Predicting Domain Generation Algorithms with N-Gram Models

The botnet is a severe threat to computer networks, and the detection of botnet behaviors is an important research area of cyber security. Malware authors leverage the Domain Generation Algorithm (DGA) to generate bulks of pseudo-random domain names to connect to the Command and Control (C&C) server, which makes the detections and preventions extremely difficult. Previous work mostly defended against the DGA domains through pre-registering, sink-holeing or publishing blacklists after reverse engineering the malware. However, these approaches can be easily bypassed by malware authors. For most of the communications between the botnet and the C&C server, the first step is generally sending Domain Name System (DNS) request packets. Thus, an alternative approach was based on capturing and analyzing the DNS traffic and classifying the domains. Most of the previous work tried to cluster the domains, and these techniques involved the usage of contextual information. Thus, it takes a long time period to run the algorithms, which means these techniques can not be used in real-time detection. Compared with the traditional methods, recent methods attempt to predict whether the domain is DGA generated based solely on the domain name string. Nevertheless, these methods involved human engineered features that can be readily circumvented by the attackers. In this paper, we proposed a method that extracts the linguistic features as well as applies machine learning algorithms to classify the domain name. To verify the performance of the proposed method, we designed and implemented a botnet detection system, and trained and tested the model with real data. The results demonstrate that the proposed method is able to capture the suspicious packets and accurately classify the domains. We evaluated our system with real traffic, it can correctly classify the DGA domains in 95% of the cases. Furthermore, when detecting unknown DGA domains, our system achieved a 88.5% accuracy.