Improving DGA-Based Malicious Domain Classifiers for Malware Defense with Adversarial Machine Learning

TL;DR

This paper enhances DGA-based malicious domain classifiers using LSTM with novel features, introduces adversarial techniques to generate unseen malicious domains, and proposes secure data containers to protect blacklists.

Contribution

It presents a new LSTM-based classifier with innovative feature engineering, an adversarial method to generate unseen malicious domains, and secure containers for blacklists.

Findings

LSTM classifier outperforms previous models in accuracy.

Adversarial generation of new malicious domains reveals classifier weaknesses.

Secure data containers protect blacklists from tampering.

Abstract

Domain Generation Algorithms (DGAs) are used by adversaries to establish Command and Control (C\&C) server communications during cyber attacks. Blacklists of known/identified C\&C domains are often used as one of the defense mechanisms. However, since blacklists are static and generated by signature-based approaches, they can neither keep up nor detect never-seen-before malicious domain names. Due to this shortcoming of blacklist domain checking, machine learning algorithms have been used to address the problem to some extent. However, when training is performed with limited datasets, the algorithms are likely to fail in detecting new DGA variants. To mitigate this weakness, we successfully applied a DGA-based malicious domain classifier using the Long Short-Term Memory (LSTM) method with a novel feature engineering technique. Our model's performance shows a higher level of accuracy compared to a previously reported model from prior research. Additionally, we propose a new method using adversarial machine learning to generate never-before-seen malware-related domain families that can be used to illustrate the shortcomings of machine learning algorithms in this regard. Next, we augment the training dataset with new samples such that it makes training of the machine learning models more effective in detecting never-before-seen malicious domain name variants. Finally, to protect blacklists of malicious domain names from disclosure and tampering, we devise secure data containers that store blacklists and guarantee their protection against adversarial access and modifications.