Part of the book series: Lecture Notes in Computer Science (LNAI, volume 11775)
Abstract
Modern malware typically uses a domain generation algorithm (DGA) to avoid blacklists. However, it still leaves a trace by causing excessive non-existent domain (NXDomain) responses when trying to contact the command and control (C&C) servers. In this paper, we propose a novel system named D3N to detect DGA domains by analyzing NXDomains with deep learning methods. The experiments show that D3N yields 99.7% TPR and 1.9% FPR, outperforming FANCI in both accuracy and efficiency. In addition, our real-world evaluation in a large-scale network demonstrates that D3N is robust in different networks.
References
Alexa.com: Alexa Top 500 Global Sites (2019). https://www.alexa.com/topsites
Anderson, H.S., Woodbridge, J., Filar, B.: DeepDGA: adversarially-tuned domain generation and detection. In: Proceedings of the 2016 ACM Workshop on Artificial Intelligence and Security, pp. 13–21. ACM (2016)
Antonakakis, M., Perdisci, R., Dagon, D., Lee, W., Feamster, N.: Building a dynamic reputation system for DNS. In: USENIX Security Symposium, pp. 273–290 (2010)
Antonakakis, M., et al.: From throw-away traffic to bots: detecting the rise of DGA-based malware. In: Presented as Part of the 21st USENIX Security Symposium (USENIX Security 12), pp. 491–506 (2012)
Khalil, I., Yu, T., Guan, B.: Discovering malicious domains through passive DNS data graph analysis. In: Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, pp. 663–674. ACM (2016)
Lee, J., Lee, H.: GMAD: graph-based malware activity detection by DNS traffic analysis. Comput. Commun. 49, 33–47 (2014)
Lin Jin, H.S.: CDN list [Data set] (2019). https://doi.org/10.5281/zenodo.842988
Lison, P., Mavroeidis, V.: Automatic detection of malware-generated domains with recurrent neural models. arXiv preprint arXiv:1709.07102 (2017)
Netgate.com: Services DNS Configuring Dynamic DNS pfSense Documentation (2019). https://www.netgate.com/docs/pfsense/dns/dynamic-dns.html
Passivedns.cn: Sign In-passiveDNS (2019). http://netlab.360.com/
Plohmann, D., Yakdan, K., Klatt, M., Bader, J., Gerhards-Padilla, E.: A comprehensive measurement study of domain generating malware. In: 25th USENIX Security Symposium (USENIX Security 16), pp. 263–278 (2016)
Publicsuffix.org: Public suffix list. https://publicsuffix.org/. Accessed 7 Jun 2019
Schüppen, S., Teubert, D., Herrmann, P., Meyer, U.: FANCI: feature-based automated NXdomain classification and intelligence. In: 27th USENIX Security Symposium (USENIX Security 18), pp. 1165–1181 (2018)
Woodbridge, J., Anderson, H.S., Ahuja, A., Grant, D.: Predicting domain generation algorithms with long short-term memory networks. arXiv preprint arXiv:1611.00791 (2016)
Acknowledgment
We thank Chenxi Li, Shize Zhang, Xinmu Wang and Shuai Wang for constructive comments on experiments and valuable advice on data processing and parameter tuning. Additionally, we thank DGArchive and the Information Technology Center of Tsinghua University for authorizing the use of their data in our experiments. This work is supported by the National Key Research and Development Program of China under Grant No. 2017YFB0803004.
Author information
Authors and Affiliations
Institute for Network Sciences and Cyberspace, Tsinghua University, Beijing, China
Mingkai Tong, Xiaoqing Sun, Jiahai Yang, Hui Zhang & Shuang Zhu
National Computer Network Emergency Response Center, Beijing, China
Xinran Liu
China Electronics Cyberspace Great Wall Co., Ltd, Beijing, China
Heng Liu
Corresponding author
Correspondence to Xiaoqing Sun.
Editor information
Editors and Affiliations
University of Piraeus, Piraeus, Greece
Christos Douligeris
University of Vienna, Vienna, Austria
Dimitris Karagiannis
University of Piraeus, Piraeus, Greece
Dimitris Apostolou
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Tong, M. et al. (2019). D3N: DGA Detection with Deep-Learning Through NXDomain. In: Douligeris, C., Karagiannis, D., Apostolou, D. (eds) Knowledge Science, Engineering and Management. KSEM 2019. Lecture Notes in Computer Science, vol 11775. Springer, Cham. https://doi.org/10.1007/978-3-030-29551-6_41
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-29550-9
Online ISBN: 978-3-030-29551-6
eBook Packages: Computer Science, Computer Science (R0)