Computer Science ›› 2024, Vol. 51 ›› Issue (8): 371-378.doi: 10.11896/jsjkx.230700189

• Information Security •

Survey of Detection Techniques for Domain Generation Algorithm

WANG Xuxian1,2, HUANG Jinhua1,2, ZHAI You3, LI Chu’nan4, WANG Yu3, ZHANG Yupeng4, ZHANG Yipeng5, YANG Liqun4, LI Zhoujun3   

  1 Key Laboratory of Power Grid Automation, China Southern Power Grid, Guangzhou 510080, China
  2 Electric Power Research Institute, Guangdong Power Grid Co., Ltd., Guangzhou 510080, China
  3 School of Computer Science and Engineering, Beihang University, Beijing 100191, China
  4 School of Cyber Science and Technology, Beihang University, Beijing 100191, China
  5 School of Information Science and Technology, North China University of Technology, Beijing 100144, China
  • Received:2023-07-25 Revised:2024-05-18 Online:2024-08-15 Published:2024-08-13
  • About author: WANG Xuxian, born in 1994, master. His main research interests include electric power system automation and its network security technology.
    YANG Liqun, born in 1990, Ph.D, assistant professor. His main research interests include network security and industrial control system security.
  • Supported by:
    National Natural Science Foundation of China (U2333205, 62302025, 62276017), State Grid Co., Ltd. Technology R&D Project (5108-202303439A-3-2-ZN), Key Laboratory of Power Grid Automation of China Southern Power Grid Co., Ltd. (GDDKY2021KF03) and 2022 CCF-NSFOCUS Kun-Peng Scientific Research Fund (CCF-NSFOCUS202210).

Abstract: A command-and-control (C&C) server is the intermediary through which an attacker issues instructions to bots, and it plays a key role in a botnet. To make the C&C server harder to locate and block, attackers use domain generation algorithms (DGAs): instead of embedding a fixed IP address or domain in the bot, they have the bot compute a stream of pseudo-random domain names from a shared seed, only a few of which the attacker ever registers. In recent years, DGA detection, as an important means of detecting botnets, has become a research hotspot. This paper first introduces current trends in cyber security and the topological structure of botnets. Secondly, domain generation algorithms and the related datasets are introduced. Then, a classification of DGA detection techniques is presented and these techniques are summarized. Finally, the problems in current DGA detection technology are discussed and future research directions are outlined.
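The seed-and-date rendezvous mechanism sketched in the abstract, placed next to the kind of character-feature detector the survey classifies, as an added example. This is not code from the paper or from any real malware family: the hash-based scheme, the seed, the benign training vocabulary, the thresholds and every domain name below are constructed for the illustration.

```python
"""Toy date-seeded DGA beside a character-feature DGA detector.

Added illustration for this page; not code from the surveyed paper or from any
real malware family. The seed, the hash construction, the benign vocabulary,
the thresholds and every domain below are constructed for the example.
"""
import hashlib
import math
from collections import Counter
from datetime import date

ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def toy_dga(seed: str, day: date, count: int = 5, length: int = 12, tld: str = "com") -> list:
    """Derive `count` rendezvous domains from a secret seed and the calendar date.

    Bot and operator run the same function, so the operator only has to register
    one of today's domains; no C&C address is embedded in the bot and the set
    changes daily, which is what defeats static blocklists. (Hypothetical scheme:
    real families use LCGs, xorshift, word lists and similar generators.)
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}|{day.isoformat()}|{i}".encode()).digest()
        label = "".join(ALPHABET[b % 26] for b in digest[:length])
        domains.append(f"{label}.{tld}")
    return domains


# Constructed benign vocabulary used to learn which letter bigrams look normal.
# A real detector trains on millions of labels from a top-sites list.
BENIGN_TRAIN = [
    "google", "facebook", "amazon", "wikipedia", "twitter", "netflix",
    "github", "apple", "microsoft", "linkedin", "reddit", "instagram",
    "example", "university", "weather", "shopping", "news", "mail",
    "cloud", "search",
]


def bigrams(label: str) -> list:
    return [label[i:i + 2] for i in range(len(label) - 1)]


KNOWN_BIGRAMS = {bg for word in BENIGN_TRAIN for bg in bigrams(word)}


def first_label(domain: str) -> str:
    """Leftmost label, lowercased. A real system strips the public suffix instead."""
    return domain.lower().rstrip(".").split(".")[0]


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def features(domain: str) -> dict:
    """Character-level features of the kind used by feature-based DGA classifiers."""
    label = first_label(domain)
    bgs = bigrams(label)
    return {
        "length": len(label),
        "entropy": shannon_entropy(label),
        "vowel_ratio": sum(ch in "aeiou" for ch in label) / max(1, len(label)),
        "unseen_bigram_ratio": (sum(bg not in KNOWN_BIGRAMS for bg in bgs) / len(bgs)) if bgs else 0.0,
    }


def is_dga(domain: str, min_votes: int = 2) -> bool:
    """Flag when at least `min_votes` of three heuristics fire.

    Thresholds are hand-picked for this example; the ML detectors the survey
    covers learn the decision boundary from labelled data instead.
    """
    f = features(domain)
    votes = (f["entropy"] > 3.0) + (f["vowel_ratio"] < 0.25) + (f["unseen_bigram_ratio"] > 0.5)
    return votes >= min_votes


if __name__ == "__main__":
    day = date(2024, 8, 15)  # fixed date so the run is reproducible
    # "weathercloudmail.com" is a constructed word-list style name: character
    # features do not flag it, which is the known blind spot of this feature family.
    for d in toy_dga("example-seed", day) + ["youtube.com", "weathercloudmail.com"]:
        f = features(d)
        print(f"{d:28} entropy={f['entropy']:.2f} vowels={f['vowel_ratio']:.2f} "
              f"unseen={f['unseen_bigram_ratio']:.2f} dga={is_dga(d)}")
```

Running the script prints the day's five generated domains with their feature values; rerunning it with a different date yields a different set, which is exactly why a blocklist of yesterday's names does not help. The constructed dictionary-style name in the demo shows the caveat a practitioner should keep in mind: character statistics alone miss word-based DGAs, and a deployed detector needs side information (NXDOMAIN volume, query timing, group behaviour) as well.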

Key words: Botnet, Command and Control server, Domain generation algorithm, Domain generation algorithm detection, Cybersecurity threat

CLC Number: TP309