
D3N: DGA Detection with Deep-Learning Through NXDomain

  • Conference paper
Knowledge Science, Engineering and Management (KSEM 2019)

Part of the book series: Lecture Notes in Computer Science ((LNAI,volume 11775))


Abstract

Modern malware typically uses domain generation algorithms (DGAs) to evade blacklists. However, it still leaves a trace: it causes excessive non-existent domain (NXDomain) responses while trying to contact its command and control (C&C) servers. In this paper, we propose a novel system named D3N that detects DGA domains by analyzing NXDomains with deep learning methods. The experiments show that D3N yields 99.7% TPR and 1.9% FPR, outperforming FANCI in both accuracy and efficiency. Moreover, our real-world evaluation in a large-scale network demonstrates that D3N is robust across different networks.
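The abstract's key observation is that DGA-infected hosts leak a trace through bursts of NXDomain responses, and that the failed names themselves are what a deep-learning classifier consumes. The following added example (not code from the paper) shows the front end of such a pipeline: it filters NXDOMAIN records out of a constructed resolver log, counts failures per client, and encodes the failed names as fixed-length character-index sequences of the kind a character-level model takes as input. The log format, the per-client threshold and the vocabulary are assumptions; the paper does not describe its model's exact input encoding.

```python
import re
from collections import Counter

# Constructed sample resolver log (not real data). Assumed format:
# <unix_time> <client_ip> <queried_name> <rcode>
SAMPLE_LOG = """\
1560000001 10.0.0.5 www.example.com NOERROR
1560000002 10.0.0.7 kq3xv9lz2p.net NXDOMAIN
1560000003 10.0.0.7 bzt7rmw1qa.com NXDOMAIN
1560000004 10.0.0.7 xj9cvlmqp4.org NXDOMAIN
1560000005 10.0.0.5 mail.example.com NOERROR
1560000006 10.0.0.5 typo-exmaple.com NXDOMAIN
1560000007 10.0.0.7 wq2lzp8rtx.info NXDOMAIN
"""

LOG_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL)$")

# Character vocabulary for the model input; index 0 is reserved for padding
# and for any character outside the vocabulary (hypothetical choice).
VOCAB = {c: i + 1 for i, c in enumerate("abcdefghijklmnopqrstuvwxyz0123456789-.")}


def parse_nxdomains(log_text):
    """Return (client_ip, name) pairs for every NXDOMAIN response in the log."""
    pairs = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m and m.group(4) == "NXDOMAIN":
            pairs.append((m.group(2), m.group(3).lower().rstrip(".")))
    return pairs


def nxdomain_counts(pairs):
    """Count NXDOMAIN responses per client: the trace the abstract refers to."""
    return Counter(client for client, _ in pairs)


def encode_domain(name, max_len=40):
    """Map a domain to a fixed-length integer sequence for a character-level model.
    Names longer than max_len are truncated; shorter ones are right-padded with 0."""
    ids = [VOCAB.get(c, 0) for c in name[:max_len]]
    return ids + [0] * (max_len - len(ids))


def build_batch(pairs, min_nx=3, max_len=40):
    """Select NXDOMAIN names from clients with at least min_nx failures and encode them.
    A single typo (10.0.0.5 above) is dropped; the bursty client (10.0.0.7) is kept."""
    counts = nxdomain_counts(pairs)
    names = [n for client, n in pairs if counts[client] >= min_nx]
    return names, [encode_domain(n, max_len) for n in names]
```

The returned batch is the input a classifier such as the one described in the paper would score; the threshold only reduces the volume of benign one-off failures reaching the model.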



Acknowledgment

We thank Chenxi Li, Shize Zhang, Xinmu Wang and Shuai Wang for constructive comments on the experiments and valuable advice on data processing and parameter tuning. Additionally, we thank DGArchive and the Information Technology Center of Tsinghua University for authorizing the use of their data in our experiments. This work is supported by the National Key Research and Development Program of China under Grant No. 2017YFB0803004.

Author information

Corresponding author: Xiaoqing Sun.


Copyright information

© 2019 Springer Nature Switzerland AG


Cite this paper

Tong, M. et al. (2019). D3N: DGA Detection with Deep-Learning Through NXDomain. In: Douligeris, C., Karagiannis, D., Apostolou, D. (eds) Knowledge Science, Engineering and Management. KSEM 2019. Lecture Notes in Computer Science(), vol 11775. Springer, Cham. https://doi.org/10.1007/978-3-030-29551-6_41


  • DOI: https://doi.org/10.1007/978-3-030-29551-6_41


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-29550-9

  • Online ISBN: 978-3-030-29551-6
