Title :
Finding Domain-Generation Algorithms by Looking at Length Distribution
Author :
Mowbray, Miranda ; Hagen, Josiah
Author_Institution :
Security & Cloud Lab, HP, Bristol, UK
Abstract :
In order to detect malware that uses domain fluxing to circumvent blacklisting, it is useful to be able to discover new domain-generation algorithms (DGAs) that are being used to generate algorithmically-generated domains (AGDs). This paper presents a procedure for discovering DGAs from Domain Name Service (DNS) query data. It works by identifying client IP addresses with an unusual distribution of second-level string lengths in the domain names that they query. Running this fairly simple procedure on 5 days' data from a large enterprise network uncovered 19 different DGAs, nine of which have not been identified as previously-known. Samples and statistical information about the DGA domains are given.
Keywords :
Internet; invasive software; query processing; statistical analysis; DGA; DNS query data; Domain Name Service query data; algorithmically-generated domains; client IP address; domain-generation algorithm; malware detection; second-level string length distribution; statistical information; time 5 day; Feature extraction; Frequency-domain analysis; IP networks; Indexes; Malware; Privacy; Servers; AGD; Big Data; DGA; Domain Name Service; Domain generation algorithm; botnet;
Conference_Title :
Software Reliability Engineering Workshops (ISSREW), 2014 IEEE International Symposium on
Conference_Location :
Naples
DOI :
10.1109/ISSREW.2014.20