Computer Science ›› 2024, Vol. 51 ›› Issue (8): 371-378. doi: 10.11896/jsjkx.230700189

• Information Security •

Survey of Detection Techniques for Domain Generation Algorithm

WANG Xuxian1,2, HUANG Jinhua1,2, ZHAI You3, LI Chu'nan4, WANG Yu3, ZHANG Yupeng4, ZHANG Yipeng5, YANG Liqun4, LI Zhoujun3

  1 Key Laboratory of Power Grid Automation, China Southern Power Grid, Guangzhou 510080
  2 Electric Power Research Institute, Guangdong Power Grid Co., Ltd., Guangzhou 510080
  3 School of Computer Science and Engineering, Beihang University, Beijing 100191
  4 School of Cyber Science and Technology, Beihang University, Beijing 100191
  5 School of Information Science and Technology, North China University of Technology, Beijing 100144
  • Received: 2023-07-25 Revised: 2024-05-18 Online: 2024-08-15 Published: 2024-08-13
  • Corresponding author: YANG Liqun (lqyang@buaa.edu.cn)
  • About author: (13538889048@163.com)
  • Supported by:
    National Natural Science Foundation of China (U2333205, 62302025, 62276017); State Grid Co., Ltd. Headquarters Science and Technology Project (5108-202303439A-3-2-ZN); China Southern Power Grid Science and Technology Project (GDDKY2021KF03); 2022 NSFOCUS "Kunpeng" Research Fund (CCF-NSFOCUS202210)

Survey of Detection Techniques for Domain Generation Algorithm

WANG Xuxian1,2, HUANG Jinhua1,2, ZHAI You3, LI Chu’nan4, WANG Yu3, ZHANG Yupeng4, ZHANG Yipeng5, YANG Liqun4, LI Zhoujun3   

  1 Key Laboratory of Power Grid Automation Laboratory, China Southern Power Grid, Guangzhou 510080, China
  2 Electric Power Research Institute, Guangdong Power Grid Co., Ltd., Guangzhou 510080, China
  3 School of Computer Science and Engineering, Beihang University, Beijing 100191, China
  4 School of Cyber Science and Technology, Beihang University, Beijing 100191, China
  5 School of Information Science and Technology, North China University of Technology, Beijing 100144, China
  • Received: 2023-07-25 Revised: 2024-05-18 Online: 2024-08-15 Published: 2024-08-13
  • About author: WANG Xuxian, born in 1994, master. His main research interests include electric power system automation and its network security technology.
    YANG Liqun, born in 1990, Ph.D, assistant professor. His main research interests include network security and industrial control system security.
  • Supported by:
    National Natural Science Foundation of China (U2333205, 62302025, 62276017), State Grid Co., Ltd. Technology R & D Project (5108-202303439A-3-2-ZN), Key Laboratory of Power Grid Automation of China Southern Power Grid Co., Ltd. (GDDKY2021KF03) and 2022 CCF-NSFOCUS Kun-Peng Scientific Research Fund (CCF-NSFOCUS202210).

Abstract: The C&C server is the intermediate server that network attackers use to control bot hosts, and it occupies the core position in a botnet. To make the C&C server harder to find, attackers use domain generation algorithms to hide its address. In recent years, domain generation algorithm detection, as an important means of detecting botnets, has become a research hotspot. This paper first introduces the current state of cyber security and the topology of botnets. It then introduces domain generation algorithms and the related datasets. Next, it introduces a classification of domain generation algorithm detection techniques and surveys them. Finally, it discusses the problems of current domain generation algorithm detection techniques and looks ahead to future research directions.

Keywords: Botnet, C&C server, Domain generation algorithm, Domain generation algorithm detection, Cyber security threat

Abstract: The C&C server is an intermediate server used by cyber attackers to control bots, and it plays a key role in a botnet. To enhance the concealment of the C&C server, cyber attackers use domain generation algorithms to hide the IP address of the C&C server. In recent years, domain generation algorithm detection technology, as an important means of detecting botnets, has become a research hotspot. This paper first introduces the current development trend of cyber security and the topological structure of botnets. Secondly, the domain generation algorithm and the related datasets are introduced. Then, the classification of domain generation algorithm detection techniques is introduced, and these detection techniques are summarized. Finally, the problems existing in domain generation algorithm detection technology at the present stage are discussed, and future research directions are outlined.

Key words: Botnet, Command and Control server, Domain generation algorithm, Domain generation algorithm detection, Cybersecurity threat
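Character-level lexical features of the queried name (entropy, vowel ratio, digit ratio, consonant runs) are a common starting point for the detection techniques the abstract refers to. The following scorer is an added example written for this page, not code from the paper or its authors: it computes those features over a constructed list of sample domains and flags the ones that look algorithmically generated. The sample domains, the rule thresholds and the assumption of a single-label public suffix are all mine.

```python
import math
from collections import Counter

# Constructed sample input (made up for this example, not taken from the paper
# or from any malware family): four ordinary registrable names and four names
# with the random-string look of algorithmically generated domains.
SAMPLE_DOMAINS = [
    "google.com", "wikipedia.org", "microsoft.com", "stackoverflow.com",
    "xk3jf9q2mzpl.net", "qwpzvbnmkjhg.com", "a7f2k9d0s3l1.org", "ztrkqvbxmwpn.info",
]

VOWELS = set("aeiou")


def second_level_label(domain: str) -> str:
    """Return the label left of the top-level domain (the part a DGA randomises).

    Assumption: single-label public suffixes such as .com or .net; a real
    detector should use the Public Suffix List so that co.uk is handled."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s: str) -> float:
    """Character entropy in bits; random strings score near log2(len(s))."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def longest_consonant_run(label: str) -> int:
    """Length of the longest run of consecutive consonants; pronounceable
    names rarely exceed three or four."""
    best = run = 0
    for ch in label:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def lexical_features(domain: str) -> dict:
    """The character-level features a lexical DGA classifier typically consumes."""
    label = second_level_label(domain)
    letters = [ch for ch in label if ch.isalpha()]
    return {
        "length": len(label),
        "entropy": shannon_entropy(label),
        "vowel_ratio": sum(ch in VOWELS for ch in letters) / len(letters) if letters else 0.0,
        "digit_ratio": sum(ch.isdigit() for ch in label) / len(label) if label else 0.0,
        "max_consonant_run": longest_consonant_run(label),
    }


# Thresholds are illustrative choices for this example, not values from the paper.
def dga_score(domain: str) -> int:
    """Count how many lexical rules the name trips (0 to 4)."""
    f = lexical_features(domain)
    return sum([
        f["entropy"] >= 3.2,            # near-uniform character distribution
        f["vowel_ratio"] < 0.25,        # too few vowels to be pronounceable
        f["digit_ratio"] > 0.2,         # digits sprinkled through the label
        f["max_consonant_run"] >= 5,    # long unpronounceable consonant clusters
    ])


def is_suspicious(domain: str, threshold: int = 2) -> bool:
    """Flag a name when at least `threshold` rules fire; requiring two rules
    keeps a long but pronounceable name like stackoverflow.com out of the alerts."""
    return dga_score(domain) >= threshold


def flag_domains(domains) -> list:
    """Return the subset of `domains` that an analyst should look at."""
    return [d for d in domains if is_suspicious(d)]


if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        print(f"{d:22s} score={dga_score(d)} suspicious={is_suspicious(d)}")
```

Running it shows why a single feature is not enough: stackoverflow.com trips the entropy rule on its own (a long benign label has a near-uniform character distribution), but none of the others, so the two-rule threshold leaves it alone, while the four random-looking labels trip three rules each. Dictionary-based DGAs that concatenate real words defeat every one of these rules, which is one reason surveyed approaches move from hand-written lexical rules to learned models and to traffic-side signals such as NXDOMAIN rates.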

CLC number: TP309