Abstract

Malicious codes, such as advanced persistent threat (APT) attacks, do not operate immediately after infecting the system, but after receiving commands from the attacker’s command and control (C&C) server. The system infected by the malicious code tries to communicate with the C&C server through the IP address or domain address of the C&C server. If the IP address or domain address is hard-coded inside the malicious code, it can analyze the malicious code to obtain the address and block access to the C&C server through security policy. In order to circumvent this address blocking technique, domain generation algorithms are included in the malware to dynamically generate domain addresses. The domain generation algorithm (DGA) generates domains randomly, so it is very difficult to identify and block malicious domains. Therefore, this paper effectively detects and classifies unknown DGA domains. We extract features that are effective for TextCNN-based label prediction, and add additional domain knowledge-based features to improve our model for detecting and classifying DGA-generated malicious domains. The proposed model achieved 99.19% accuracy for DGA classification and 88.77% accuracy for DGA class classification. We expect that the proposed model can be applied to effectively detect and block DGA-generated domains.

Highlights

  • The advanced persistent threat (APT) attacks are characterized by the fact that they do not stop the attack by producing dense and systematic security threats based on various IT technologies and attack methods until the successful intrusion inside

  • domain generation algorithm (DGA) generates a random string by inputting a predetermined seed value and combines secondit uses time series data, such as time or exchange rates, that the attacker can know at the same time as a level domain (SLD) and top-level domain (TLD) to generate a domain address

  • This study proposed an long short-term memorymemory (LSTM) multi-input (LSTM.MI) model that combines two models used for binary classification and multi-class classification

Read more

Summary

Background

Most cyberattacks use malicious codes, and according to AV-TEST, more than 1 billion malicious codes are expected to emerge in 2020 [1]. Unlike the recent distribution of malicious codes to a large number of unspecified people, advanced persistent threat (APT) attacks are attempted after targeting one target. By an internal user to create an internally infected PC. Step 2 collects infrastructure information, such such as organization’s the organization’s internal network. The fourth stage consists of steps such as account information theft and malware infections. The fourth stage consists of steps such as internal internal information destruction under the the command of theofattacker. Malicious such as APT attacks, operate after receiving commands from a remote command and control (C&C). Codes, such as APT attacks, operate after receiving commands from a remote command and control server being on the device.

A DNS-generated
Binary and Multi-Class Classification Are Possible with One Model
Feature Refining Technology that Reflects Features Well According to Purpose
Similarity Comparison Technique for DGA Classification
Example
Clustering Technique for DGA Classification
Overview
TextCNN based Feature
Knowledge Based Feature Engineering
Classification
20. Theofrest ofand the an output class number of
Dataset
Analysis Environments
DGA Classification Results
Results
Section 4.3.
Conclusions

Talk to us

Join us for a 30 min session where you can share your feedback and ask us any queries you have

Schedule a call

Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.