Enhanced Domain Generating Algorithm Detection Based on Deep Neural Networks

Amara Kumar, Harish Thodupunoori, VINAYAKUMAR R, SOMAN KP, PRABAHARAN Poornachandran, Mamoun Alazab, Sitalakshmi Venkatraman

Research output: Chapter in Book/Report/Conference proceeding > Chapter > Research > peer-review

Abstract

In recent years, modern botnets have employed domain generation algorithms (DGAs) to evade detection solutions that rely on either reverse engineering or blacklisting of malicious domain names. A DGA generates a large number of pseudo-random domain names through which infected hosts locate the command and control server. This makes DGAs very attractive to botnet operators (botmasters), since they make botnets more resilient to blacklisting and to take-down efforts. Detecting DGA-generated malicious domains in real time is a highly challenging task, and significant research has been carried out by applying different machine learning algorithms. This research reviews contemporary state-of-the-art approaches to detecting malicious DGA domains and proposes a deep learning architecture for detecting DGA-generated domain names.

This chapter presents extensive experiments conducted with various deep neural network (DNN) architectures, mainly convolutional neural network (CNN), recurrent neural network (RNN), long short-term memory (LSTM), gated recurrent unit (GRU), bidirectional long short-term memory (BiLSTM), bidirectional recurrent neural network (BiRNN) and CNN-LSTM layered deep learning architectures, for both binary and multi-class detection. An extensive study of the performance and efficiency of the proposed DGA Malicious Detector is conducted through rigorous experimentation and testing on two different datasets. The first dataset is drawn from public sources and the second from private sources. We perform a comprehensive measurement study of DGAs by analyzing more than three million domain names. Our experiments show that our DGA Malicious Detector is capable of effectively identifying domains generated by DGA families, with high accuracy of 99.7% and 97.1% on the two datasets respectively. A comparative study of the deep learning approaches shows that our DGA Malicious Detector benchmarks well against them.
Original language: English
Title of host publication: Deep Learning Applications for Cyber Security
Editors: Mamoun Alazab, MingJian Tang
Publisher: Springer
Pages: 151-173
Number of pages: 23
ISBN (Electronic): 978-3-030-13057-2
ISBN (Print): 978-3-030-13056-5
DOIs: https://doi.org/10.1007/978-3-030-13057-2_7
Publication status: Published - 2019

Publication series

Name: Advanced Sciences and Technologies for Security Applications
Publisher: Springer
ISSN (Print): 1613-5113

Fingerprint

Recurrent neural networks
Detectors
Neural networks
Deep neural networks
Reverse engineering
Benchmarking
Learning algorithms
Learning systems
Servers
Experiments
Testing
Botnet
Long short-term memory
Deep learning

