Publication Details

Intercepting Hail Hydra: Real-Time Detection of Algorithmically Generated Domains

CASINO, F.; LYKOUSAS, N.; HOMOLIAK, I.; PATSAKIS, C.; HERNANDEZ-CASTRO, J. Intercepting Hail Hydra: Real-Time Detection of Algorithmically Generated Domains. JOURNAL OF NETWORK AND COMPUTER APPLICATIONS, 2021, vol. 2021, no. 190, p. 1-17. ISSN: 1084-8045.
Czech title
Real-Time Detekce algoritmicky generovaných doménových jmen
Type
journal article
Language
English
Authors
CASINO, F.
LYKOUSAS, N.
Homoliak Ivan, doc. Ing., Ph.D. (DITS)
PATSAKIS, C.
HERNANDEZ-CASTRO, J.
URL
Keywords

Malware,  Domain Generation Algorithms,  Botnets, DNS, Algorithmically Generated Domain

Abstract

A crucial technical challenge for cybercriminals is to keep control over the potentially millions of infected devices that build up their botnets, without compromising the robustness of their attacks. A single, fixed C&C server, for example, can be trivially detected either by binary or traffic analysis and immediately sink-holed or taken-down by security researchers or law enforcement. Botnets often use Domain Generation Algorithms (DGAs), primarily to evade take-down attempts. DGAs can enlarge the lifespan of a malware campaign, thus potentially enhancing its profitability. They can also contribute to hindering attack accountability. In this work, we introduce HYDRAS, the most comprehensive and representative dataset of Algorithmically-Generated Domains (AGD) available to date. The dataset contains more than 100 DGA families, including both real-world and adversarially designed ones. We analyse the dataset and discuss the possibility of differentiating between benign requests (to real domains) and malicious ones (to AGDs) in real-time. The simultaneous study of so many families and variants introduces several challenges; nonetheless, it alleviates biases found in previous literature employing small datasets which are frequently overfitted, exploiting characteristic features of particular families that do not generalise well. We thoroughly compare our approach with the current state-of-the-art and highlight some methodological shortcomings in the actual state of practice. The outcomes obtained show that our proposed approach significantly outperforms the current state-of-the-art in terms of both classification performance and efficiency.

Published
2021
Pages
1–17
Journal
JOURNAL OF NETWORK AND COMPUTER APPLICATIONS, vol. 2021, no. 190, ISSN 1084-8045
DOI
UT WoS
000685542600005
BibTeX
@article{BUT175771,
  author="CASINO, F. and LYKOUSAS, N. and HOMOLIAK, I. and PATSAKIS, C. and HERNANDEZ-CASTRO, J.",
  title="Intercepting Hail Hydra: Real-Time Detection of Algorithmically Generated Domains",
  journal="JOURNAL OF NETWORK AND COMPUTER APPLICATIONS",
  year="2021",
  volume="2021",
  number="190",
  pages="1--17",
  doi="10.1016/j.jnca.2021.103135",
  issn="1084-8045",
  url="https://www.sciencedirect.com/science/article/pii/S1084804521001545?dgcid=coauthor"
}
Back to top