A Superficial Analysis Approach for Identifying Malicious Domain Names Generated by DGA Malware

Satoh,  Akihiro; Fukuda, Yutaka; Hayashi,  Toyohiro; Kitagata,  Gen

doi:https://doi.org/10.1109/OJCOMS.2020.3038704

WEKO3

lat lon distance

[[sub_check.contents]]

[[sub_radio.contents]]

Field does not validate

[[sub_attr.contents]]　

インデックスツリー

アイテム

{"_buckets": {"deposit": "d9673bbc-cc5d-42b3-a46b-08f68dec516a"}, "_deposit": {"created_by": 3, "id": "6817", "owners": [3], "pid": {"revision_id": 0, "type": "depid", "value": "6817"}, "status": "published"}, "_oai": {"id": "oai:kyutech.repo.nii.ac.jp:00006817", "sets": ["24"]}, "author_link": ["28956", "27948", "24131", "28960", "24134"], "item_21_biblio_info_6": {"attribute_name": "書誌情報", "attribute_value_mlt": [{"bibliographicIssueDates": {"bibliographicIssueDate": "2020-11-17", "bibliographicIssueDateType": "Issued"}, "bibliographicPageEnd": "1849", "bibliographicPageStart": "1837", "bibliographicVolumeNumber": "1", "bibliographic_titles": [{"bibliographic_title": "IEEE Open Journal of the Communications Society"}]}]}, "item_21_description_4": {"attribute_name": "抄録", "attribute_value_mlt": [{"subitem_description": "Some of the most serious security threats facing computer networks involve malware. To prevent malware-related damage, administrators must swiftly identify and remove the infected machines that may reside in their networks. However, many malware families have domain generation algorithms (DGAs) to avoid detection. A DGA is a technique in which the domain name is changed frequently to hide the callback communication from the infected machine to the command-and-control server. In this article, we propose an approach for estimating the randomness of domain names by superficially analyzing their character strings. This approach is based on the following observations: human-generated benign domain names tend to reflect the intent of their domain registrants, such as an organization, product, or content. In contrast, dynamically generated malicious domain names consist of meaningless character strings because conflicts with already registered domain names must be avoided; hence, there are discernible differences in the strings of dynamically generated and human-generated domain names. Notably, our approach does not require any prior knowledge about DGAs. Our evaluation indicates that the proposed approach is capable of achieving recall and precision as high as 0.9960 and 0.9029, respectively, when used with labeled datasets. Additionally, this approach has proven to be highly effective for datasets collected via a campus network. Thus, these results suggest that malware-infected machines can be swiftly identified and removed from networks using DNS queries for detected malicious domains as triggers.", "subitem_description_type": "Abstract"}]}, "item_21_description_60": {"attribute_name": "資源タイプ", "attribute_value_mlt": [{"subitem_description": "Journal Article", "subitem_description_type": "Other"}]}, "item_21_full_name_3": {"attribute_name": "著者別名", "attribute_value_mlt": [{"nameIdentifiers": [{"nameIdentifier": "27948", "nameIdentifierScheme": "WEKO"}, {"nameIdentifier": "30609376", "nameIdentifierScheme": "e-Rad", "nameIdentifierURI": "https://nrid.nii.ac.jp/ja/nrid/1000030609376/"}, {"nameIdentifier": "55437344000", "nameIdentifierScheme": "Scopus著者ID", "nameIdentifierURI": "https://www.scopus.com/authid/detail.uri?authorId=55437344000"}, {"nameIdentifier": "0000-0003-3178-1041", "nameIdentifierScheme": "ORCiD", "nameIdentifierURI": "https://orcid.org/0000-0003-3178-1041"}, {"nameIdentifier": "100000049", "nameIdentifierScheme": "九工大研究者情報", "nameIdentifierURI": "https://hyokadb02.jimu.kyutech.ac.jp/html/100000049_ja.html"}], "names": [{"name": "Satoh,  A."