fragment of them is actually registered. Due to the high number of domain names, the blacklisting approach is rendered useless. Therefore, the botmaster may pivot the control dynamically and hinder botnet detection mechanisms. To counter this problem, many security mechanisms result in solutions that try to identify domains from a DGA based on the randomness of their…
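The abstract's point is that detectors built on the randomness of a domain's characters cannot see a dictionary-based DGA, because concatenated real words have the character distribution of a legitimate name. The following is an added illustration, not code from the paper or its authors: it applies a character-entropy rule to three groups of domains and adds one word-level feature (dictionary coverage by dynamic-programming segmentation) of the structural kind the paper argues for. All domain names, the word list and the 0.95 threshold are constructed for the example; the "DGA" names are made up and are not indicators of compromise.

```python
"""Added example (not from the paper): a character-entropy check catches
random-character DGA labels but passes dictionary-based ones, which look
like legitimate names at the character level. A word-level feature is
shown alongside it. All domains and the word list are constructed."""
import math
from collections import Counter

# Constructed samples. The "dga" names are invented for illustration and
# are not real indicators of compromise.
SAMPLE_DOMAINS = {
    "legitimate": ["weatherchannel.com", "openstreetmap.org", "bankofamerica.com"],
    "random_char_dga": ["xk7qzv3mpl2r.com", "qwpzjfhtyk.net", "v9b2n4m8c1x.org"],
    "dictionary_dga": ["brightwindowcloud.com", "silverriverpaper.net", "greenstonebridge.org"],
}

# Tiny constructed word list standing in for a real dictionary.
WORDS = frozenset("""weather channel open street map bank of america
bright window cloud silver river paper green stone bridge net win low""".split())


def second_level_label(domain):
    """Return the label left of the suffix ("bankofamerica" for
    "bankofamerica.com"). Assumes a one-label suffix for simplicity."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(s):
    """Character-level Shannon entropy of the string, in bits."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def normalized_entropy(s):
    """Entropy divided by its maximum log2(len), so labels of different
    lengths are comparable: 1.0 means every character is distinct."""
    if len(s) < 2:
        return 0.0
    return shannon_entropy(s) / math.log2(len(s))


def dictionary_segmentation(s, words=WORDS):
    """Dynamic programme over the label: maximise the number of characters
    covered by dictionary words, breaking ties with fewer words.
    Returns (coverage fraction, list of words used)."""
    n = len(s)
    # best[i] = (covered chars, -word count, words used) for prefix s[:i]
    best = [(0, 0, [])] + [None] * n
    for i in range(1, n + 1):
        best[i] = best[i - 1]                # leave character s[i-1] uncovered
        for j in range(i):
            piece = s[j:i]
            if piece in words:
                cov_j, neg_j, used_j = best[j]
                cand = (cov_j + len(piece), neg_j - 1, used_j + [piece])
                if cand[:2] > best[i][:2]:
                    best[i] = cand
    cov, _, used = best[n]
    return (cov / n if n else 0.0), used


def score_domain(domain):
    """Character-level and word-level features for one domain."""
    label = second_level_label(domain)
    coverage, used = dictionary_segmentation(label)
    return {
        "label": label,
        "entropy": shannon_entropy(label),
        "norm_entropy": normalized_entropy(label),
        "dict_coverage": coverage,
        "dict_words": used,
    }


def evaluate_samples(samples=SAMPLE_DOMAINS, threshold=0.95):
    """Apply the entropy-only rule (assumed threshold on normalised
    entropy) and report per category, with the word-level features."""
    report = {}
    for category, domains in samples.items():
        rows = []
        for d in domains:
            s = score_domain(d)
            s["flagged_by_entropy"] = s["norm_entropy"] >= threshold
            rows.append(s)
        report[category] = rows
    return report


if __name__ == "__main__":
    for category, rows in evaluate_samples().items():
        print(category)
        for r in rows:
            print(f"  {r['label']:<20} H={r['entropy']:.2f} "
                  f"H/log2(n)={r['norm_entropy']:.2f} "
                  f"flag={r['flagged_by_entropy']!s:<5} "
                  f"dict={r['dict_coverage']:.2f} {r['dict_words']}")
```

Running it shows the three random-character labels at the maximum normalised entropy of 1.0 and flagged, while the dictionary-based labels score in the same band as the legitimate ones (roughly 0.7 to 0.9) and pass the entropy rule untouched. The dictionary-coverage feature separates random-character labels from both other groups but, by itself, does not separate dictionary DGAs from legitimate names either, which is why a detector needs the further statistical and structural features (word choice, word-length and word-count distributions) that the paper studies rather than a single randomness score.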