Cite this

Kumar, A., Thodupunoori, H., R, VINAYAKUMAR., KP, SOMAN., Poornachandran, PRABAHARAN., Alazab, M., & Venkatraman, S. (2019). Enhanced Domain Generating Algorithm Detection Based on Deep Neural Networks. In M. Alazab, & M. Tang (Eds.), Deep Learning Applications for Cyber Security (pp. 151-173). (Advanced Sciences and Technologies for Security Applications). Springer. https://doi.org/10.1007/978-3-030-13057-2_7
Kumar, Amara ; Thodupunoori, Harish ; R, VINAYAKUMAR ; KP, SOMAN ; Poornachandran, PRABAHARAN ; Alazab, Mamoun ; Venkatraman, Sitalakshmi. / Enhanced Domain Generating Algorithm Detection Based on Deep Neural Networks. Deep Learning Applications for Cyber Security. editor / Mamoun Alazab ; MingJian Tang. Springer, 2019. pp. 151-173 (Advanced Sciences and Technologies for Security Applications).
@inbook{fa662b8106234d648f5699011a028cb4,
title = "Enhanced Domain Generating Algorithm Detection Based on Deep Neural Networks",
abstract = "In recent years, modern botnets employ the technique of domain generation algorithm (DGA) to evade detection solutions that use either reverse engineering methods, or blacklisting of malicious domain names. DGA facilitates generation of large number of pseudo random domain names to connect to the command and control server. This makes DGAs very convincing for botnet operators (botmasters) to make their botnets more effective and resilient to blacklisting and efforts of shutting-down attacks. Detecting the malicious domains generated by the DGAs in real time is the most challenging task and significant research has been carried out by applying different machine learning algorithms. This research considers contemporary state-of-the-art DGA malicious detection approaches and proposes a deep learning architecture for detecting the DGA generated domain names.This chapter presents extensive experiments conducted with various Deep Neural Networks (DNN), mainly, convolutional neural network (CNN), Recurrent Neural Network (RNN), Long Short-Term Memory (LSTM), Gated Recurrent Unit (GRU), Bidirectional Long Short-Term Memory (BiLSTM), Bidirectional Recurrent Neural Network (BiRNN) and CNN-LSTM layers deep learning architectures for the binary class and multi-class detection. An extensive study of the performance and efficiency of the proposed DGA Malicious Detector is conducted through rigorous experimentation and testing of two different datasets. The first dataset consists of public sources and the second dataset is from private sources. We perform a comprehensive measurement study of the DGA by analyzing more than three Million domain names. Our experiments show our DGA Malicious Detector is capable of effectively identifying domains generated by DGA families with high accuracy of 99.7{\%} and 97.1{\%} for the two datasets respectively. A comparative study of the deep learning approaches shows good benchmarking of our DGA Malicious Detector.",
keywords = "Domain generation algorithm (DGA), Cybersecurity, Malware, Botnet, DNS, Deep learning",
author = "Amara Kumar and Harish Thodupunoori and VINAYAKUMAR R and SOMAN KP and PRABAHARAN Poornachandran and Mamoun Alazab and Sitalakshmi Venkatraman",
year = "2019",
doi = "10.1007/978-3-030-13057-2_7",
language = "English",
isbn = "978-3-030-13056-5",
series = "Advanced Sciences and Technologies for Security Applications",
publisher = "Springer",
pages = "151--173",
editor = "Mamoun Alazab and MingJian Tang",
booktitle = "Deep Learning Applications for Cyber Security",
address = "Switzerland",

}

Kumar, A, Thodupunoori, H, R, VINAYAKUMAR, KP, SOMAN, Poornachandran, PRABAHARAN, Alazab, M & Venkatraman, S 2019, Enhanced Domain Generating Algorithm Detection Based on Deep Neural Networks. in M Alazab & M Tang (eds), Deep Learning Applications for Cyber Security. Advanced Sciences and Technologies for Security Applications, Springer, pp. 151-173. https://doi.org/10.1007/978-3-030-13057-2_7

Enhanced Domain Generating Algorithm Detection Based on Deep Neural Networks. / Kumar, Amara; Thodupunoori, Harish; R, VINAYAKUMAR; KP, SOMAN; Poornachandran, PRABAHARAN; Alazab, Mamoun; Venkatraman, Sitalakshmi.

Deep Learning Applications for Cyber Security. ed. / Mamoun Alazab; MingJian Tang. Springer, 2019. p. 151-173 (Advanced Sciences and Technologies for Security Applications).

Research output: Chapter in Book/Report/Conference proceeding > Chapter > Research > peer-review

