CISPA

Down to earth! Guidelines for DGA-based Malware Detection

preprint
posted on 2024-07-25, 12:40, authored by Bogdan Cebere, Jonathan Flueren, Silvia Sebastián, Daniel Plohmann, Christian Rossow
Successful malware campaigns rely on Command-and-Control (C2) infrastructure, enabling attackers to extract sensitive data and give instructions to bots. As a resilient mechanism to obtain C2 endpoints, attackers can employ Domain Generation Algorithms (DGAs), which automatically generate C2 domains instead of relying on static ones. Thus, researchers have proposed network-level detection approaches that reveal DGA usage by differentiating between non-DGA and generated domains. Recent approaches train machine learning (ML) models to recognize DGA domains using pattern recognition at the domain's character level. In this paper, we review network-level DGA detection from a meta-perspective. In particular, we survey 38 DGA detection papers in light of nine popular assumptions that are critical for the approaches to be practical. The assumptions range from foundational ones to assumptions about the experiments and the deployment of the detection systems. We then revisit whether these assumptions hold, showing that most DGA detection approaches operate on a fragile basis. To prevent these issues in the future, we describe the technical security concepts underlying each assumption and indicate best practices for obtaining more reliable results.

History

Primary Research Area

  • Threat Detection and Defenses

Secondary Research Area

  • Secure Connected and Mobile Systems

Name of Conference

International Symposium on Research in Attacks, Intrusions and Defenses (RAID)

BibTeX

@misc{Cebere:Flueren:Sebastian:Plohmann:Rossow:2024,
  title  = "Down to earth! Guidelines for DGA-based Malware Detection",
  author = "Cebere, Bogdan and Flueren, Jonathan and Sebasti{\'a}n, Silvia and Plohmann, Daniel and Rossow, Christian",
  year   = 2024,
  month  = 7
}
