UDK 004.056.57 DOI: 10.31772/2712-8970-2021-22-3-414-424
Detection of information system objects interaction with DGA domains
Zhukov V. G., Pigalev Y. V.
Reshetnev Siberian State University of Science and Technology; 31, Krasnoyarsky rabochy Ave., Krasnoyarsk, 660037, Russian Federation
Currently, malware developers are actively using a domain name generation technique called DGA to establish communication between malware and its command centers. Generating domain names according to a given algorithm allows malicious software to bypass the blacklists of information protection tools, thus making blacklists ineffective, and to establish a communication channel for receiving control commands and parameters, as well as for transferring information from the information system to external resources controlled by attackers. Thus, it is necessary to develop new approaches to the detection of DGA-generated domain names using the DNS traffic of an information system. During the research, the authors developed a solution for detecting the interaction of information objects with DGA domains based on the use of machine learning. The detection of this interaction occurs in two stages. In the first stage, a classification task is solved for each DNS name from the overall DNS stream of the information system. In the second stage, for each DNS name classified as DGA, the corresponding DNS query is enriched using data from external sources and a final decision about the malicious nature of the query to resolve this DNS name is made, followed by a notification of a security administrator via e-mail. The paper describes the process of developing a classifier based on machine learning, defines the input data of the DNS name necessary for classification, and presents the results of classifier training on a representative set of test data. The logic of making a decision about the malicious nature of DNS queries is substantiated. The developed solution was tested using an experimental stand. Some recommendations for supporting correct classifier operation are proposed.
The application of the developed solution will make possible a posteriori detection of the information interaction of malicious software running on compromised information objects with the servers of attackers' command and control centers.
Keywords: information security, DNS, Domain Generation Algorithm
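The two-stage scheme the abstract describes (per-name classification, then enrichment of the positives and a final verdict), as an added Python example that is not the authors' code: the lexical features, thresholds, decision rules and the allowlist/feed contents are all assumptions standing in for the paper's trained classifier and its external data sources.

```python
import math

# Constructed sample of a DNS query stream: (queried name, DNS response code). Not real traffic.
SAMPLE_QUERIES = [("www.example.com", "NOERROR"), ("mail.google.com", "NOERROR"),
                  ("xk3fj9q2vlp0zr7w.net", "NXDOMAIN"), ("qzplmvtrxwkjhgfd.biz", "NXDOMAIN"),
                  ("cdn7.cloudfront.net", "NOERROR")]
# Constructed stand-ins for the external enrichment sources: a popularity allowlist and a DGA feed.
TOP_SITES = {"example.com", "google.com", "cloudfront.net"}
DGA_FEED = {"qzplmvtrxwkjhgfd.biz"}

def registered_domain(name: str) -> str:
    """Last two labels taken as the registered domain (assumption: no public-suffix list handling)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def shannon_entropy(s: str) -> float:
    """Entropy of the character distribution, in bits per character."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s)) if s else 0.0

def stage1_is_dga(name: str) -> bool:
    """Stage 1: per-name classification on assumed lexical features of the second-level label.
    Fixed thresholds stand in for the trained ML classifier; the paper's feature set is not given here."""
    label = registered_domain(name).split(".")[0]
    n = max(len(label), 1)
    votes = [
        len(label) >= 12,                                  # long label
        shannon_entropy(label) >= 3.3,                     # high character entropy
        sum(ch in "aeiou" for ch in label) / n < 0.25,     # few vowels
        sum(ch.isdigit() for ch in label) / n > 0.2,       # many digits
    ]
    return sum(votes) >= 2

def stage2_verdict(name: str, rcode: str) -> str:
    """Stage 2: enrich a stage-1 positive with external data and decide (assumed decision rules)."""
    rd = registered_domain(name)
    if rd in DGA_FEED:
        return "malicious"    # confirmed by the threat feed
    if rd in TOP_SITES:
        return "benign"       # popular domain, treated as a classifier false positive
    if rcode == "NXDOMAIN":
        return "suspicious"   # random-looking name that does not resolve
    return "unknown"

def detect(queries):
    """Run both stages over the stream; return (name, verdict) pairs that warrant notifying an administrator."""
    alerts = []
    for name, rcode in queries:
        verdict = stage2_verdict(name, rcode) if stage1_is_dga(name) else "benign"
        if verdict in ("malicious", "suspicious"):
            alerts.append((name, verdict))
    return alerts
```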
Zhukov Vadim Gennadevich – Cand. Sc., Associate Professor at the Department of Information Technology Security, Reshetnev Siberian State University of Science and Technology. E-mail: zhukov.sibsau@gmail.com.

Pigalev Yan Vyacheslavovich – Master’s Degree Student; Reshetnev Siberian State University of Science and Technology. E-mail: pigalevyan1998@mail.ru.