Publication Details
Intercepting Hail Hydra: Real-Time Detection of Algorithmically Generated Domains
Malware, Domain Generation Algorithms, Botnets, DNS, Algorithmically Generated Domain
A crucial technical challenge for cybercriminals is to keep control over the
potentially millions of infected devices that make up their botnets without
compromising the robustness of their attacks. A single, fixed C&C server, for
example, can be trivially detected by binary or traffic analysis and
immediately sinkholed or taken down by security researchers or law enforcement.
Botnets therefore often use Domain Generation Algorithms (DGAs), primarily to
evade take-down attempts. DGAs can extend the lifespan of a malware campaign,
and thus its profitability, and they also make attribution of an attack harder.
In this work, we introduce HYDRAS, the most comprehensive and representative
dataset of Algorithmically-Generated Domains (AGDs) available to date. The
dataset contains more than 100 DGA families, including both real-world and
adversarially designed ones. We analyse the dataset and discuss the possibility
of differentiating, in real time, between benign requests (to legitimate
domains) and malicious ones (to AGDs). Studying so many families and variants
simultaneously introduces several challenges; nonetheless, it alleviates biases
found in previous literature, where small datasets are frequently overfitted by
exploiting characteristic features of particular families that do not generalise
well. We thoroughly compare our approach with the current state-of-the-art and
highlight some methodological shortcomings in the current state of practice.
Our results show that the proposed approach significantly outperforms the
current state-of-the-art in terms of both classification performance and
efficiency.
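The abstract's central caveat, that a detector tuned to the quirks of one DGA family does not generalise to others, is easy to reproduce on a small scale. The following is an added example written for this page; it is not code from the paper, and it does not use the HYDRAS dataset or any real malware family. It constructs two toy DGAs of assumed design (family A: 16 hex characters derived from a seed and the date; family B: 8 to 20 pseudo-random lowercase letters), computes a few lexical features per queried label, and compares a rule hand-tuned to family A against a family-agnostic rule. The feature thresholds, sample benign names and seeds are all assumptions for illustration.

```python
"""Added example (not from the paper or the HYDRAS dataset): two constructed toy
DGAs, per-label lexical features, and two detectors, one tuned to a single
family and one using generic features, to show why one-family rules do not
generalise. Family designs, thresholds and sample names are assumptions."""
import hashlib
import math
from collections import Counter
from datetime import date

VOWELS = set("aeiou")
ALPHA = "abcdefghijklmnopqrstuvwxyz"


def dga_hex(seed: str, day: date, n: int) -> list[str]:
    """Toy DGA family A (assumed design): seed, date and index hashed, 16 hex chars, .com."""
    labels = []
    for i in range(n):
        digest = hashlib.sha256(f"{seed}|{day.isoformat()}|{i}".encode()).hexdigest()
        labels.append(digest[:16] + ".com")
    return labels


def dga_letters(seed: str, day: date, n: int) -> list[str]:
    """Toy DGA family B (assumed design): 8-20 pseudo-random lowercase letters, .net."""
    labels = []
    for i in range(n):
        raw = hashlib.sha256(f"{seed}|{day.isoformat()}|{i}".encode()).digest()
        length = 8 + raw[0] % 13
        labels.append("".join(ALPHA[b % 26] for b in raw[1:1 + length]) + ".net")
    return labels


def sld(domain: str) -> str:
    """Second-level label of a 'name.tld' query (assumes a single-label public suffix)."""
    return domain.lower().rstrip(".").split(".")[-2]


def features(label: str) -> dict:
    """Cheap lexical features that can be computed per DNS query in real time."""
    counts = Counter(label)
    n = len(label)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    run = best = 0
    for ch in label:  # longest run of consonant letters (digits break a run)
        run = run + 1 if (ch.isalpha() and ch not in VOWELS) else 0
        best = max(best, run)
    return {
        "length": n,
        "entropy": round(entropy, 3),
        "digit_ratio": sum(ch.isdigit() for ch in label) / n,
        "vowel_ratio": sum(ch in VOWELS for ch in label) / n,
        "max_consonant_run": best,
    }


def naive_is_agd(domain: str) -> bool:
    """Rule that 'works' on family A only: a 16-character hex label (overfits one family)."""
    label = sld(domain)
    return len(label) == 16 and all(ch in "0123456789abcdef" for ch in label)


def generic_is_agd(domain: str) -> bool:
    """Family-agnostic lexical rule; the thresholds are assumptions, not the paper's."""
    f = features(sld(domain))
    if f["length"] < 8:
        return False
    return f["digit_ratio"] > 0.3 or f["vowel_ratio"] < 0.2 or f["max_consonant_run"] >= 4


def detection_rate(detector, domains: list[str]) -> float:
    return sum(detector(d) for d in domains) / len(domains)


# Constructed sample traffic: benign names plus one day's output of each toy family.
BENIGN = ["google.com", "wikipedia.org", "stackoverflow.com", "microsoft.com",
          "sciencedirect.com", "wordpress.com"]
DAY = date(2021, 9, 15)
FAMILY_A = dga_hex("toy-a", DAY, 20)
FAMILY_B = dga_letters("toy-b", DAY, 20)


def report() -> dict:
    """Detection rate per family and false-positive rate on benign names, per detector."""
    return {name: {"A": detection_rate(det, FAMILY_A),
                   "B": detection_rate(det, FAMILY_B),
                   "benign_fp": detection_rate(det, BENIGN)}
            for name, det in (("naive", naive_is_agd), ("generic", generic_is_agd))}


if __name__ == "__main__":
    for name, r in report().items():
        print(f"{name:8s} A={r['A']:.2f}  B={r['B']:.2f}  benign FP={r['benign_fp']:.2f}")
    for d in ("wordpress.com", FAMILY_B[0]):
        print(d, features(sld(d)))
```

The naive rule catches every family A name and none of family B, which is exactly the overfitting the abstract warns about. The generic rule catches both families but, being hand-tuned, also flags `wordpress.com` (a four-consonant run), and it would say nothing about a wordlist-based DGA whose labels look like ordinary English; both failure modes are why a large multi-family dataset, rather than a handful of families, is needed to evaluate a real detector.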
@article{BUT175771,
author="CASINO, F. and LYKOUSAS, N. and HOMOLIAK, I. and PATSAKIS, C. and HERNANDEZ-CASTRO, J.",
title="Intercepting Hail Hydra: Real-Time Detection of Algorithmically Generated Domains",
journal="JOURNAL OF NETWORK AND COMPUTER APPLICATIONS",
year="2021",
volume="2021",
number="190",
pages="1--17",
doi="10.1016/j.jnca.2021.103135",
issn="1084-8045",
url="https://www.sciencedirect.com/science/article/pii/S1084804521001545?dgcid=coauthor"
}