DGA-based malware detection using DNS traffic analysis

Authors
Lee, Jong Youn; Chang, Jun Young; Im, Eul Gyu
Issue Date
Sep-2019
Publisher
Association for Computing Machinery, Inc
Keywords
DGA; DNS; Domain generation algorithm; Domain name system; Malware analysis; Network security; Network traffic analysis; Software security
Citation
Proceedings of the 2019 Research in Adaptive and Convergent Systems, RACS 2019, pp.283 - 288
Indexed
SCOPUS
Journal Title
Proceedings of the 2019 Research in Adaptive and Convergent Systems, RACS 2019
Start Page
283
End Page
288
URI
https://scholarworks.bwise.kr/hanyang/handle/2021.sw.hanyang/147249
DOI
10.1145/3338840.3355672
Abstract
A large number of malicious programs communicate with C&C (Command and Control) servers to download resources for malicious actions or to receive commands for the attacks they are meant to perform. Malware needs to know the IP addresses of its C&C servers, and these addresses are usually obtained through DNS (Domain Name System) by resolving domain names rather than using hard-coded IP addresses, in order to evade analysis and detection. In this process, malware commonly uses a DGA (Domain Generation Algorithm) to hide the domain names of its C&C servers and to make blocking those servers or domain names difficult. Although DGA techniques have been studied extensively, most previous studies analyze the domain names generated by the DGA, focusing on the characteristics of the strings. However, this kind of analysis has difficulty detecting domain names generated by DGAs with creative generation criteria. In this paper, we detect DGA-based malware from the values of the flags included in the DNS communication process, departing from existing research that focuses on the domain name alone. © 2019 Copyright held by the owner/author(s).
Collections
Seoul College of Engineering > Seoul School of Computer Software > 1. Journal Articles
