posted on 2024-07-25, 12:40, authored by Bogdan Cebere, Jonathan Flueren, Silvia Sebastián, Daniel Plohmann, Christian Rossow
Successful malware campaigns rely on Command-and-Control (C2) infrastructure, which lets attackers exfiltrate sensitive data and issue instructions to bots. As a resilient mechanism for obtaining C2 endpoints, attackers can employ Domain Generation Algorithms (DGAs), which generate C2 domains automatically instead of relying on static ones. In response, researchers have proposed network-level detection approaches that reveal DGA usage by distinguishing generated domains from non-DGA domains. Recent approaches train machine learning (ML) models to recognize DGA domains through pattern recognition at the character level of the domain name. In this paper, we review network-level DGA detection from a meta-perspective. In particular, we survey 38 DGA detection papers in light of nine popular assumptions that are critical for the approaches to be practical. The assumptions range from foundational ones to assumptions about the experiments and the deployment of the detection systems. We then revisit whether these assumptions hold, showing that most DGA detection approaches operate on a fragile basis. To prevent these issues in the future, we describe the technical security concepts underlying each assumption and indicate best practices for obtaining more reliable results.
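The abstract describes detectors that classify a domain from character-level patterns in its name. The following is an added illustration written for this page; it is not code from the paper or its authors, and it does not reproduce any of the nine assumptions the paper surveys. It shows a constructed toy DGA (SHA-256 over a date-style seed and a counter, not the algorithm of any real malware family), a hand-set rule score over per-label character features (entropy, vowel ratio, digit ratio, length) that stands in for a trained model, and two constructed inputs on which such a score misfires: an algorithmically generated label of benign origin that is flagged, and a wordlist-style label of the kind concatenated by dictionary-based DGAs that is not. All domain names, thresholds and the generator are assumptions made for the example; the registrable-label extraction is deliberately naive and is itself a caveat.

```python
# Added example (not from the paper): character-level DGA scoring on
# constructed domains, and two ways a character-level detector misfires.
import hashlib
import math
from collections import Counter


def toy_dga(seed: str, count: int, label_len: int = 12, tld: str = ".com") -> list[str]:
    """Constructed toy DGA: each label is derived from SHA-256(seed, index).
    Seeding by a date string mirrors how many real DGAs work, but the
    generator itself is an assumption for this example, not a real family.
    (byte % 26 is slightly biased; irrelevant for a toy.)"""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}:{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:label_len])
        domains.append(label + tld)
    return domains


def second_level_label(domain: str) -> str:
    """Naive registrable-label extraction: the second-to-last dot-separated
    part. Production code needs the Public Suffix List (e.g. 'example.co.uk'
    would otherwise yield 'co'), and benign auto-generated hostnames usually
    sit in lower-level labels that this function never looks at."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(text: str) -> float:
    """Shannon entropy in bits over the character distribution of `text`."""
    n = len(text)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def char_features(label: str) -> dict:
    """The per-label character statistics many published detectors use."""
    n = len(label)
    if n == 0:
        return {"length": 0, "entropy": 0.0, "vowel_ratio": 0.0, "digit_ratio": 0.0}
    return {
        "length": n,
        "entropy": shannon_entropy(label),
        "vowel_ratio": sum(ch in "aeiou" for ch in label) / n,
        "digit_ratio": sum(ch.isdigit() for ch in label) / n,
    }


def dga_points(domain: str) -> int:
    """Hand-set rule score standing in for a trained classifier. Every
    threshold here is an illustrative assumption, not a trained value."""
    f = char_features(second_level_label(domain))
    points = 0
    points += int(f["entropy"] > 3.0)       # high entropy: random-looking letters
    points += int(f["vowel_ratio"] < 0.25)  # few vowels: unpronounceable
    points += int(f["digit_ratio"] > 0.2)   # many digits
    points += int(f["length"] >= 10)        # long label
    return points


def is_dga(domain: str, threshold: int = 2) -> bool:
    return dga_points(domain) >= threshold


if __name__ == "__main__":
    # Constructed sample domains; none are real observations.
    samples = {
        "google.com": "benign, dictionary-like",
        "xkqzvwpqjtrb.com": "DGA-shaped random label",
        "0123456789ab.net": "algorithmic label of benign origin (false positive)",
        "bluecat.net": "wordlist-DGA-style label (false negative)",
    }
    for d, note in samples.items():
        print(f"{d:20} points={dga_points(d)} flagged={is_dga(d)!s:5} {note}")
    generated = toy_dga("2024-07-25", 5)
    print("toy DGA:", generated, [is_dga(d) for d in generated])
```

The two misfires are the practitioner's point: a character-level score has no notion of who registered a name or why, so benign but machine-named hosts score like DGA output, while a DGA that concatenates dictionary words shares the statistics of legitimate names. Any evaluation that only mixes a DGA corpus with a top-sites list never sees either case.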
Primary Research Area
Threat Detection and Defenses
Secondary Research Area
Secure Connected and Mobile Systems
Name of Conference
International Symposium on Research in Attacks, Intrusions and Defenses (RAID)
BibTeX
@inproceedings{Cebere:Flueren:Sebastian:Plohmann:Rossow:2024,
  title     = "Down to earth! Guidelines for DGA-based Malware Detection",
  author    = "Cebere, Bogdan and Flueren, Jonathan and Sebastián, Silvia and Plohmann, Daniel and Rossow, Christian",
  booktitle = "International Symposium on Research in Attacks, Intrusions and Defenses (RAID)",
  year      = 2024,
  month     = jul
}