Detecting the DGA-Based Malicious Domain Names

摘要: To achieve the goals of concealment and migration, some Bot Nets, such as Conficker, Srizbis Torpig, use Domain Generation Algorithm (DGA) to produce a large number random domain names dynamically. Then small subset these would be selected for actual C&C. Compared with normal names, generated by DGA have significant difference in length, character frequency, etc. Current researches mainly clustering-classification methods Detect abnormal name. Some them NXDomain traffic clustering, other based on classification string features, distribution alphanumeric characters bigram. In fact, name has strict hierarchy each level particular regularities. this paper, hierarchical characteristic is introduced into detection process. We divide distinct levels calculate value separately. level, we entropy, bigram length detections. Because different efficiency levels, design weigh their efficiency. Finally, weighted average levels. Our experiments show that accuracy level-based method higher than 94 %.