}]}, {"nameIdentifiers": [{"nameIdentifier": "24131", "nameIdentifierScheme": "WEKO"}, {"nameIdentifier": "90372763", "nameIdentifierScheme": "e-Rad", "nameIdentifierURI": "https://nrid.nii.ac.jp/ja/nrid/1000090372763/"}, {"nameIdentifier": "35811871400", "nameIdentifierScheme": "Scopus著者ID", "nameIdentifierURI": "https://www.scopus.com/authid/detail.uri?authorId=35811871400"}, {"nameIdentifier": "0000-0003-0430-0871", "nameIdentifierScheme": "ORCiD", "nameIdentifierURI": "https://orcid.org/0000-0003-0430-0871"}, {"nameIdentifier": "371", "nameIdentifierScheme": "九工大研究者情報", "nameIdentifierURI": "https://hyokadb02.jimu.kyutech.ac.jp/html/371_ja.html"}], "names": [{"name": "Fukuda, Y."}]}, {"nameIdentifiers": [{"nameIdentifier": "24134", "nameIdentifierScheme": "WEKO"}, {"nameIdentifier": "60448438", "nameIdentifierScheme": "e-Rad", "nameIdentifierURI": "https://nrid.nii.ac.jp/ja/nrid/1000060448438/"}, {"nameIdentifier": "35317401500", "nameIdentifierScheme": "Scopus著者ID", "nameIdentifierURI": "https://www.scopus.com/authid/detail.uri?authorId=35317401500"}, {"nameIdentifier": "0000-0002-5721-6940", "nameIdentifierScheme": "ORCiD", "nameIdentifierURI": "https://orcid.org/0000-0002-5721-6940"}, {"nameIdentifier": "372", "nameIdentifierScheme": "九工大研究者情報", "nameIdentifierURI": "https://hyokadb02.jimu.kyutech.ac.jp/html/372_ja.html"}], "names": [{"name": "Hayashi,  T."}]}, {"nameIdentifiers": [{"nameIdentifier": "28960", "nameIdentifierScheme": "WEKO"}], "names": [{"name": "Kitagata,  G."}]}]}, "item_21_link_62": {"attribute_name": "研究者情報", "attribute_value_mlt": [{"subitem_link_text": "https://hyokadb02.jimu.kyutech.ac.jp/html/371_ja.html", "subitem_link_url": "https://hyokadb02.jimu.kyutech.ac.jp/html/371_ja.html"}]}, "item_21_publisher_7": {"attribute_name": "出版者", "attribute_value_mlt": [{"subitem_publisher": "IEEE"}]}, "item_21_relation_12": {"attribute_name": "DOI", "attribute_value_mlt": [{"subitem_relation_type": "isIdenticalTo", "subitem_relation_type_id": {"subitem_relation_type_id_text": "https://doi.org/10.1109/OJCOMS.2020.3038704", "subitem_relation_type_select": "DOI"}}]}, "item_21_rights_13": {"attribute_name": "権利", "attribute_value_mlt": [{"subitem_rights": "This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/"}]}, "item_21_select_59": {"attribute_name": "査読の有無", "attribute_value_mlt": [{"subitem_select_item": "yes"}]}, "item_21_source_id_8": {"attribute_name": "ISSN", "attribute_value_mlt": [{"subitem_source_identifier": "2644-125X ", "subitem_source_identifier_type": "ISSN"}]}, "item_21_subject_16": {"attribute_name": "日本十進分類法", "attribute_value_mlt": [{"subitem_subject": "548", "subitem_subject_scheme": "NDC"}]}, "item_21_text_28": {"attribute_name": "論文ID（連携）", "attribute_value_mlt": [{"subitem_text_value": "10361277"}]}, "item_21_text_36": {"attribute_name": "著者所属", "attribute_value_mlt": [{"subitem_text_value": "Kyushu Institute of Technology"}, {"subitem_text_value": "Kyushu Institute of Technology"}, {"subitem_text_value": "Kyushu Institute of Technology"}, {"subitem_text_value": "Tohoku University"}]}, "item_21_text_63": {"attribute_name": "連携ID", "attribute_value_mlt": [{"subitem_text_value": "8538"}]}, "item_21_version_type_58": {"attribute_name": "著者版フラグ", "attribute_value_mlt": [{"subitem_version_resource": "http://purl.org/coar/version/c_970fb48d4fbd8a85", "subitem_version_type": "VoR"}]}, "item_creator": {"attribute_name": "著者", "attribute_type": "creator", "attribute_value_mlt": [{"creatorNames": [{"creatorName": "Satoh,  