PKDGA: A Partial Knowledge-based Domain Generation Algorithm for Botnets
Published in: | arXiv.org, 2022-12-08 |
---|---|
Main Authors: | Nie, Lihai; Shan, Xiaoyang; Zhao, Laiping; Li, Keqiu |
Format: | Article |
Language: | English |
Subjects: | Algorithms; Detectors; Domains; Malware |
Online Access: | https://www.proquest.com/docview/2748627126 |
container_title | arXiv.org |
---|---|
creator | Nie, Lihai; Shan, Xiaoyang; Zhao, Laiping; Li, Keqiu |
description | Domain generation algorithms (DGAs) can be categorized into three types: zero-knowledge, partial-knowledge, and full-knowledge. While prior research merely focused on zero-knowledge and full-knowledge types, we characterize their anti-detection ability and practicality and find that zero-knowledge DGAs present low anti-detection ability against detectors, and full-knowledge DGAs suffer from low practicality due to the strong assumption that they are fully detector-aware. Given these observations, we propose PKDGA, a partial knowledge-based domain generation algorithm with high anti-detection ability and high practicality. PKDGA employs the reinforcement learning architecture, which makes it evolve automatically based only on the easily-observable feedback from detectors. We evaluate PKDGA using a comprehensive set of real-world datasets, and the results demonstrate that it reduces the detection performance of existing detectors from 91.7% to 52.5%. We further apply PKDGA to the Mirai malware, and the evaluations show that the proposed method is quite lightweight and time-efficient. |
format | article |
fullrecord | ProQuest record 2748627126 (Publicly Available Content Database); published 2022-12-08 by Cornell University Library, arXiv.org, Ithaca; EISSN 2331-8422; licensed under http://creativecommons.org/licenses/by/4.0/; full text at https://www.proquest.com/docview/2748627126 |
identifier | EISSN: 2331-8422 |
ispartof | arXiv.org, 2022-12 |
issn | 2331-8422 |
language | eng |
recordid | cdi_proquest_journals_2748627126 |
source | Publicly Available Content Database |
subjects | Algorithms; Detectors; Domains; Malware |
title | PKDGA: A Partial Knowledge-based Domain Generation Algorithm for Botnets |
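Added worked example, not code from the paper or its authors: a small Python model of the three knowledge levels the abstract distinguishes. A zero-knowledge generator emits seeded uniform characters and ignores the detector; a partial-knowledge generator only ever sees whether each label was flagged and uses that single bit to shift toward the generation strategy that evades. Everything specific here is an assumption made for the example: the benign label list, the bigram-plus-entropy detector and its 0.55 threshold, the 10 to 14 character labels, and the epsilon-greedy bandit that stands in for the reinforcement learning architecture the abstract describes.

```python
"""Toy model of the DGA knowledge levels in the abstract (added example, not
the paper's PKDGA code): a detector, fixed generators, and a feedback learner."""
import math
import random
from collections import Counter, defaultdict

# Constructed stand-in for a public list of popular benign domain labels. The
# detector trains on it; the generator knows the same public list (partial
# knowledge of benign traffic) but nothing about the detector itself.
BENIGN_LABELS = [
    "google", "facebook", "amazon", "wikipedia", "youtube", "microsoft",
    "twitter", "linkedin", "netflix", "instagram", "reddit", "github",
    "stackoverflow", "apple", "cloudflare", "mozilla", "ubuntu", "python",
]
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
LETTER_POOL = "".join(BENIGN_LABELS)
THRESHOLD = 0.55  # detector cut-off on suspicion_score, chosen for the toy

def bigrams(label):
    return [label[i:i + 2] for i in range(len(label) - 1)]

BENIGN_BIGRAMS = {b for lab in BENIGN_LABELS for b in bigrams(lab)}

def char_entropy(label):
    """Shannon entropy of the label's character distribution, in bits."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def suspicion_score(label):
    """Half normalised entropy, half share of bigrams unseen in benign labels."""
    bg = bigrams(label)
    if not bg:
        return 1.0
    unseen = sum(b not in BENIGN_BIGRAMS for b in bg) / len(bg)
    return 0.5 * unseen + 0.5 * min(1.0, char_entropy(label) / 4.0)

def detector_flags(label):
    """The only signal the generator ever observes: flagged or not."""
    return suspicion_score(label) >= THRESHOLD

def zero_knowledge_domain(rng, length):
    """Zero-knowledge DGA: uniform characters from a seeded RNG."""
    return "".join(rng.choice(ALPHABET) for _ in range(length))

def letter_frequency_domain(rng, length):
    """Characters drawn independently with benign letter frequencies."""
    return "".join(rng.choice(LETTER_POOL) for _ in range(length))

def _benign_chain():
    """Benign bigram transitions with dead-end letters pruned, so a walk can
    always continue and every bigram it emits occurs in a benign label."""
    nxt = defaultdict(set)
    for b in BENIGN_BIGRAMS:
        nxt[b[0]].add(b[1])
    while True:
        dead = {t for ts in nxt.values() for t in ts if t not in nxt}
        if not dead:
            return {a: sorted(ts) for a, ts in nxt.items()}
        for a in list(nxt):
            nxt[a] -= dead
            if not nxt[a]:
                del nxt[a]

CHAIN = _benign_chain()

def bigram_chain_domain(rng, length):
    """Walk the benign bigram graph; only entropy can raise its score."""
    out = [rng.choice(sorted(CHAIN))]
    while len(out) < length:
        out.append(rng.choice(CHAIN[out[-1]]))
    return "".join(out)

STRATEGIES = {"uniform": zero_knowledge_domain,
              "letter_freq": letter_frequency_domain,
              "bigram_chain": bigram_chain_domain}

def compare_strategies(seed=1, n=200):
    """Flag rate of each fixed (non-adapting) strategy against the detector."""
    rng = random.Random(seed)
    return {name: sum(detector_flags(gen(rng, rng.randint(10, 14)))
                      for _ in range(n)) / n for name, gen in STRATEGIES.items()}

def adapt_with_feedback(rounds=300, epsilon=0.1, warmup=5, seed=7):
    """Partial-knowledge generator as an epsilon-greedy bandit over the
    strategies, rewarded only when the detector stays silent (a stand-in for
    the abstract's reinforcement learning architecture, not its code)."""
    rng, arms = random.Random(seed), list(STRATEGIES)
    pulls, wins, history = Counter(), Counter(), []
    for i in range(rounds):
        if i < warmup * len(arms):          # try every arm a few times first
            arm = arms[i % len(arms)]
        elif rng.random() < epsilon:        # keep exploring occasionally
            arm = rng.choice(arms)
        else:                               # exploit the least-flagged arm
            arm = max(arms, key=lambda a: wins[a] / pulls[a])
        label = STRATEGIES[arm](rng, rng.randint(10, 14))
        reward = 0 if detector_flags(label) else 1
        pulls[arm] += 1
        wins[arm] += reward
        history.append((arm, label, reward))
    return max(arms, key=lambda a: wins[a] / pulls[a]), history
```

Calling `compare_strategies()` shows the zero-knowledge arm flagged almost every time and the bigram-chain arm never, since the latter can only score through entropy, which the detector caps at half the threshold; `adapt_with_feedback()` then converges on the chain arm using nothing but per-label verdicts. These rates belong to the toy detector and say nothing about the 91.7% to 52.5% figure in the abstract. The practitioner's caveat the toy makes visible is that the whole adaptation depends on a verdict the generator can observe quickly: a detector that logs silently, delays blocking, or randomises its responses withholds the reward signal the bandit needs.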