Abstract

In recent years, cyberattacks using command and control (C&C) servers have significantly increased. To hide their C&C servers, attackers often use a domain generation algorithm (DGA), which automatically generates domain names for the C&C servers. Accordingly, extensive research on DGA domain detection has been conducted. However, existing methods cannot accurately detect continuously generated DGA domains and can easily be evaded by an attacker. Recently, long short-term memory (LSTM) based deep learning models have been introduced to detect DGA domains in real time using only domain names, without feature extraction or additional information. In this paper, we propose an efficient DGA domain detection method based on bidirectional LSTM (BiLSTM), which learns bidirectional information as opposed to the unidirectional information learned by LSTM. We further maximize the detection performance with a convolutional neural network (CNN) + BiLSTM ensemble model using an attention mechanism, which allows the model to learn both local and global information in a domain sequence. Experimental results show that existing CNN and LSTM models achieved F1-scores of 0.9384 and 0.9597, respectively, while the proposed BiLSTM and ensemble models achieved higher F1-scores of 0.9618 and 0.9666, respectively. In addition, the ensemble model achieved the best performance for most DGA domain classes, enabling more accurate DGA domain detection than existing models.
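The abstract describes two model-agnostic pieces that any character-level DGA detector of this kind needs: turning raw domain names into fixed-length integer character sequences (the only "features" a CNN, LSTM or BiLSTM sees), and computing the precision, recall and F1-score used above to compare models, including a per-class F1 for individual DGA families. The following Python is an added example, not code from the paper or its authors; the domain strings, labels and model predictions are constructed for illustration (the random-looking names are made up, not the output of any real DGA), and the neural network itself is out of scope, since a deep learning framework would be plugged in between the encoder and the scorer.

```python
from typing import Dict, List, Sequence, Tuple

# Added example (not the paper's code). Reserved ids in the character vocabulary.
PAD_ID = 0  # right-padding so every sequence has the same length
UNK_ID = 1  # characters never seen while the vocabulary was built


def build_vocab(domains: Sequence[str]) -> Dict[str, int]:
    """Map every character in the training domains to an integer id >= 2."""
    chars = sorted({c for d in domains for c in d.lower()})
    return {c: i + 2 for i, c in enumerate(chars)}


def encode(domain: str, vocab: Dict[str, int], max_len: int) -> List[int]:
    """Lowercase, map each character to its id, truncate to max_len, right-pad.

    This is the entire preprocessing step: no hand-crafted lexical features,
    the sequence model learns directly from the character order.
    """
    ids = [vocab.get(c, UNK_ID) for c in domain.lower()[:max_len]]
    return ids + [PAD_ID] * (max_len - len(ids))


def encode_batch(domains: Sequence[str], vocab: Dict[str, int],
                 max_len: int) -> List[List[int]]:
    """Encode a list of domains into a rectangular batch for the model."""
    return [encode(d, vocab, max_len) for d in domains]


def precision_recall_f1(y_true: Sequence, y_pred: Sequence,
                        positive=1) -> Tuple[float, float, float]:
    """Binary precision/recall/F1 treating `positive` as the DGA class.

    Empty denominators yield 0.0 instead of raising, so a model that never
    predicts the positive class is scored rather than crashing evaluation.
    """
    tp = sum(1 for t, p in zip(y_true, y_pred) if t == positive and p == positive)
    fp = sum(1 for t, p in zip(y_true, y_pred) if t != positive and p == positive)
    fn = sum(1 for t, p in zip(y_true, y_pred) if t == positive and p != positive)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return precision, recall, f1


def per_class_f1(y_true: Sequence, y_pred: Sequence) -> Dict[str, float]:
    """One-vs-rest F1 per label (each DGA family, plus benign), as used when
    reporting which model wins on most DGA classes."""
    return {label: precision_recall_f1(y_true, y_pred, positive=label)[2]
            for label in sorted(set(y_true))}


if __name__ == "__main__":
    # Constructed sample corpus: benign names plus made-up random-looking names.
    train = ["google.com", "wikipedia.org", "github.com",
             "qzx7k1pwv.net", "lm9t4rhdq.info"]
    vocab = build_vocab(train)
    for d, row in zip(train, encode_batch(train, vocab, max_len=16)):
        print(f"{d:16s} -> {row}")

    # Constructed predictions for two hypothetical models on a held-out set,
    # to show how the F1 comparison in the paper is computed.
    y_true = [0, 0, 0, 1, 1, 1]
    model_a = [0, 0, 1, 1, 1, 0]   # one false positive, one miss
    model_b = [0, 0, 0, 1, 1, 1]   # perfect on this tiny set
    for name, pred in (("model_a", model_a), ("model_b", model_b)):
        p, r, f = precision_recall_f1(y_true, pred)
        print(f"{name}: precision={p:.4f} recall={r:.4f} f1={f:.4f}")

    # Per-family view with constructed family labels.
    fam_true = ["benign", "famA", "famA", "famB"]
    fam_pred = ["benign", "famA", "famB", "famB"]
    print(per_class_f1(fam_true, fam_pred))
```

The encoder keeps the dot and the TLD in the sequence; whether to strip the TLD before encoding is a design choice that changes what the model can learn, so it should be fixed once and applied identically at training and inference time.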

Highlights

  • Despite advances in security technology, it is still difficult to efficiently respond to cyberattacks using command and control (C&C) servers

  • We present the detailed design and implementation of a new domain generation algorithm (DGA) domain detection method using the proposed bidirectional long short-term memory (BiLSTM) model. Then, we propose a further improved DGA domain detection method based on an ensemble model that combines a convolutional neural network (CNN) and BiLSTM with attention

  • The ensemble model achieved the best performance among all models with an F1-score of 0.9666. This excellent result indicates that the ensemble model fully exploits the advantages of both the CNN and BiLSTM models

Introduction

Despite advances in security technology, it is still difficult to efficiently respond to cyberattacks using command and control (C&C) servers. A C&C server generally controls a botnet, a set of infected PCs, by issuing malicious commands or controlling malicious code on behalf of remote attackers. The simplest way to achieve this is to hard-code the IP address or domain name of the C&C server in the malware. Because the malware is installed on an infected PC at a remote location, it attempts to connect to the C&C server to receive commands. This is not effective from an attacker's perspective because a fixed address is detected and blocked by security experts. A DGA instead continuously generates multiple domain names from a certain seed [1]. The malware assumes that a domain generated by the DGA is the domain of the C&C server and attempts to connect to it