Akihiro"}], "nameIdentifiers": [{"nameIdentifier": "27948", "nameIdentifierScheme": "WEKO"}, {"nameIdentifier": "30609376", "nameIdentifierScheme": "e-Rad", "nameIdentifierURI": "https://nrid.nii.ac.jp/ja/nrid/1000030609376/"}, {"nameIdentifier": "55437344000", "nameIdentifierScheme": "Scopus著者ID", "nameIdentifierURI": "https://www.scopus.com/authid/detail.uri?authorId=55437344000"}, {"nameIdentifier": "0000-0003-3178-1041", "nameIdentifierScheme": "ORCiD", "nameIdentifierURI": "https://orcid.org/0000-0003-3178-1041"}, {"nameIdentifier": "100000049", "nameIdentifierScheme": "九工大研究者情報", "nameIdentifierURI": "https://hyokadb02.jimu.kyutech.ac.jp/html/100000049_ja.html"}]}, {"creatorNames": [{"creatorName": "Fukuda, Yutaka"}], "nameIdentifiers": [{"nameIdentifier": "24131", "nameIdentifierScheme": "WEKO"}, {"nameIdentifier": "90372763", "nameIdentifierScheme": "e-Rad", "nameIdentifierURI": "https://nrid.nii.ac.jp/ja/nrid/1000090372763/"}, {"nameIdentifier": "35811871400", "nameIdentifierScheme": "Scopus著者ID", "nameIdentifierURI": "https://www.scopus.com/authid/detail.uri?authorId=35811871400"}, {"nameIdentifier": "0000-0003-0430-0871", "nameIdentifierScheme": "ORCiD", "nameIdentifierURI": "https://orcid.org/0000-0003-0430-0871"}, {"nameIdentifier": "371", "nameIdentifierScheme": "九工大研究者情報", "nameIdentifierURI": "https://hyokadb02.jimu.kyutech.ac.jp/html/371_ja.html"}]}, {"creatorNames": [{"creatorName": "Hayashi,  Toyohiro"}], "nameIdentifiers": [{"nameIdentifier": "24134", "nameIdentifierScheme": "WEKO"}, {"nameIdentifier": "60448438", "nameIdentifierScheme": "e-Rad", "nameIdentifierURI": "https://nrid.nii.ac.jp/ja/nrid/1000060448438/"}, {"nameIdentifier": "35317401500", "nameIdentifierScheme": "Scopus著者ID", "nameIdentifierURI": "https://www.scopus.com/authid/detail.uri?authorId=35317401500"}, {"nameIdentifier": "0000-0002-5721-6940", "nameIdentifierScheme": "ORCiD", "nameIdentifierURI": "https://orcid.org/0000-0002-5721-6940"}, {"nameIdentifier": "372", "nameIdentifierScheme": "九工大研究者情報", "nameIdentifierURI": "https://hyokadb02.jimu.kyutech.ac.jp/html/372_ja.html"}]}, {"creatorNames": [{"creatorName": "Kitagata,  Gen"}], "nameIdentifiers": [{"nameIdentifier": "28956", "nameIdentifierScheme": "WEKO"}]}]}, "item_files": {"attribute_name": "ファイル情報", "attribute_type": "file", "attribute_value_mlt": [{"accessrole": "open_date", "date": [{"dateType": "Available", "dateValue": "2021-02-09"}], "displaytype": "detail", "download_preview_message": "", "file_order": 0, "filename": "OJCOMS.2020.3038704.pdf", "filesize": [{"value": "1.6 MB"}], "format": "application/pdf", "future_date_message": "", "is_thumbnail": false, "licensetype": "license_free", "mimetype": "application/pdf", "size": 1600000.0, "url": {"label": "OJCOMS.2020.3038704.pdf", "url": "https://kyutech.repo.nii.ac.jp/record/6817/files/OJCOMS.2020.3038704.pdf"}, "version_id": "d802417c-4aa2-4406-b351-3de11769e5e6"}]}, "item_keyword": {"attribute_name": "キーワード", "attribute_value_mlt": [{"subitem_subject": "Domain generation algorithm", "subitem_subject_scheme": "Other"}, {"subitem_subject": "domain name system", "subitem_subject_scheme": "Other"}, {"subitem_subject": "malware", "subitem_subject_scheme": "Other"}, {"subitem_subject": "network security", "subitem_subject_scheme": "Other"}]}, "item_language": {"attribute_name": "言語", "attribute_value_mlt": [{"subitem_language": "eng"}]}, "item_resource_type": {"attribute_name": "資源タイプ", "attribute_value_mlt": [{"resourcetype": "journal article", "resourceuri": "http://purl.org/coar/resource_type/c_6501"}]}, "item_title": "A Superficial Analysis Approach for Identifying Malicious Domain Names Generated by DGA Malware", "item_titles": {"attribute_name": "タイトル", "attribute_value_mlt": [{"subitem_title": "A Superficial Analysis Approach for Identifying Malicious Domain Names Generated by DGA Malware"}]}, "item_type_id": "21", "owner": "3", "path": ["24"], "permalink_uri": "http://hdl.handle.net/10228/00008022", "pubdate": {"attribute_name": "公開日", "attribute_value": "2021-02-09"}, "publish_date": "2021-02-09", "publish_status": "0", "recid": "6817", "relation": {}, "relation_version_is_last": true, "title": ["A Superficial Analysis Approach for Identifying Malicious Domain Names Generated by DGA Malware"], "weko_shared_id": 3}

