DBD: deep learning DGA-based botnet detection

R. Vinayakumar, K. P. Soman, P. Poornachandran, M. Alazab, A. Jolfaei

Research output: Chapter in Book/Report/Conference proceeding › Chapter › Research › peer-review

Abstract

Botnets play an important role in malware distribution and they are widely used for spreading malicious activities on the Internet. The study of the literature shows that a large subset of botnets use DNS poisoning to spread out malicious activities and that there are various methods for their detection using DNS queries. However, since botnets generate domain names quite frequently, the resolution of domain names can be very time consuming. Hence, the detection of botnets can be extremely difficult. This chapter proposes a novel deep learning framework to detect malicious domains generated by malicious Domain Generation Algorithms (DGA). The proposed DGA detection method, named Deep Bot Detect (DBD), is able to evaluate data from large scale networks without reverse engineering or performing Non-Existent Domain (NXDomain) inspection. The framework analyzes domain names and categorizes them using statistical features, which are extracted implicitly through deep learning architectures. The framework is tested and deployed in our lab environment. The experimental results demonstrate the effectiveness of the proposed framework and show that the proposed method has high accuracy and low false-positive rates. The proposed framework is a simple architecture that contains fewer learnable parameters compared to other character-based, short text classification models. Therefore, the proposed framework is faster to train and is less prone to over-fitting. The framework provides an early detection mechanism for the identification of Domain-Flux botnets propagating in a network and it helps keep the Internet clean from related malicious activities.
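The abstract describes a character-level classifier that reads raw domain names through a Keras embedding instead of hand-built statistics or NXDomain counting. The block below is an added illustration for this record, not the chapter's DBD code: it shows the front end such a model consumes (character indexing and padding), a constructed seed-driven toy generator standing in for a Domain-Flux botnet, a transparent character-bigram baseline of the explicit-statistics kind the chapter contrasts with, and a small generic Keras embedding architecture that is imported lazily so the rest runs without TensorFlow. The benign label list, the generator, the alphabet and all function names are assumptions made for the example.

```python
"""Character-level DGA domain pipeline.

Added illustration for this record; it is not the chapter's DBD code.
The sample domains, the toy generator, the bigram baseline and the
Keras architecture are all constructed for this example."""
import math
import random
from collections import Counter

# Characters a Keras Embedding layer would index. Index 0 is reserved for
# padding and the last index for any character outside the alphabet.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-_."
CHAR_INDEX = {c: i + 1 for i, c in enumerate(ALPHABET)}
OOV_INDEX = len(ALPHABET) + 1
VOCAB_SIZE = len(ALPHABET) + 2
MAX_LEN = 40

# Constructed benign second-level labels used to fit the baseline.
BENIGN_LABELS = [
    "google", "facebook", "youtube", "amazon", "wikipedia", "twitter",
    "instagram", "linkedin", "microsoft", "apple", "netflix", "github",
    "stackoverflow", "reddit", "yahoo", "bing", "ebay", "paypal", "dropbox",
    "spotify", "adobe", "oracle", "salesforce", "cloudflare", "mozilla",
    "ubuntu", "debian", "python", "wordpress", "medium", "nytimes",
    "guardian", "slack", "shopify", "twitch", "tumblr", "pinterest",
    "weather", "booking", "airbnb",
]


def toy_dga(seed: int, count: int, length: int = 12) -> list:
    """Seed-driven generator of pseudorandom labels in the style of a
    Domain-Flux botnet. Constructed for the example; not a real family's DGA."""
    rng = random.Random(seed)
    letters = "abcdefghijklmnopqrstuvwxyz"
    return ["".join(rng.choice(letters) for _ in range(length)) + ".com"
            for _ in range(count)]


def registered_label(domain: str) -> str:
    """Return the second-level label, where a DGA's generated part usually
    sits. Naive split on '.'; real deployments need a public-suffix list."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def encode(domain: str, max_len: int = MAX_LEN) -> list:
    """Map a domain to a fixed-length integer sequence, right-padded with 0,
    which is the input shape an Embedding layer consumes."""
    ids = [CHAR_INDEX.get(c, OOV_INDEX) for c in domain.lower()[:max_len]]
    return ids + [0] * (max_len - len(ids))


class BigramScorer:
    """Explicit statistical baseline: a character-bigram model fitted on
    benign labels. score() is the mean surprisal per transition, so labels
    built from transitions rarely seen in benign names score higher."""

    def __init__(self, benign_labels, alpha: float = 0.5):
        self.alpha = alpha
        self.bigrams = Counter()
        self.firsts = Counter()
        for label in benign_labels:
            s = "^" + label + "$"          # boundary markers
            for a, b in zip(s, s[1:]):
                self.bigrams[(a, b)] += 1
                self.firsts[a] += 1
        self.vocab = len(ALPHABET) + 2      # alphabet plus '^' and '$'

    def score(self, label: str) -> float:
        s = "^" + label + "$"
        total = 0.0
        for a, b in zip(s, s[1:]):
            # Additive smoothing keeps unseen bigrams finite.
            p = (self.bigrams[(a, b)] + self.alpha) / (
                self.firsts[a] + self.alpha * self.vocab)
            total += -math.log(p)
        return total / (len(s) - 1)


def mean_score(scorer: BigramScorer, domains) -> float:
    """Average baseline score over a list of full domain names."""
    return sum(scorer.score(registered_label(d)) for d in domains) / len(domains)


def build_model(vocab_size: int = VOCAB_SIZE, max_len: int = MAX_LEN):
    """Small character-level classifier (Embedding -> Conv1D -> pooling ->
    sigmoid). A generic Keras-embedding front end, not the DBD architecture.
    TensorFlow is imported lazily so the rest of the module runs without it."""
    from tensorflow import keras
    inputs = keras.Input(shape=(max_len,), dtype="int32")
    x = keras.layers.Embedding(vocab_size, 32)(inputs)
    x = keras.layers.Conv1D(64, 3, activation="relu")(x)
    x = keras.layers.GlobalMaxPooling1D()(x)
    outputs = keras.layers.Dense(1, activation="sigmoid")(x)
    model = keras.Model(inputs, outputs)
    model.compile(optimizer="adam", loss="binary_crossentropy",
                  metrics=["accuracy"])
    return model


if __name__ == "__main__":
    scorer = BigramScorer(BENIGN_LABELS)
    generated = toy_dga(seed=7, count=5)
    for d in ["www.google.com", "mail.github.com"] + generated:
        print(f"{d:28} score={scorer.score(registered_label(d)):.2f} "
              f"ids={encode(d)[:6]}...")
    print("mean dga score:", round(mean_score(scorer, generated), 2))
```

The bigram scorer is the explicit-feature approach the abstract sets DBD against: an embedding trained end to end learns comparable character statistics implicitly, which is why no feature engineering or NXDomain inspection is needed at inference time. Two caveats apply to either approach in practice: character statistics, learned or explicit, degrade on dictionary-based DGAs whose labels are concatenated real words, and they can flag legitimate hash-like hostnames (CDN, cloud storage, tracking subdomains). Set the decision threshold from a benign baseline measured in your own network rather than a fixed constant, and treat a single high score as a signal to enrich with passive DNS or resolution failures rather than as grounds to block on its own.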
Language: English
Title of host publication: Deep learning applications for cyber security
Editors: Mamoun Alazab, MingJian Tang
Place of Publication: Switzerland
Publisher: Springer
Pages: 127-149
Number of pages: 23
ISBN (Electronic): 9783030130572
ISBN (Print): 9783030130565
DOIs: https://doi.org/10.1007/978-3-030-13057-2_6
Publication status: Published - Aug 2019

Publication series

Name: Advanced Sciences and Technologies for Security Applications
Publisher: Springer
ISSN (Print): 1613-5113
ISSN (Electronic): 2363-9466

Fingerprint

Internet
Reverse engineering
Inspection
Deep learning
Botnet
Fluxes
Malware

Keywords

  • botnet
  • deep learning
  • domain name generation
  • malware
  • cybercrime
  • cyber security
  • domain-flux
  • Keras embedding

Cite this

Vinayakumar, R., Soman, K. P., Poornachandran, P., Alazab, M., & Jolfaei, A. (2019). DBD: deep learning DGA-based botnet detection. In M. Alazab, & M. Tang (Eds.), Deep learning applications for cyber security (pp. 127-149). (Advanced Sciences and Technologies for Security Applications). Switzerland: Springer. https://doi.org/10.1007/978-3-030-13057-2_6
Vinayakumar, R. ; Soman, K. P. ; Poornachandran, P. ; Alazab, M. ; Jolfaei, A. / DBD : deep learning DGA-based botnet detection. Deep learning applications for cyber security. editor / Mamoun Alazab ; MingJian Tang. Switzerland : Springer, 2019. pp. 127-149 (Advanced Sciences and Technologies for Security Applications).
@inbook{87d1776b4af54385bc1ffb0b53549f5f,
title = "DBD: deep learning DGA-based botnet detection",
abstract = "Botnets play an important role in malware distribution and they are widely used for spreading malicious activities on the Internet. The study of the literature shows that a large subset of botnets use DNS poisoning to spread out malicious activities and that there are various methods for their detection using DNS queries. However, since botnets generate domain names quite frequently, the resolution of domain names can be very time consuming. Hence, the detection of botnets can be extremely difficult. This chapter proposes a novel deep learning framework to detect malicious domains generated by malicious Domain Generation Algorithms (DGA). The proposed DGA detection method, named Deep Bot Detect (DBD), is able to evaluate data from large scale networks without reverse engineering or performing Non-Existent Domain (NXDomain) inspection. The framework analyzes domain names and categorizes them using statistical features, which are extracted implicitly through deep learning architectures. The framework is tested and deployed in our lab environment. The experimental results demonstrate the effectiveness of the proposed framework and show that the proposed method has high accuracy and low false-positive rates. The proposed framework is a simple architecture that contains fewer learnable parameters compared to other character-based, short text classification models. Therefore, the proposed framework is faster to train and is less prone to over-fitting. The framework provides an early detection mechanism for the identification of Domain-Flux botnets propagating in a network and it helps keep the Internet clean from related malicious activities.",
keywords = "botnet, deep learning, domain name generation, malware, cybercrime, cyber security, domain-flux, Keras embedding",
author = "R. Vinayakumar and Soman, {K. P.} and P. Poornachandran and M. Alazab and A. Jolfaei",
year = "2019",
month = "8",
doi = "10.1007/978-3-030-13057-2_6",
language = "English",
isbn = "9783030130565",
series = "Advanced Sciences and Technologies for Security Applications",
publisher = "Springer",
pages = "127--149",
editor = "Mamoun Alazab and MingJian Tang",
booktitle = "Deep learning applications for cyber security",

}

Vinayakumar, R, Soman, KP, Poornachandran, P, Alazab, M & Jolfaei, A 2019, DBD: deep learning DGA-based botnet detection. in M Alazab & M Tang (eds), Deep learning applications for cyber security. Advanced Sciences and Technologies for Security Applications, Springer, Switzerland, pp. 127-149. https://doi.org/10.1007/978-3-030-13057-2_6

DBD : deep learning DGA-based botnet detection. / Vinayakumar, R.; Soman, K. P.; Poornachandran, P.; Alazab, M.; Jolfaei, A.

Deep learning applications for cyber security. ed. / Mamoun Alazab; MingJian Tang. Switzerland : Springer, 2019. p. 127-149 (Advanced Sciences and Technologies for Security Applications).


TY - CHAP
T1 - DBD
T2 - deep learning DGA-based botnet detection
AU - Vinayakumar, R.
AU - Soman, K. P.
AU - Poornachandran, P.
AU - Alazab, M.
AU - Jolfaei, A.
PY - 2019/8
Y1 - 2019/8
N2 - Botnets play an important role in malware distribution and they are widely used for spreading malicious activities on the Internet. The study of the literature shows that a large subset of botnets use DNS poisoning to spread out malicious activities and that there are various methods for their detection using DNS queries. However, since botnets generate domain names quite frequently, the resolution of domain names can be very time consuming. Hence, the detection of botnets can be extremely difficult. This chapter proposes a novel deep learning framework to detect malicious domains generated by malicious Domain Generation Algorithms (DGA). The proposed DGA detection method, named Deep Bot Detect (DBD), is able to evaluate data from large scale networks without reverse engineering or performing Non-Existent Domain (NXDomain) inspection. The framework analyzes domain names and categorizes them using statistical features, which are extracted implicitly through deep learning architectures. The framework is tested and deployed in our lab environment. The experimental results demonstrate the effectiveness of the proposed framework and show that the proposed method has high accuracy and low false-positive rates. The proposed framework is a simple architecture that contains fewer learnable parameters compared to other character-based, short text classification models. Therefore, the proposed framework is faster to train and is less prone to over-fitting. The framework provides an early detection mechanism for the identification of Domain-Flux botnets propagating in a network and it helps keep the Internet clean from related malicious activities.
AB - Botnets play an important role in malware distribution and they are widely used for spreading malicious activities on the Internet. The study of the literature shows that a large subset of botnets use DNS poisoning to spread out malicious activities and that there are various methods for their detection using DNS queries. However, since botnets generate domain names quite frequently, the resolution of domain names can be very time consuming. Hence, the detection of botnets can be extremely difficult. This chapter proposes a novel deep learning framework to detect malicious domains generated by malicious Domain Generation Algorithms (DGA). The proposed DGA detection method, named Deep Bot Detect (DBD), is able to evaluate data from large scale networks without reverse engineering or performing Non-Existent Domain (NXDomain) inspection. The framework analyzes domain names and categorizes them using statistical features, which are extracted implicitly through deep learning architectures. The framework is tested and deployed in our lab environment. The experimental results demonstrate the effectiveness of the proposed framework and show that the proposed method has high accuracy and low false-positive rates. The proposed framework is a simple architecture that contains fewer learnable parameters compared to other character-based, short text classification models. Therefore, the proposed framework is faster to train and is less prone to over-fitting. The framework provides an early detection mechanism for the identification of Domain-Flux botnets propagating in a network and it helps keep the Internet clean from related malicious activities.
KW - botnet
KW - deep learning
KW - domain name generation
KW - malware
KW - cybercrime
KW - cyber security
KW - domain-flux
KW - Keras embedding
U2 - 10.1007/978-3-030-13057-2_6
DO - 10.1007/978-3-030-13057-2_6
M3 - Chapter
SN - 9783030130565
T3 - Advanced Sciences and Technologies for Security Applications
SP - 127
EP - 149
BT - Deep learning applications for cyber security
A2 - Alazab, Mamoun
A2 - Tang, MingJian
PB - Springer
CY - Switzerland
ER -

Vinayakumar R, Soman KP, Poornachandran P, Alazab M, Jolfaei A. DBD: deep learning DGA-based botnet detection. In Alazab M, Tang M, editors, Deep learning applications for cyber security. Switzerland: Springer. 2019. p. 127-149. (Advanced Sciences and Technologies for Security Applications). https://doi.org/10.1007/978-3-030-13057-2_6