Abstract

To evade detection, botnets apply DNS domain fluxing for Command and Control (C&C) servers. With this technique, each bot generates a large number of domain names with Domain Generation Algorithms (DGAs) and the botmaster registers only one of them as the domain name of the C&C server. In this paper, we propose Helios, a DGA detection approach based on a neural language model, which exploits the word-formation of domain names to identify domain names generated by DGAs. The key insight of Helios is that domain names are composed of syllables or acronyms for easy readability, and n-grams can represent both. In Helios, we first collect common n-grams in real domain names into a dictionary, then tokenize a domain name into n-grams based on the dictionary, and finally classify the domain name as real or DGA-generated according to the tokenized result. We evaluate Helios with regard to its ability to detect domain names generated by known DGAs and to discover new DGA families. Our experimental results show that Helios is able to accurately identify domain names generated by DGAs with a precision of 96.7% and a recall of 95.2%. We also compare Helios with the state-of-the-art detection approach and find that our approach performs more effectively.
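The dictionary-then-tokenize pipeline described in the abstract can be sketched as follows. This is an added example, not code from the Helios paper. The greedy longest-match tokenizer, the coverage threshold used in place of the paper's neural language model, the sample labels and all function names are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample of benign domain labels (assumption, not the paper's data).
BENIGN_LABELS = ["facebook", "facetime", "booking", "bookstore", "notebook",
                 "google", "youtube", "netflix", "network", "mailbox"]

def build_dictionary(labels, n_min=2, n_max=4, min_labels=2):
    """Keep n-grams that occur in at least `min_labels` distinct labels."""
    counts = Counter()
    for label in labels:
        counts.update({label[i:i + n]
                       for n in range(n_min, n_max + 1)
                       for i in range(len(label) - n + 1)})
    return {gram for gram, seen in counts.items() if seen >= min_labels}

def tokenize(label, dictionary, n_max=4):
    """Greedy longest-match split; unmatched characters become 1-char tokens."""
    tokens, i = [], 0
    while i < len(label):
        for n in range(min(n_max, len(label) - i), 1, -1):
            if label[i:i + n] in dictionary:
                tokens.append(label[i:i + n])
                i += n
                break
        else:  # no dictionary n-gram starts at this position
            tokens.append(label[i])
            i += 1
    return tokens

def coverage(label, dictionary):
    """Fraction of characters covered by dictionary n-grams (0.0 if empty)."""
    if not label:
        return 0.0
    tokens = tokenize(label, dictionary)
    return sum(len(t) for t in tokens if len(t) > 1) / len(label)

def looks_generated(domain, dictionary, threshold=0.5):
    """Stand-in decision rule (not the paper's classifier); leftmost label only."""
    label = domain.lower().rstrip(".").split(".")[0]
    return coverage(label, dictionary) < threshold

DICTIONARY = build_dictionary(BENIGN_LABELS)

if __name__ == "__main__":
    for name in ["bookface.net", "xqzvkjwpt.com"]:  # constructed test names
        label = name.split(".")[0]
        print(name, tokenize(label, DICTIONARY), looks_generated(name, DICTIONARY))
```

A label built from common word fragments tokenizes into a few long n-grams, while a random-looking label falls apart into single characters. That difference in the tokenized result is the signal a classifier can learn from.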
