Abstract
To detect malware that uses domain fluxing to circumvent blacklisting, it is useful to be able to discover the new domain-generation algorithms (DGAs) being used to produce algorithmically-generated domains (AGDs). This paper presents a procedure for discovering DGAs from Domain Name Service (DNS) query data. It works by identifying client IP addresses with an unusual distribution of second-level string lengths in the domain names that they query. Running this fairly simple procedure on 5 days' data from a large enterprise network uncovered 19 different DGAs, nine of which could not be matched to any previously known DGA. Samples and statistical information about the DGA domains are given.
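The per-client check the abstract describes, as an added example that is not the paper's code: it builds the distribution of second-level label lengths for each client and flags clients whose distribution is far from their peers'. The query sample, the choice of total variation distance against an equal-weight leave-one-out baseline, the 0.6 threshold and the single-label public-suffix assumption are all mine, not the paper's.

```python
"""Flag DNS clients whose second-level label lengths look unlike their peers'."""
from collections import Counter, defaultdict

# Constructed sample of queried names per client IP (not data from the paper).
# 10.0.0.99 resolves eight random-looking 12-character labels, as a DGA might.
SAMPLE = {
    "10.0.0.11": ["example.com", "wikipedia.org", "github.com", "debian.org", "python.org", "mozilla.org"],
    "10.0.0.12": ["google.com", "youtube.com", "amazon.com", "netflix.com", "reddit.com", "twitter.com"],
    "10.0.0.13": ["apple.com", "office.com", "nytimes.com", "dropbox.com", "github.com", "spotify.com"],
    "10.0.0.14": ["akamai.net", "fastly.net", "netlify.com", "hubspot.com", "bitbucket.org", "cloudflare.com"],
    "10.0.0.15": ["yahoo.com", "ebay.com", "paypal.com", "shopify.com", "stripe.com", "zoom.us"],
    "10.0.0.99": ["qzxkvjwtrlmp.com", "hgbdnfyscaqe.net", "wrtpkmzxqvbn.com", "lkjhgfdsazxc.org",
                  "mnbvcxzlkjhg.com", "poiuytrewqas.net", "zaqwsxcderfv.com", "rfvtgbyhnujm.org"],
}

def second_level_length(name):
    """Length of the label left of the TLD, e.g. 'www.example.com.' -> 7.
    Assumes a single-label public suffix (co.uk etc. would need a suffix list);
    returns None for a bare TLD."""
    labels = name.rstrip(".").lower().split(".")
    return len(labels[-2]) if len(labels) >= 2 else None

def length_distribution(names):
    """Map second-level length -> fraction of this client's queries with that length."""
    counts = Counter(l for l in map(second_level_length, names) if l is not None)
    total = sum(counts.values())
    return {k: v / total for k, v in counts.items()} if total else {}

def total_variation(p, q):
    """Total variation distance between two discrete distributions (0 = same, 1 = disjoint)."""
    return 0.5 * sum(abs(p.get(k, 0.0) - q.get(k, 0.0)) for k in set(p) | set(q))

def score_clients(queries_by_client, min_queries=5):
    """Distance of each client's length distribution from the equal-weight mean of all
    other clients' distributions (leave-one-out, so the client cannot mask itself)."""
    dists = {c: length_distribution(n) for c, n in queries_by_client.items() if len(n) >= min_queries}
    scores = {}
    for client, p in dists.items():
        others = [q for c, q in dists.items() if c != client]
        if not others:
            continue
        baseline = defaultdict(float)
        for q in others:
            for k, v in q.items():
                baseline[k] += v / len(others)
        scores[client] = total_variation(p, baseline)
    return scores

def flag_unusual_clients(queries_by_client, threshold=0.6):
    """Client IPs whose length distribution is at least `threshold` away from their peers'."""
    return sorted(c for c, s in score_clients(queries_by_client).items() if s >= threshold)
```

With a real population of thousands of clients the baseline is far less sensitive to any one DGA host than in this six-client sample, so the threshold should be set from the observed score distribution rather than fixed in advance.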
| Field | Value |
|---|---|
| Original language | English |
| Title of host publication | Proceedings - IEEE 25th International Symposium on Software Reliability Engineering Workshops, ISSREW 2014 |
| Publisher | Institute of Electrical and Electronics Engineers (IEEE) |
| Pages | 395-400 |
| Number of pages | 6 |
| ISBN (Electronic) | 9781479973774 |
| DOIs | |
| Publication status | Published - 3 Nov 2014 |
| Event | 25th IEEE International Symposium on Software Reliability Engineering Workshops, ISSREW 2014 - Naples, Italy. Duration: 3 Nov 2014 → 6 Nov 2014 |
Conference
| Field | Value |
|---|---|
| Conference | 25th IEEE International Symposium on Software Reliability Engineering Workshops, ISSREW 2014 |
| Country/Territory | Italy |
| City | Naples |
| Period | 3/11/14 → 6/11/14 |
Keywords
- AGD
- Big data
- Botnet
- DGA
- Domain generation algorithm
- Domain name service