• DocumentCode
    187446
  • Title

    Finding Domain-Generation Algorithms by Looking at Length Distribution

  • Author

    Mowbray, Miranda ; Hagen, Josiah

  • Author_Institution
    Security & Cloud Lab, HP, Bristol, UK
  • fYear
    2014
  • fDate
    3-6 Nov. 2014
  • Firstpage
    395
  • Lastpage
    400
  • Abstract
    In order to detect malware that uses domain fluxing to circumvent blacklisting, it is useful to be able to discover new domain-generation algorithms (DGAs) that are being used to generate algorithmically-generated domains (AGDs). This paper presents a procedure for discovering DGAs from Domain Name Service (DNS) query data. It works by identifying client IP addresses with an unusual distribution of second-level string lengths in the domain names that they query. Running this fairly simple procedure on 5 days' data from a large enterprise network uncovered 19 different DGAs, nine of which have not been identified as previously-known. Samples and statistical information about the DGA domains are given.
  • Keywords
    Internet; invasive software; query processing; statistical analysis; DGA; DNS query data; Domain Name Service query data; algorithmically-generated domains; client IP address; domain-generation algorithm; malware detection; second-level string length distribution; statistical information; time 5 day; Feature extraction; Frequency-domain analysis; IP networks; Indexes; Malware; Privacy; Servers; AGD; Big Data; DGA; Domain Name Service; Domain generation algorithm; botnet;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Software Reliability Engineering Workshops (ISSREW), 2014 IEEE International Symposium on
  • Conference_Location
    Naples
  • Type

    conf

  • DOI
    10.1109/ISSREW.2014.20
  • Filename
    6983873