Analysis and Detection on Abused Wildcard Domain Names Based on DNS Logs

Author(s):  
Guangxi Yu ◽  
Yan Zhang ◽  
Huajun Cui ◽  
Xinghua Yang ◽  
Yang Li ◽  
...  
2021 ◽  
Vol 2 (2) ◽  
Author(s):  
Kate Highnam ◽  
Domenic Puzio ◽  
Song Luo ◽  
Nicholas R. Jennings

Abstract: Botnets and malware continue to avoid detection by static rule engines when using domain generation algorithms (DGAs) for callouts to unique, dynamically generated web addresses. Common DGA detection techniques fail to reliably detect DGA variants that combine random dictionary words to create domain names that closely mirror legitimate domains. To combat this, we created a novel hybrid neural network, Bilbo the “bagging” model, that analyses domains and scores the likelihood they are generated by such algorithms and therefore are potentially malicious. Bilbo is the first parallel usage of a convolutional neural network (CNN) and a long short-term memory (LSTM) network for DGA detection. Our unique architecture is found to be the most consistent in performance in terms of AUC, $F_1$ score, and accuracy when generalising across different dictionary DGA classification tasks compared to current state-of-the-art deep learning architectures. We validate using reverse-engineered dictionary DGA domains and detail our real-time implementation strategy for scoring real-world network logs within a large enterprise. In 4 h of actual network traffic, the model discovered at least five potential command-and-control networks that commercial vendor tools did not flag.


2018 ◽  
Vol 77 ◽  
pp. 138-161 ◽  
Author(s):  
Daiki Chiba ◽  
Mitsuaki Akiyama ◽  
Takeshi Yagi ◽  
Kunio Hato ◽  
Tatsuya Mori ◽  
...  

2014 ◽  
Vol 13 (3) ◽  
pp. 306-346 ◽  
Author(s):  
Simone Vezzani

ICANN’s decision to liberalize the market for Internet Generic Top-Level Domain Names has been giving rise to many concerns, related in particular to the registration of health-related strings, which may favour fraud and the dissemination of misleading health information. However, a very sophisticated mechanism has been put into place by ICANN, intended to prevent the registration of strings which face opposition from a significant portion of the community they purportedly aim to serve, or which are contrary to generally accepted principles related to morality and public order. Tailored after the model of commercial arbitration, ICANN rules of procedure are noteworthy in that they give standing to all interested Internet users and to an Independent Objector. Though underlining some of its procedural deficiencies, this article emphasizes the importance of the ICANN mechanism in the “constitutionalization” of the Internet. It also discusses the contribution of ICANN expert panels to international human rights discourse, as illustrated by the expert panel determinations walking the tightrope between freedom of expression and the right to health.


Author(s):  
Sarmad Hussain ◽  
Nadir Durrani