TY  - CHAP
T1  - Enhanced Domain Generating Algorithm Detection Based on Deep Neural Networks
AU  - Kumar, Amara
AU  - Thodupunoori, Harish
AU  - R, VINAYAKUMAR
AU  - KP, SOMAN
AU  - Poornachandran, PRABAHARAN
AU  - Alazab, Mamoun
AU  - Venkatraman, Sitalakshmi
PY  - 2019
Y1  - 2019
N2  - In recent years, modern botnets employ the technique of domain generation algorithm (DGA) to evade detection solutions that use either reverse engineering methods, or blacklisting of malicious domain names. DGA facilitates generation of large number of pseudo random domain names to connect to the command and control server. This makes DGAs very convincing for botnet operators (botmasters) to make their botnets more effective and resilient to blacklisting and efforts of shutting-down attacks. Detecting the malicious domains generated by the DGAs in real time is the most challenging task and significant research has been carried out by applying different machine learning algorithms. This research considers contemporary state-of-the-art DGA malicious detection approaches and proposes a deep learning architecture for detecting the DGA generated domain names.This chapter presents extensive experiments conducted with various Deep Neural Networks (DNN), mainly, convolutional neural network (CNN), Recurrent Neural Network (RNN), Long Short-Term Memory (LSTM), Gated Recurrent Unit (GRU), Bidirectional Long Short-Term Memory (BiLSTM), Bidirectional Recurrent Neural Network (BiRNN) and CNN-LSTM layers deep learning architectures for the binary class and multi-class detection. An extensive study of the performance and efficiency of the proposed DGA Malicious Detector is conducted through rigorous experimentation and testing of two different datasets. The first dataset consists of public sources and the second dataset is from private sources. We perform a comprehensive measurement study of the DGA by analyzing more than three Million domain names. Our experiments show our DGA Malicious Detector is capable of effectively identifying domains generated by DGA families with high accuracy of 99.7% and 97.1% for the two datasets respectively. A comparative study of the deep learning approaches shows good benchmarking of our DGA Malicious Detector.
AB  - In recent years, modern botnets employ the technique of domain generation algorithm (DGA) to evade detection solutions that use either reverse engineering methods, or blacklisting of malicious domain names. DGA facilitates generation of large number of pseudo random domain names to connect to the command and control server. This makes DGAs very convincing for botnet operators (botmasters) to make their botnets more effective and resilient to blacklisting and efforts of shutting-down attacks. Detecting the malicious domains generated by the DGAs in real time is the most challenging task and significant research has been carried out by applying different machine learning algorithms. This research considers contemporary state-of-the-art DGA malicious detection approaches and proposes a deep learning architecture for detecting the DGA generated domain names.This chapter presents extensive experiments conducted with various Deep Neural Networks (DNN), mainly, convolutional neural network (CNN), Recurrent Neural Network (RNN), Long Short-Term Memory (LSTM), Gated Recurrent Unit (GRU), Bidirectional Long Short-Term Memory (BiLSTM), Bidirectional Recurrent Neural Network (BiRNN) and CNN-LSTM layers deep learning architectures for the binary class and multi-class detection. An extensive study of the performance and efficiency of the proposed DGA Malicious Detector is conducted through rigorous experimentation and testing of two different datasets. The first dataset consists of public sources and the second dataset is from private sources. We perform a comprehensive measurement study of the DGA by analyzing more than three Million domain names. Our experiments show our DGA Malicious Detector is capable of effectively identifying domains generated by DGA families with high accuracy of 99.7% and 97.1% for the two datasets respectively. A comparative study of the deep learning approaches shows good benchmarking of our DGA Malicious Detector.
KW  - Domain generation algorithm (DGA)
KW  - Cybersecurity
KW  - Malware
KW  - Botnet
KW  - DNS
KW  - Deep learning
U2  - 10.1007/978-3-030-13057-2_7
DO  - 10.1007/978-3-030-13057-2_7
M3  - Chapter
SN  - 978-3-030-13056-5
T3  - Advanced Sciences and Technologies for Security Applications
SP  - 151
EP  - 173
BT  - Deep Learning Applications for Cyber Security
A2  - Alazab, Mamoun
A2  - Tang, MingJian
PB  - Springer
ER  -

Kumar A, Thodupunoori H, R VINAYAKUMAR, KP SOMAN, Poornachandran PRABAHARAN, Alazab M et al. Enhanced Domain Generating Algorithm Detection Based on Deep Neural Networks. In Alazab M, Tang M, editors, Deep Learning Applications for Cyber Security. Springer. 2019. p. 151-173. (Advanced Sciences and Technologies for Security Applications). https://doi.org/10.1007/978-3-030-13057-2_7