Title: Entropy and likelihood-based detection of DGA generated domain names and their families

Authors: Ashutosh Bhatia; Deepak Kumar Vishvakarma; Rekha Kaushik; Ankit Agrawal

Addresses: Department of Computer Science, BITS, Pilani, Rajasthan, India; Center for Artificial Intelligence and Robotics (CAIR), DRDO, Bangalore, Karnataka, India; Department of Electronics and Communication Engineering, Maulana Azad National Institute of Technology, Bhopal, Madhya Pradesh, India; Department of Computer Science, BITS, Pilani, Rajasthan, India

Abstract: A botnet is a network of hosts (bots) infected by a common malware and controlled by command and control (C&C) servers. Once the malware is found on an infected host, it is easy to extract the domain name of its C&C server and block it. To counter such detection, many malware families use probabilistic algorithms, known as domain generation algorithms (DGAs), to generate domain names for their C&C servers. In this paper, we propose a probabilistic approach to identify domain names that are likely to have been generated by malware using DGAs. The proposed solution is based on the hypothesis that the entropy of human-generated domain names should be lower than the entropy of DGA-generated domain names. Results show that the percentage of false negatives in the detection of DGA-generated domain names using the proposed method is less than 29% across the 39 DGA families considered in our experiments.
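The abstract states the entropy hypothesis and the title names a likelihood component, but the page does not show how either score is computed. The following is an added example by the editor, not the authors' code or their exact method: it computes per-character Shannon entropy of the registered label and, alongside it, an add-one smoothed character-bigram log-likelihood fitted on a small constructed list of well-known benign labels. The benign corpus, the single-label-TLD assumption in `registered_label`, the thresholds (3.0 bits, -5.0 bits/bigram) and the OR decision rule in `is_dga` are all assumptions of this example, chosen only to make the two signals' behaviour visible.

```python
"""Entropy and bigram log-likelihood scoring of domain labels (added example)."""
import math
from collections import Counter, defaultdict

# 37-symbol LDH hostname alphabet (letters, digits, hyphen), lowercase only.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-"

# Constructed benign corpus (assumption of this example): a hand-picked list of
# popular second-level labels used only to fit the bigram model. A real
# deployment would fit on the resolver's own allow-listed traffic instead.
BENIGN = [
    "google", "facebook", "youtube", "wikipedia", "amazon", "twitter",
    "instagram", "linkedin", "microsoft", "apple", "netflix", "reddit",
    "github", "stackoverflow", "example", "yahoo", "whatsapp", "office",
    "live", "zoom", "mozilla", "cloudflare", "dropbox", "paypal", "adobe",
    "wordpress", "spotify", "ebay", "bbc", "mail",
]


def registered_label(domain: str) -> str:
    """Label left of the public suffix. Assumes a single-label TLD (no Public
    Suffix List lookup); that simplification is an assumption of this example."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(label: str) -> float:
    """Per-character Shannon entropy in bits; bounded above by log2(len(label)),
    so short labels can never look 'random' by this measure alone."""
    if not label:
        return 0.0
    n = len(label)
    return -sum((c / n) * math.log2(c / n) for c in Counter(label).values())


class BigramModel:
    """First-order character model P(next | prev) with add-one smoothing."""

    def __init__(self, corpus):
        self.counts = defaultdict(Counter)
        for word in corpus:
            w = [ch for ch in word.lower() if ch in ALPHABET]
            for prev, nxt in zip(w, w[1:]):
                self.counts[prev][nxt] += 1

    def mean_log2_prob(self, label: str) -> float:
        """Average log2 P(bigram) across the label. A bigram never seen in the
        corpus costs at most log2(1/37) ~ -5.21 bits, seen ones cost less."""
        w = [ch for ch in label if ch in ALPHABET]
        if len(w) < 2:
            return 0.0  # nothing to score; treated as uninformative
        total = 0.0
        for prev, nxt in zip(w, w[1:]):
            row = self.counts[prev]
            total += math.log2((row[nxt] + 1) / (sum(row.values()) + len(ALPHABET)))
        return total / (len(w) - 1)


MODEL = BigramModel(BENIGN)


def signals(domain: str, entropy_threshold: float = 3.0, loglik_threshold: float = -5.0) -> dict:
    """Both scores plus the per-signal verdicts. Thresholds are hypothetical."""
    label = registered_label(domain)
    h = shannon_entropy(label)
    ll = MODEL.mean_log2_prob(label)
    return {
        "label": label,
        "entropy": h,
        "loglik": ll,
        "entropy_flag": h > entropy_threshold,
        "loglik_flag": ll < loglik_threshold,
    }


def is_dga(domain: str) -> bool:
    """Hypothetical decision rule: flag if either signal fires."""
    s = signals(domain)
    return s["entropy_flag"] or s["loglik_flag"]


if __name__ == "__main__":
    # Constructed sample: two benign names and two random-looking labels.
    for d in ["google.com", "stackoverflow.com", "xkqjzvwpmt.com", "qzxkvj.net"]:
        s = signals(d)
        print(f"{d:20s} H={s['entropy']:.2f} LL={s['loglik']:.2f} "
              f"entropy_flag={s['entropy_flag']} loglik_flag={s['loglik_flag']}")
```

Running the sample shows why entropy is paired with a likelihood model rather than used alone: the six-character label `qzxkvj` cannot exceed log2(6) = 2.58 bits and slips under the entropy threshold but is caught by the bigram score, while the thirteen-character benign label `stackoverflow` exceeds 3.5 bits and trips the entropy flag even though its bigrams are all ordinary. Dictionary-based DGA families, which concatenate real words, are the other well-known blind spot of an entropy test.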

Keywords: domain name system; domain generation algorithms; botnets; command and control servers; C&C server.

DOI: 10.1504/IJSN.2022.125512

International Journal of Security and Networks, 2022 Vol.17 No.3, pp.147 - 192

Received: 21 Jul 2021
Accepted: 21 Jul 2021

Published online: 13 Sep 2022
