Abstract

The DNS protocol is used by many malware families for command-and-control (C&C). To make C&C communication more resilient, recent malware such as Locky, Conficker and Zeus employ a Domain Generation Algorithm (DGA). Many detection systems have been proposed for DGA-based botnets. However, these approaches suffer from several limitations: for instance, they require a group of DGA domains, periodic behavior, the presence of multiple bots, and so forth. It is very hard for them to detect an individually running DGA-based malware instance that leaves only a few traces. In this paper, we develop DGASensor to detect DGA-based malware immediately by identifying a single DGA domain from lexical evidence. First, DGASensor automatically analyzes the lexical patterns of the most popular domains listed in the Alexa top 100,000 and extracts two templates, namely a distribution template and a structure template. Second, these two templates, pronounceability attributes, and some frequently used properties such as entropy and length are used to extract features from a single domain. Third, we train our classifier on a non-DGA dataset consisting of domains obtained from the Alexa ranking and a DGA dataset generated by known DGAs. Finally, we apply a short-word filter to decrease the false positive rate. We implement a prototype system and evaluate it on the above training dataset with 10-fold cross validation. Moreover, a set of real-world DNS traffic collected from a recursive DNS server is used to measure the real-world performance of our system. The results show that DGASensor detects DGA domains with 93% accuracy on our training dataset and is able to identify a variety of malware in the real-world dataset with extremely high processing throughput.
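The abstract describes a pipeline (template extraction from popular domains, per-domain lexical features, a classifier, and a short-word filter) but not its internals. The following is an added illustration of that shape of single-domain lexical scoring, written for this page; it is not the authors' DGASensor code. The benign seed list standing in for the Alexa top 100,000, the short-word dictionary, the bigram-set "distribution template", the consonant-run "structure" feature and the vote thresholds that replace the trained classifier are all constructed assumptions, chosen only so the example runs offline.

```python
# Added illustration of single-domain lexical scoring in the spirit of the
# DGASensor abstract. Not the authors' code; every list and threshold below
# is a constructed assumption, not a value taken from the paper.
import math
from collections import Counter

# Constructed stand-in for the second-level labels of the Alexa top 100,000.
BENIGN_SEEDS = [
    "google", "facebook", "youtube", "wikipedia", "amazon", "twitter",
    "instagram", "linkedin", "reddit", "netflix", "microsoft", "apple",
    "github", "stackoverflow", "yahoo", "bing", "paypal", "dropbox",
]
# Constructed stand-in for the paper's short-word filter dictionary.
SHORT_WORDS = {"mail", "news", "shop", "blog", "web", "app", "cloud", "net"}
VOWELS = set("aeiou")


def second_level_label(domain: str) -> str:
    """Label left of the last one ('mail.google.com' -> 'google').
    Simplification: no public-suffix list, so 'bbc.co.uk' yields 'co'."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(s: str) -> float:
    """Character entropy in bits; DGA labels tend to score higher than words."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def bigrams(s: str):
    return [s[i:i + 2] for i in range(len(s) - 1)]


def build_bigram_template(seeds):
    """Crude 'distribution template': the set of character bigrams seen in
    benign labels (the paper's template is richer; this is a stand-in)."""
    return {bg for label in seeds for bg in bigrams(label)}


BIGRAM_TEMPLATE = build_bigram_template(BENIGN_SEEDS)


def max_consonant_run(label: str) -> int:
    """Crude 'structure' feature: longest run of non-vowel alphanumerics."""
    run = best = 0
    for ch in label:
        if ch.isalnum() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def extract_features(label: str) -> dict:
    n = len(label)
    bgs = bigrams(label)
    return {
        "length": n,
        "entropy": shannon_entropy(label),
        "vowel_ratio": sum(ch in VOWELS for ch in label) / n if n else 0.0,
        "digit_ratio": sum(ch.isdigit() for ch in label) / n if n else 0.0,
        "max_consonant_run": max_consonant_run(label),
        "unseen_bigram_ratio": (sum(bg not in BIGRAM_TEMPLATE for bg in bgs) / len(bgs)
                                if bgs else 0.0),
    }


def is_short_word_concat(label: str, dictionary=None) -> bool:
    """Short-word filter: True if the label segments entirely into dictionary
    words (dynamic programming over split points), e.g. 'webshop' -> web+shop."""
    words = dictionary or (SHORT_WORDS | set(BENIGN_SEEDS))
    ok = [True] + [False] * len(label)
    for i in range(1, len(label) + 1):
        ok[i] = any(ok[j] and label[j:i] in words for j in range(i))
    return ok[len(label)]


def classify(domain: str) -> dict:
    """Constructed majority-vote rule standing in for the trained classifier."""
    label = second_level_label(domain)
    f = extract_features(label)
    votes = sum([
        f["entropy"] > 3.5,
        f["vowel_ratio"] < 0.25,
        f["max_consonant_run"] >= 5,
        f["unseen_bigram_ratio"] > 0.5,
        f["digit_ratio"] > 0.3,
    ])
    dga = votes >= 2 and not is_short_word_concat(label)
    return {"domain": domain, "label": label, "votes": votes, "dga": dga, **f}


if __name__ == "__main__":
    # Constructed sample queries, as a recursive resolver log might show them.
    for d in ["mail.google.com", "pinterest.com", "webshop.net",
              "xkqzjwpbvtrlmnf.com", "a7f3k9q2x1.info"]:
        r = classify(d)
        print(f"{d:25s} votes={r['votes']} dga={r['dga']}")
```

The two randomized-looking labels collect votes from entropy, vowel ratio, consonant run and unseen bigrams, while a dictionary concatenation such as webshop is cleared by the filter before it can be flagged. In a real deployment the vote rule would be replaced by a classifier trained on labelled Alexa and DGA data, and the label extraction would use a public-suffix list so that country-code second-level domains are not mis-split.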
