http://dx.doi.org/10.13089/JKIISC.2018.28.5.1141

DGA-DNS Similarity Analysis and APT Attack Detection Using N-gram

Kim, Donghyeon (Ajou University)
Kim, Kangseok (Ajou University)
Abstract
In an APT attack, the communication stage between infected hosts and the C&C (Command and Control) server is the key stage for intrusion into the target. Through the C&C server, attackers can control multiple infected hosts and direct the intrusion and exploitation. If the C&C server is exposed at this stage, the attack fails. Therefore, in recent years attackers have used Domain Generation Algorithms (DGA) to change the C&C server's domain name at short intervals, which makes detection difficult. In particular, it is very difficult to verify and inspect every newly registered domain name when more than 5 million are registered a day. To address this problem, this paper proposes a model that detects DGA-DNS by analysing the morphological similarity between normal DNS names and DGA-DNS names, uses that result to determine signs of an APT attack, and verifies its validity.
Keywords
Advanced Persistent Threat; Intrusion Detection; Domain Generation Algorithm; N-gram; Data Analysis;
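The abstract describes scoring a domain name by how morphologically similar its character n-grams are to those of normal domain names, and then treating clusters of dissimilar lookups as a sign of C&C activity. The following is an added illustration of that idea, not the authors' code: it builds a character-bigram profile from a constructed list of known-benign domains, scores a queried name by the fraction of its bigrams found in that profile, and counts low-similarity lookups per client over constructed DNS log lines. The n-gram size, the similarity threshold, the per-host alert count, the domain lists and the log lines are all assumptions made for the example; the paper's actual parameters are not stated on this page.

```python
"""Bigram-profile similarity scoring for DGA-like domain names.

Added illustration (not the paper's code). Builds a character n-gram
profile from known-benign domain labels, scores an unknown domain by the
share of its n-grams present in the profile, and counts per-client
low-similarity lookups in DNS log lines as a simple C&C indicator.
All domain lists, log lines and thresholds below are constructed.
"""
from collections import Counter

N = 2                # assumption: bigrams (the paper's n is not given here)
SIM_THRESHOLD = 0.5  # assumption: below this a name is treated as DGA-like
MIN_HITS = 3         # assumption: flagged lookups per client before alerting

# Constructed stand-in for a known-benign top-sites list.
BENIGN_DOMAINS = [
    "google.com", "facebook.com", "youtube.com", "wikipedia.org",
    "amazon.com", "twitter.com", "instagram.com", "linkedin.com",
    "microsoft.com", "apple.com", "netflix.com", "reddit.com",
    "yahoo.com", "github.com", "stackoverflow.com",
]

# Constructed DNS query log: "<timestamp> <client> <queried name>" per line.
DNS_LOG = """\
2018-01-01T10:00:00 10.0.0.5 www.google.com
2018-01-01T10:00:01 10.0.0.5 xkqzvjwpbtq.com
2018-01-01T10:00:02 10.0.0.5 qwrtvbzplk.net
2018-01-01T10:00:03 10.0.0.5 zxmvbtrqwp.org
2018-01-01T10:00:04 10.0.0.7 github.com
2018-01-01T10:00:05 10.0.0.7 stackoverflow.com
"""


def registered_label(domain):
    """Label left of the suffix, e.g. 'google' for www.google.com.

    Simplification: assumes a single-label public suffix (no suffix list),
    so 'bbc.co.uk' would yield 'co'.
    """
    labels = [l for l in domain.lower().strip(".").split(".") if l]
    if labels and labels[0] == "www":
        labels = labels[1:]
    if not labels:
        return ""
    return labels[-2] if len(labels) >= 2 else labels[0]


def ngrams(text, n=N):
    """Overlapping character n-grams of text (empty if text is shorter than n)."""
    return [text[i:i + n] for i in range(len(text) - n + 1)]


def build_profile(domains, n=N):
    """Count character n-grams over the benign registered labels."""
    profile = Counter()
    for d in domains:
        profile.update(ngrams(registered_label(d), n))
    return profile


def similarity(domain, profile, n=N):
    """Fraction of the label's n-grams that occur in the benign profile (0.0..1.0)."""
    grams = ngrams(registered_label(domain), n)
    if not grams:
        return 0.0  # too short to judge; a deployment might route these to review
    return sum(1 for g in grams if g in profile) / len(grams)


def is_dga_like(domain, profile, threshold=SIM_THRESHOLD):
    """True when the name looks morphologically unlike benign names."""
    return similarity(domain, profile) < threshold


def flagged_hosts(log_text, profile, min_hits=MIN_HITS):
    """Count DGA-like lookups per client; return (counts, clients at/above min_hits)."""
    counts = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the pipeline
        _, client, name = parts
        if is_dga_like(name, profile):
            counts[client] += 1
    alerts = sorted(h for h, c in counts.items() if c >= min_hits)
    return counts, alerts


if __name__ == "__main__":
    prof = build_profile(BENIGN_DOMAINS)
    for name in ("www.google.com", "googlemail.com", "xkqzvjwpbtq.com"):
        print(f"{name:20s} similarity={similarity(name, prof):.2f} "
              f"dga_like={is_dga_like(name, prof)}")
    counts, alerts = flagged_hosts(DNS_LOG, prof)
    print("flagged per client:", dict(counts))
    print("alert clients:", alerts)
```

With this toy profile a name such as `googlemail.com` shares most of its bigrams with benign labels and passes, while random-looking labels score near zero; the client that issued three such lookups is the one reported. In practice the profile would be built from a large benign list, the n and threshold tuned on labelled data, and the per-client count combined with other signals (NXDOMAIN rates, query timing) before raising an APT alert.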
Citations & Related Records
Times Cited By KSCI : 1  (Citation Analysis)