MaldomDetector: A System for Detecting Algorithmically Generated Domain Names with Machine Learning

Ahmad Almashhadani*, Mustafa Kaiiali, Domhnall Carlin, Sakir Sezer

*Corresponding author for this work

Research output: Contribution to journalArticlepeer-review

45 Citations (Scopus)
420 Downloads (Pure)

Abstract

One of the leading problems in cyber security at present is the unceasing emergence of sophisticated attacks, such as botnets and ransomware, that rely heavily on Command and Control (C&C) channels to conduct their malicious activities remotely. To avoid channel detection, attackers constantly try to create different covert communication techniques. One such technique is Domain Generation Algorithm (DGA), which allows malware to generate numerous domain names until it finds its corresponding C&C server. It is highly resilient to detection systems and reverse engineering, while allowing the C&C server to have several redundant domain names. This paper presents a malicious domain name detection system, MaldomDetector, which is based on machine learning. It is capable of detecting DGA-based communications and circumventing the attack before it makes any successful connection with the C&C server, using only domain name's characters. MaldomDetector uses a set of easy-to-compute and language-independent features in addition to a deterministic algorithm to detect malicious domains. The experimental results demonstrate that MaldomDetector can operate efficiently as a first alarm to detect DGA-based domains of malware families while maintaining high detection accuracy.
Original languageEnglish
JournalComputers & Security
Early online date12 Mar 2020
DOIs
Publication statusEarly online date - 12 Mar 2020

Fingerprint

Dive into the research topics of 'MaldomDetector: A System for Detecting Algorithmically Generated Domain Names with Machine Learning'. Together they form a unique fingerprint.

Cite this