Abstract

One of the leading problems in cyber security at present is the unceasing emergence of sophisticated attacks, such as botnets and ransomware, that rely heavily on Command and Control (C&C) channels to conduct their malicious activities remotely. To avoid channel detection, attackers constantly try to create different covert communication techniques. One such technique is the Domain Generation Algorithm (DGA), which allows malware to generate numerous domain names until it finds its corresponding C&C server. It is highly resilient to detection systems and reverse engineering, while allowing the C&C server to have several redundant domain names. This paper presents a malicious domain name detection system, MaldomDetector, which is based on machine learning. It is capable of detecting DGA-based communications and circumventing the attack before it makes any successful connection with the C&C server, using only the domain name's characters. MaldomDetector uses a set of easy-to-compute and language-independent features in addition to a deterministic algorithm to detect malicious domains. The experimental results demonstrate that MaldomDetector can operate efficiently as a first alarm to detect DGA-based domains of malware families while maintaining high detection accuracy.

Highlights

  • Cybercriminals often depend on command and control (C&C) to launch their cyber-attacks

  • This paper presents a malicious domain name detection system, MaldomDetector, which is based on machine learning

  • It is capable of detecting Domain Generation Algorithm (DGA)-based communications and circumventing the attack before it makes any successful connection with the Command and Control (C&C) server, using only the domain name's characters


Summary

Introduction

Cybercriminals often depend on command and control (C&C) to launch their cyber-attacks. The cybercriminals can run many malicious activities, such as data exfiltration, spamming and downloading harmful files, by directing the compromised machines via C&C channels [1]. To protect these channels from being detected and blocked by security controls, attackers have started to build reliable C&C infrastructures to conduct their cyber-attacks remotely. The DGA approach is a recent development in malware communications and has several advantages. It makes the process of retrieving C&C information, i.e., pseudo-random domains, from the malware code using reverse engineering methods very difficult [6]. This issue is only exacerbated by the large number of new malware families and their variants detected every day [7]. DGA provides a large amount of redundancy in the C&C server, where if one server is taken down, a new one can be available within a short time [2].
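As an added illustration of the kind of easy-to-compute, language-independent character features a first-alarm detector can derive from a domain name alone, the following is example code written for this summary, not MaldomDetector's own code: the page does not list the paper's actual feature set or algorithm, so the features (length, Shannon entropy, digit ratio, vowel ratio, longest consonant run), the thresholds and the sample domains are all assumptions constructed here.

```python
import math
from collections import Counter

# Constructed sample domains for illustration (not taken from the paper).
# The last two are random-looking labels of the kind a DGA tends to produce.
SAMPLE_DOMAINS = [
    "example.com",
    "wikipedia.org",
    "xkqzvbnmtrplwdfg.net",
    "a8f3k29zq7w1.info",
]

VOWELS = set("aeiou")


def second_level_label(domain: str) -> str:
    """Return the label just left of the suffix, e.g. 'example' for 'www.example.com'.
    Assumption: a single-label public suffix; a real deployment would consult a
    public-suffix list so that 'co.uk'-style suffixes are handled correctly."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; higher values mean a more random-looking label."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def longest_consonant_run(s: str) -> int:
    """Length of the longest run of consonants; pronounceable words keep this small."""
    best = run = 0
    for ch in s:
        run = run + 1 if (ch.isalpha() and ch not in VOWELS) else 0
        best = max(best, run)
    return best


def extract_features(domain: str) -> dict:
    """Character-only features: no lookups, no dictionary, so they work for any language."""
    label = second_level_label(domain)
    n = len(label) or 1  # guard the ratios against an empty label
    return {
        "length": len(label),
        "entropy": round(shannon_entropy(label), 3),
        "digit_ratio": round(sum(ch.isdigit() for ch in label) / n, 3),
        "vowel_ratio": round(sum(ch in VOWELS for ch in label) / n, 3),
        "consonant_run": longest_consonant_run(label),
    }


def is_suspicious(domain: str) -> bool:
    """Deterministic first-alarm rule; the thresholds are assumptions chosen for this example."""
    f = extract_features(domain)
    return (f["length"] >= 12 and f["entropy"] >= 3.5) or f["vowel_ratio"] < 0.1 or f["digit_ratio"] >= 0.3


def flag_domains(domains: list[str]) -> list[str]:
    """Return the domains that the rule would raise an alarm on, in input order."""
    return [d for d in domains if is_suspicious(d)]


if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        print(d, extract_features(d), "SUSPICIOUS" if is_suspicious(d) else "ok")
```

On the constructed samples the rule flags only the two random-looking labels; in practice such a rule is a triage signal to feed a classifier, since short dictionary-word DGAs keep these ratios close to benign values.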
