A Novel Model Based on Ensemble Learning for Detecting DGA Botnets

Bibliographic Details
Main Authors: Vu, Xuan Hanh, Hoang, Xuan Dau, Chu, Thi Hong Hai
Format: Conference Proceeding
Language:English
Description
Summary: Domain generation algorithms (DGAs) have recently become a popular technique in malware in general and botnets in particular. A DGA lets an attacker automatically generate and register domain names for the C&C servers of a botnet, so that the botnet is not blacklisted and disabled the way it would be if it relied on static domain names and IP addresses. Many sophisticated DGA variants are in use, including character-based DGA, word-based DGA and mixed DGA. They produce everything from simple domain names made of random character combinations to complex domain names made of combinations of meaningful words that closely resemble legitimate domain names, which makes botnets in general, and DGA botnets in particular, difficult to monitor and detect. Some solutions detect character-based DGA domain names efficiently but cannot detect word-based or mixed DGA domain names; conversely, some recent proposals detect word-based DGA domain names effectively but fail on the domain names of some character-based DGA botnets. This paper proposes an ensemble-learning model that detects most DGA domain names efficiently, both character-based and word-based. The proposed model combines two component models: a character-based DGA botnet detection model and a word-based DGA botnet detection model. Experimental results show that the combined model effectively detects 37 of 39 DGA botnet families with an average detection rate of over 89%.
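The following Python block is an added illustration of the distinction the abstract draws; it is not code from the paper, whose component models and combination rule are not given here. It pairs a character-level heuristic (entropy, vowel ratio, consonant runs, digits) that catches random-looking labels with a dictionary-segmentation heuristic that catches labels built from concatenated words, then combines the two with an OR-style rule. The word list, thresholds, weights, sample domains and the combination rule are constructed assumptions, and the heuristics stand in for the paper's learned component models.

```python
import math
import re
from collections import Counter

# Constructed mini-dictionary (assumption). A real word-based detector
# would use a large word list or learned word-sequence features.
WORDS = {"cloud", "table", "river", "secure", "mail", "news", "shop",
         "micro", "soft", "bank", "login", "data", "port"}
VOWELS = set("aeiou")
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-z]+")


def second_level_label(domain):
    """Return the label left of the public suffix (naive: left of the last dot)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s):
    """Bits of entropy per character over the label's own symbol distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def char_features(label):
    letters = [c for c in label if c.isalpha()]
    return {
        "entropy": shannon_entropy(label),
        "vowel_ratio": (sum(c in VOWELS for c in letters) / len(letters)) if letters else 0.0,
        "digit_ratio": (sum(c.isdigit() for c in label) / len(label)) if label else 0.0,
        "consonant_run": max((len(m) for m in CONSONANT_RUN.findall(label)), default=0),
    }


def char_dga_score(label):
    """Stand-in for the character-based component: fraction of assumed
    'random-looking' indicators that fire (thresholds are assumptions)."""
    f = char_features(label)
    hits = sum([
        f["entropy"] > 3.7,        # many distinct symbols for the length
        f["vowel_ratio"] < 0.25,   # pronounceable text has more vowels
        f["consonant_run"] >= 4,   # long consonant clusters are rare in words
        f["digit_ratio"] > 0.2,    # heavy digit mixing
    ])
    return hits / 4


def segment_words(label, words=WORDS, max_word=8):
    """Dynamic-programming split of the label into the fewest dictionary words.
    Returns the word list, or None if the label is not fully covered by words."""
    best = [None] * (len(label) + 1)
    best[0] = []
    for end in range(1, len(label) + 1):
        for start in range(max(0, end - max_word), end):
            piece = label[start:end]
            if best[start] is not None and piece in words:
                cand = best[start] + [piece]
                if best[end] is None or len(cand) < len(best[end]):
                    best[end] = cand
    return best[len(label)]


def word_dga_score(label):
    """Stand-in for the word-based component: labels made entirely of
    concatenated dictionary words score higher the more words they glue
    together (two-word compounds such as brand names stay below 0.5)."""
    words = segment_words(label)
    if not words:
        return 0.0
    return min((len(words) - 1) / 2, 1.0)


def classify(domain, char_threshold=0.5, word_threshold=0.5):
    """Assumed ensemble rule: the domain is flagged if either component flags it,
    so each component covers the DGA style the other one misses."""
    label = second_level_label(domain)
    c, w = char_dga_score(label), word_dga_score(label)
    char_flag, word_flag = c > char_threshold, w > word_threshold
    return {"domain": domain, "char_score": c, "word_score": w,
            "char_flag": char_flag, "word_flag": word_flag,
            "dga": char_flag or word_flag}


if __name__ == "__main__":
    # Constructed samples: two benign labels, one random-character label in the
    # style of a character-based DGA, one concatenated-words label in the style
    # of a word-based DGA. None is a real family's output.
    for d in ["google.com", "microsoft.com", "qzxkvbtrwpdjgnfh.com", "cloudtableriver.net"]:
        r = classify(d)
        print(f"{d:24} char={r['char_score']:.2f} word={r['word_score']:.2f} dga={r['dga']}")
```

Running the block shows the complementarity the abstract describes: the random-character sample is caught only by the character component, the concatenated-words sample only by the word component, and the ensemble flags both while leaving the two benign labels alone.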
ISSN:2694-4804
DOI:10.1109/KSE56063.2022.9953792