PKDGA: A Partial Knowledge-Based Domain Generation Algorithm for Botnets

Bibliographic Details
Published in: IEEE Transactions on Information Forensics and Security, 2023, Vol. 18, pp. 4854-4869
Main Authors: Nie, Lihai; Shan, Xiaoyang; Zhao, Laiping; Li, Keqiu
Format: Article
Language: English
Description
Summary: Domain generation algorithms (DGAs) can be categorized into three types: zero-knowledge, partial-knowledge, and full-knowledge. While prior research merely focused on zero-knowledge and full-knowledge types, we characterize their anti-detection ability and practicality and find that zero-knowledge DGAs present low anti-detection ability against detectors, and full-knowledge DGAs suffer from low practicality due to the strong assumption that they are fully detector-aware. Given these observations, we propose PKDGA, a partial knowledge-based domain generation algorithm with high anti-detection ability and high practicality. PKDGA employs the reinforcement learning architecture, which makes it evolve automatically based only on the easily-observable feedback from detectors. We evaluate PKDGA using a comprehensive set of real-world datasets, and the results demonstrate that it reduces the detection performance of existing detectors from 91.7% to 52.5%. We further apply PKDGA to the Mirai malware, and the evaluations show that the proposed method is quite lightweight and time-efficient.
ISSN: 1556-6013, 1556-6021
DOI: 10.1109/TIFS.2023.3298229