Finding domain-generation algorithms by looking at length distribution

Miranda Mowbray, Josiah Hagen

Research output: Chapter in Book/Report/Conference proceeding, Conference Contribution (Conference Proceeding)

53 Citations (Scopus)

Abstract

In order to detect malware that uses domain fluxing to circumvent blacklisting, it is useful to be able to discover new domain-generation algorithms (DGAs) that are being used to generate algorithmically-generated domains (AGDs). This paper presents a procedure for discovering DGAs from Domain Name Service (DNS) query data. It works by identifying client IP addresses with an unusual distribution of second-level string lengths in the domain names that they query. Running this fairly simple procedure on 5 days' data from a large enterprise network uncovered 19 different DGAs, nine of which were not previously known. Samples and statistical information about the DGA domains are given.
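The per-client length-distribution check the abstract describes, as an added, constructed example (not the authors' code): each client's histogram of second-level label lengths is compared with the histogram of all other clients, and clients whose distribution is far from the rest are flagged for review. The distance statistic (total variation), the threshold, the sample queries and the `10.0.0.x` client addresses are assumptions; the page does not state which test the paper uses.

```python
"""Flag DNS clients whose second-level label lengths are distributed unusually.
Added, constructed example, not the paper's code; the total variation distance
against a leave-one-out population baseline is an assumption, not the paper's statistic."""
from collections import Counter, defaultdict

# Constructed sample of (client IP, queried name): three clients query ordinary names,
# 10.0.0.99 queries made-up names whose second-level label is always 16 characters.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.google.com"), ("10.0.0.5", "mail.example.org"), ("10.0.0.5", "en.wikipedia.org"),
    ("10.0.0.5", "github.com"), ("10.0.0.5", "cdn.microsoft.com"), ("10.0.0.5", "www.apple.com"),
    ("10.0.0.6", "api.github.com"), ("10.0.0.6", "www.amazon.com"), ("10.0.0.6", "static.wikipedia.org"),
    ("10.0.0.6", "login.microsoft.com"), ("10.0.0.6", "www.example.net"), ("10.0.0.6", "news.ycombinator.com"),
    ("10.0.0.7", "mail.google.com"), ("10.0.0.7", "www.reddit.com"), ("10.0.0.7", "docs.python.org"),
    ("10.0.0.7", "www.example.com"), ("10.0.0.7", "assets.wikipedia.org"), ("10.0.0.7", "www.apple.com"),
    ("10.0.0.99", "qzjxkvbwmpfhgdtr.net"), ("10.0.0.99", "hv7tkqzm2xpwjlrc.com"), ("10.0.0.99", "bnxwqtrlzpkvmjhd.info"),
    ("10.0.0.99", "rkzlwtqvbnjxpmhc.net"), ("10.0.0.99", "tpwqzkxjvmrhlbnc.com"), ("10.0.0.99", "mkjzwqtvrnxlphcb.biz"),
]

def second_level_label(name):
    """Label left of the TLD (simplification: no public-suffix list, so 'bbc.co.uk' gives 'co')."""
    labels = name.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def length_histograms(queries):
    """Per-client Counter of second-level label lengths."""
    hist = defaultdict(Counter)
    for client, name in queries:
        hist[client][len(second_level_label(name))] += 1
    return hist

def total_variation(p, q):
    """0.5 * sum |P(l) - Q(l)| over lengths: 0 means identical, 1 means disjoint support."""
    n_p, n_q = sum(p.values()), sum(q.values())
    return 0.5 * sum(abs(p[l] / n_p - q[l] / n_q) for l in set(p) | set(q))

def client_distances(queries, min_queries=5):
    """Distance of each client's length distribution from that of all other clients."""
    hist = length_histograms(queries)
    population = sum(hist.values(), Counter())
    out = {}
    for client, own in hist.items():
        others = population - own  # Counter subtraction keeps only positive counts
        if sum(own.values()) >= min_queries and others:  # skip clients with too little data
            out[client] = total_variation(own, others)
    return out

def flag_unusual_clients(queries, threshold=0.7):
    """Clients whose length distribution is far from everyone else's; candidates for DGA review."""
    return sorted(c for c, d in client_distances(queries).items() if d > threshold)
```

On a real enterprise network the baseline is dominated by benign clients, so a single anomalous host barely moves it; in this tiny sample the flagged client still ends up at distance 1.0 while the ordinary clients stay below 0.5.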

Original language: English
Title of host publication: Proceedings - IEEE 25th International Symposium on Software Reliability Engineering Workshops, ISSREW 2014
Publisher: Institute of Electrical and Electronics Engineers (IEEE)
Pages: 395-400
Number of pages: 6
ISBN (Electronic): 9781479973774
DOIs
Publication status: Published - 3 Nov 2014
Event: 25th IEEE International Symposium on Software Reliability Engineering Workshops, ISSREW 2014 - Naples, Italy
Duration: 3 Nov 2014 to 6 Nov 2014

Conference

Conference: 25th IEEE International Symposium on Software Reliability Engineering Workshops, ISSREW 2014
Country/Territory: Italy
City: Naples
Period: 3/11/14 to 6/11/14

Keywords

  • AGD
  • Big data
  • Botnet
  • DGA
  • Domain generation algorithm
  • Domain name service