A Superficial Analysis Approach for Identifying Malicious Domain Names Generated by DGA Malware

http://hdl.handle.net/10228/00008022

名前 / ファイル	ライセンス	アクション
OJCOMS.2020.3038704.pdf (1.6 MB)

Item type

学術雑誌論文 = Journal Article(1)

公開日

2021-02-09

タイトル

A Superficial Analysis Approach for Identifying Malicious Domain Names Generated by DGA Malware

言語

eng

資源タイプ

資源タイプ識別子

http://purl.org/coar/resource_type/c_6501

資源タイプ

journal article

著者

Satoh, Akihiro

WEKO 27948
e-Rad 30609376
Scopus著者ID 55437344000
ORCiD 0000-0003-3178-1041
九工大研究者情報 100000049

	Satoh, Akihiro

Search repository

Fukuda, Yutaka

WEKO 24131
e-Rad 90372763
Scopus著者ID 35811871400
ORCiD 0000-0003-0430-0871
九工大研究者情報 371

	Fukuda, Yutaka

Search repository

Hayashi, Toyohiro

WEKO 24134
e-Rad 60448438
Scopus著者ID 35317401500
ORCiD 0000-0002-5721-6940
九工大研究者情報 372

	Hayashi, Toyohiro

Search repository

Kitagata, Gen

抄録

内容記述タイプ

Abstract

内容記述

Some of the most serious security threats facing computer networks involve malware. To prevent malware-related damage, administrators must swiftly identify and remove the infected machines that may reside in their networks. However, many malware families have domain generation algorithms (DGAs) to avoid detection. A DGA is a technique in which the domain name is changed frequently to hide the callback communication from the infected machine to the command-and-control server. In this article, we propose an approach for estimating the randomness of domain names by superficially analyzing their character strings. This approach is based on the following observations: human-generated benign domain names tend to reflect the intent of their domain registrants, such as an organization, product, or content. In contrast, dynamically generated malicious domain names consist of meaningless character strings because conflicts with already registered domain names must be avoided; hence, there are discernible differences in the strings of dynamically generated and human-generated domain names. Notably, our approach does not require any prior knowledge about DGAs. Our evaluation indicates that the proposed approach is capable of achieving recall and precision as high as 0.9960 and 0.9029, respectively, when used with labeled datasets. Additionally, this approach has proven to be highly effective for datasets collected via a campus network. Thus, these results suggest that malware-infected machines can be swiftly identified and removed from networks using DNS queries for detected malicious domains as triggers.

書誌情報

IEEE Open Journal of the Communications Society

巻 1, p. 1837-1849, 発行日 2020-11-17

出版者

IEEE

ISSN

収録物識別子タイプ

ISSN

収録物識別子

2644-125X

DOI

Versions

Ver.1

2023-05-15 13:28:38.929860

Show All versions

Cite as

エクスポート

OAI-PMH

JPCOAR
DublinCore
DDI

Other Formats

JSON
BIBTEX

インデックスリンク

インデックスツリー

アイテム

A Superficial Analysis Approach for Identifying Malicious Domain Names Generated by DGA Malware

× Satoh, Akihiro

× Fukuda, Yutaka

× Hayashi, Toyohiro

× Kitagata, Gen

Versions

Share

Cite as

エクスポート