Intercepting Hail Hydra: Real-Time Detection of Algorithmically Generated Domains
Fran Casino, Nikolaos Lykousas, Ivan Homoliak, Constantinos Patsakis, Julio Hernandez-Castro

TL;DR
This paper presents HYDRAS, a comprehensive dataset of over 100 DGA families, and proposes a real-time detection method that outperforms existing approaches in identifying algorithmically generated malicious domains.
Contribution
The paper introduces HYDRAS, the largest dataset of DGA families, and develops a real-time detection approach that generalizes well across many families, surpassing current state-of-the-art methods.
Findings
HYDRAS dataset includes over 100 DGA families.
Proposed detection method outperforms existing techniques.
Method achieves high accuracy and efficiency in real-time detection.
Abstract
A crucial technical challenge for cybercriminals is to keep control over the potentially millions of infected devices that make up their botnets, without compromising the robustness of their attacks. A single, fixed C&C server, for example, can be trivially detected either by binary or traffic analysis and immediately sinkholed or taken down by security researchers or law enforcement. Botnets often use Domain Generation Algorithms (DGAs), primarily to evade take-down attempts. DGAs can extend the lifespan of a malware campaign, thus potentially enhancing its profitability. They can also contribute to hindering attack accountability. In this work, we introduce HYDRAS, the most comprehensive and representative dataset of Algorithmically-Generated Domains (AGD) available to date. The dataset contains more than 100 DGA families, including both real-world and adversarially designed ones.…
