Abstract

Much malware communicates with C&C (Command and Control) servers to download resources for malicious actions or to receive the commands for the attacks it is meant to carry out. To do so, the malware must learn the C&C servers' IP addresses. Rather than embedding hard-coded IP addresses, which ease analysis and detection, malware usually resolves them at run time by sending domain names to DNS (Domain Name System) servers. In this process, malware commonly uses a DGA (Domain Generation Algorithm) to conceal the C&C domain names and to make blocking the servers or their domains difficult. Although DGA techniques have been studied extensively, most previous work analyzes the domain names a DGA produces, focusing on characteristics of the strings themselves. Such string-based methods struggle to detect domain names produced by DGAs built on less conventional criteria. In this paper, we depart from the existing focus on the domain name alone and instead detect DGA-based malware from the values of the flags carried in the DNS communication.
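The detection principle described above, as an added, illustrative example that is not part of the paper. The abstract does not say which DNS flags or thresholds the authors use, so this example assumes the flag most practitioners would start with: the RCODE field of the response header, counting NXDOMAIN answers per client, since an infected host iterating through DGA candidates mostly queries names that do not resolve. The client addresses, header bytes, query counts and thresholds are all constructed here; the header layout itself follows RFC 1035.

```python
import struct
from collections import defaultdict
from dataclasses import dataclass

# RFC 1035 response codes we care about; 3 (NXDOMAIN) is the DGA signal used here.
RCODE_NXDOMAIN = 3


@dataclass(frozen=True)
class DnsHeader:
    txid: int
    qr: bool       # 1 = response, 0 = query
    opcode: int
    aa: bool       # authoritative answer
    tc: bool       # truncated
    rd: bool       # recursion desired
    ra: bool       # recursion available
    rcode: int     # 0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN, 5 REFUSED, ...
    qdcount: int
    ancount: int
    nscount: int
    arcount: int


def parse_header(msg: bytes) -> DnsHeader:
    """Decode the fixed 12-byte DNS header (RFC 1035 section 4.1.1)."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return DnsHeader(
        txid=txid,
        qr=bool((flags >> 15) & 1),
        opcode=(flags >> 11) & 0xF,
        aa=bool((flags >> 10) & 1),
        tc=bool((flags >> 9) & 1),
        rd=bool((flags >> 8) & 1),
        ra=bool((flags >> 7) & 1),
        rcode=flags & 0xF,
        qdcount=qd, ancount=an, nscount=ns, arcount=ar,
    )


def build_response(txid: int, rcode: int, ancount: int = 0) -> bytes:
    """Constructed test data: a response header with QR, RD and RA set."""
    flags = (1 << 15) | (1 << 8) | (1 << 7) | (rcode & 0xF)
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)


def score_clients(responses, min_queries=5, nx_ratio=0.6):
    """responses: iterable of (client_ip, raw_dns_message) seen on the wire.

    Returns {client_ip: (nxdomain_count, total_responses, flagged)}.
    A client is flagged when it has at least min_queries responses and the
    NXDOMAIN share reaches nx_ratio (assumed thresholds, not the paper's).
    """
    counts = defaultdict(lambda: [0, 0])
    for client, raw in responses:
        hdr = parse_header(raw)
        if not hdr.qr:
            continue  # queries carry no meaningful RCODE; only count responses
        counts[client][1] += 1
        if hdr.rcode == RCODE_NXDOMAIN:
            counts[client][0] += 1
    result = {}
    for client, (nx, total) in counts.items():
        flagged = total >= min_queries and nx / total >= nx_ratio
        result[client] = (nx, total, flagged)
    return result


def sample_traffic():
    """Constructed traffic: one DGA-like host, one normal host, one too quiet to judge."""
    traffic = []
    # 10.0.0.5: 8 NXDOMAIN out of 10 responses, typical of DGA candidate probing
    for i in range(8):
        traffic.append(("10.0.0.5", build_response(0x1000 + i, RCODE_NXDOMAIN)))
    for i in range(2):
        traffic.append(("10.0.0.5", build_response(0x2000 + i, 0, ancount=1)))
    # 10.0.0.7: 1 typo among 10 lookups, normal user behaviour
    traffic.append(("10.0.0.7", build_response(0x3000, RCODE_NXDOMAIN)))
    for i in range(9):
        traffic.append(("10.0.0.7", build_response(0x3100 + i, 0, ancount=2)))
    # 10.0.0.9: only 2 responses, both NXDOMAIN, below the evidence floor
    for i in range(2):
        traffic.append(("10.0.0.9", build_response(0x4000 + i, RCODE_NXDOMAIN)))
    # A stray query (QR=0) that must be ignored by the scorer
    traffic.append(("10.0.0.9", struct.pack("!HHHHHH", 0x4100, 1 << 8, 1, 0, 0, 0)))
    return traffic


if __name__ == "__main__":
    for client, (nx, total, flagged) in sorted(score_clients(sample_traffic()).items()):
        print(f"{client}: {nx}/{total} NXDOMAIN -> {'SUSPECT' if flagged else 'ok'}")
```

The scorer deliberately ignores packets with QR=0 and requires a minimum number of responses before judging a client, so a single mistyped hostname never trips the detector; in a real deployment the ratio would be computed over a sliding time window and combined with other header fields such as AA and ANCOUNT rather than RCODE alone.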
