Authors
Enoch Agyepong1, William J. Buchanan2 and Kevin Jones3, 1Cyber Operations Team, UK, 2Edinburgh Napier University, UK and 3Airbus Group Innovations, UK
Abstract
In recent years, many malware writers have relied on Dynamic Domain Name Services (DDNS) to maintain their Command and Control (C&C) network infrastructure to ensure a persistence presence on a compromised host. Amongst the various DDNS techniques, Domain Generation Algorithm (DGA) is often perceived as the most difficult to detect using traditional methods. This paper presents an approach for detecting DGA using frequency analysis of the character distribution and the weighted scores of the domain names. The approach’s feasibility is demonstrated using a range of legitimate domains and a number of malicious algorithmically-generated domain names. Findings from this study show that domain names made up of English characters “a-z” achieving a weighted score of < 45 are often associated with DGA. When a weighted score of < 45 is applied to the Alexa one million list of domain names, only 15% of the domain names were treated as non-human generated.
Keywords
Domain Generated Algorithm, malicious domain names, Domain Name Frequency Analysis & malicious DNS