http://dx.doi.org/10.33778/kcsa.2022.22.5.145

DGA-based Botnet Detection Technology using N-gram  

Jung Il Ok (Korea University / Department of Information Security)
Shin Deok Ha (Kyung Hee University / Department of Applied Mathematics)
Kim Su Chul (Soongsil University / Department of IT Policy and Management)
Lee Rock Seok (Chonnam National University / Interdisciplinary Program in Information Security)
Abstract
Recently, the widespread proliferation and growing sophistication of botnets have had serious consequences not only for enterprises and users but also for cyber warfare between nations, and research on botnet detection is therefore progressing steadily. Existing signature- and statistics-based techniques, however, are limited both in the detection rate they achieve against DGA-based botnets and in the false positive rate they incur. In this paper we therefore propose a detection model for DGA-based botnets that uses text-based n-grams. The proposed model raises the detection rate that limits existing detection techniques while also minimizing the false positive rate. Experiments on large-scale datasets of domains used by various DGA botnets and of normal domains confirmed that its performance exceeds that of existing models: the false positive rate of the proposed model is below 2 to 4%, and its overall detection accuracy and F1 score are both 97.5%. The model proposed in this paper is thus expected to improve the detection of, and response to, DGA-based botnets.
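As an added illustration of the n-gram idea the abstract describes (this is not the authors' model and is not run on their dataset), the following Python builds a character-bigram profile from a constructed list of benign second-level domain labels, scores each test label by the fraction of its bigrams that never occur in that profile, thresholds the score, and reports the detection rate (recall), false positive rate and F1 score in the form the abstract quotes. The domain lists, the 0.5 threshold and the "unseen-bigram ratio" score are assumptions chosen for the example; a real deployment would learn n-gram frequencies or a classifier from a large benign list rather than use set membership.

```python
"""Character n-gram profile scoring for DGA domain detection.

Added, runnable illustration of n-gram based DGA detection. It is not the
paper's model; the domain lists below are constructed sample data (common
benign labels plus synthetic DGA-like strings), not the paper's dataset.
"""
from __future__ import annotations

from typing import Iterable

# Constructed benign training set: second-level labels of well-known sites.
BENIGN_TRAIN = [
    "google", "facebook", "youtube", "amazon", "wikipedia", "twitter",
    "instagram", "linkedin", "reddit", "netflix", "microsoft", "apple",
    "yahoo", "ebay", "paypal", "adobe", "dropbox", "github", "stackoverflow",
    "wordpress", "pinterest", "tumblr", "spotify", "salesforce", "oracle",
    "samsung", "nytimes", "weather", "espn", "craigslist", "mozilla",
    "cloudflare", "akamai", "godaddy", "walmart", "target", "bestbuy",
    "homedepot", "chase", "citibank", "wellsfargo", "bankofamerica",
    "americanexpress", "capitalone", "delta", "united", "southwest",
    "marriott", "hilton", "expedia", "booking", "airbnb", "uber", "lyft",
    "tesla", "nvidia", "intel", "cisco", "ibm", "dell",
]

# Constructed evaluation set: (domain, is_dga). The last entry imitates a
# dictionary-word DGA family, which an n-gram profile is expected to miss.
EVAL_SET = [
    ("mailchimp.com", False), ("coursera.org", False), ("stanford.edu", False),
    ("shopify.com", False), ("medium.com", False), ("twitch.tv", False),
    ("1password.com", False),
    ("xkq7z3ptvwqb.net", True), ("www.mqvzhgtrkcpd.com", True),
    ("bd3f9akzu0.net", True), ("yqlwvkefnu.org", True),
    ("wordcouple.com", True),
]


def registrable_label(domain: str) -> str:
    """Lowercase second-level label: 'www.mail.google.com' -> 'google'.

    Multi-label public suffixes such as 'example.co.uk' would need a
    public-suffix list; that is out of scope for this example.
    """
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def ngrams(text: str, n: int) -> list[str]:
    """All overlapping character n-grams of text, in order."""
    return [text[i:i + n] for i in range(len(text) - n + 1)]


def build_profile(labels: Iterable[str], n: int = 2) -> frozenset[str]:
    """Set of every character n-gram seen in the benign labels."""
    profile: set[str] = set()
    for label in labels:
        profile.update(ngrams(label, n))
    return frozenset(profile)


def unseen_ratio(label: str, profile: frozenset[str], n: int = 2) -> float:
    """Fraction of the label's n-grams that never occur in the benign profile."""
    grams = ngrams(label, n)
    if not grams:
        return 0.0  # too short to score; treat as no evidence
    return sum(g not in profile for g in grams) / len(grams)


def is_dga(domain: str, profile: frozenset[str],
           threshold: float = 0.5, n: int = 2) -> bool:
    """Flag the domain when its unseen-n-gram ratio exceeds the threshold."""
    return unseen_ratio(registrable_label(domain), profile, n) > threshold


def evaluate(dataset, profile: frozenset[str],
             threshold: float = 0.5, n: int = 2) -> dict:
    """Confusion counts plus detection rate, FPR, precision, F1 and accuracy."""
    tp = fp = tn = fn = 0
    for domain, truth in dataset:
        pred = is_dga(domain, profile, threshold, n)
        if pred and truth:
            tp += 1
        elif pred and not truth:
            fp += 1
        elif not pred and truth:
            fn += 1
        else:
            tn += 1
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0       # detection rate
    fpr = fp / (fp + tn) if fp + tn else 0.0          # false positive rate
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    accuracy = (tp + tn) / len(dataset)
    return {"tp": tp, "fp": fp, "tn": tn, "fn": fn, "precision": precision,
            "detection_rate": recall, "fpr": fpr, "f1": f1, "accuracy": accuracy}


if __name__ == "__main__":
    benign_profile = build_profile(BENIGN_TRAIN)
    for dom, truth in EVAL_SET:
        score = unseen_ratio(registrable_label(dom), benign_profile)
        print(f"{dom:24s} dga={truth!s:5s} unseen_ratio={score:.3f} "
              f"flagged={is_dga(dom, benign_profile)}")
    print(evaluate(EVAL_SET, benign_profile))
```

On this constructed data the random-looking labels score 0.89 to 1.0 and every benign label stays below 0.3, so the false positive rate is 0 and the detection rate 0.8; the one miss is the dictionary-style label, whose bigrams are all ordinary English. That is the structural weakness of a pure character n-gram profile, and why the n-gram features are normally fed into a classifier together with other lexical features rather than thresholded on their own.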
Keywords
DGA; Botnet; intrusion detection;