Standard
AI-based detection of DNS misuse for network security. / Chiscop, Irina; Soro, Francesca; Smith, Paul.
NativeNI 2022 - Proceedings of the 1st International Workshop on Native Network Intelligence, Part of CoNEXT 2022. New York: Association for Computing Machinery (ACM), 2022. p. 27-32 (NativeNI 2022 - Proceedings of the 1st International Workshop on Native Network Intelligence, Part of CoNEXT 2022).
Research output: Contribution in Book/Report/Proceedings - With ISBN/ISSN › Conference contribution/Paper › peer-review
Harvard
Chiscop, I, Soro, F & Smith, P 2022, AI-based detection of DNS misuse for network security. in NativeNI 2022 - Proceedings of the 1st International Workshop on Native Network Intelligence, Part of CoNEXT 2022. NativeNI 2022 - Proceedings of the 1st International Workshop on Native Network Intelligence, Part of CoNEXT 2022, Association for Computing Machinery (ACM), New York, pp. 27-32, 1st International Workshop on Native Network Intelligence, Rome, Italy, 9/12/22.
https://doi.org/10.1145/3565009.3569523
Vancouver
Chiscop I, Soro F, Smith P.
AI-based detection of DNS misuse for network security. In NativeNI 2022 - Proceedings of the 1st International Workshop on Native Network Intelligence, Part of CoNEXT 2022. New York: Association for Computing Machinery (ACM). 2022. p. 27-32. (NativeNI 2022 - Proceedings of the 1st International Workshop on Native Network Intelligence, Part of CoNEXT 2022). doi: 10.1145/3565009.3569523
Author
Chiscop, Irina ; Soro, Francesca ; Smith, Paul. /
AI-based detection of DNS misuse for network security. NativeNI 2022 - Proceedings of the 1st International Workshop on Native Network Intelligence, Part of CoNEXT 2022. New York : Association for Computing Machinery (ACM), 2022. pp. 27-32 (NativeNI 2022 - Proceedings of the 1st International Workshop on Native Network Intelligence, Part of CoNEXT 2022).
Bibtex
@inproceedings{03c12cd127b04af8a5478ff601d818c7,
title = "AI-based detection of DNS misuse for network security",
abstract = "Threat hunting and malware prediction are critical activities to ensure network and system security. These tasks are difficult due to increasing numbers of sophisticated malware families. Automatically detecting anomalous Domain Name System (DNS) queries in operational traffic facilitates the detection of new malware infections, significantly contributing to the work of security practitioners. In this paper, we present two AI-based Domain Generation Algorithm (DGA) detection and classification techniques - a feature-based one, leveraging classic Machine Learning algorithms and a featureless one, based on Deep Learning - specifically intended to aid in this task. Both techniques are designed to be integrated in operational environments, dealing with hundreds of thousands to millions of new malware samples per day. We report the implementation details, the classification performance, the advantages and shortcomings for both techniques, as well as experiences from the deployment of this system in an industrial environment. We show that both techniques reach more than the 90% of accuracy in the case of binary DGA detection, with a slight degradation in performance in the multi-class classification case, in which the results strongly depend on the malware type.",
author = "Irina Chiscop and Francesca Soro and Paul Smith",
year = "2022",
month = dec,
day = "9",
doi = "10.1145/3565009.3569523",
language = "English",
series = "NativeNI 2022 - Proceedings of the 1st International Workshop on Native Network Intelligence, Part of CoNEXT 2022",
publisher = "Association for Computing Machinery (ACM)",
pages = "27--32",
booktitle = "NativeNI 2022 - Proceedings of the 1st International Workshop on Native Network Intelligence, Part of CoNEXT 2022",
address = "United States",
note = "1st International Workshop on Native Network Intelligence ; Conference date: 09-12-2022",
}
RIS
TY - GEN
T1 - AI-based detection of DNS misuse for network security
AU - Chiscop, Irina
AU - Soro, Francesca
AU - Smith, Paul
PY - 2022/12/9
Y1 - 2022/12/9
N2 - Threat hunting and malware prediction are critical activities to ensure network and system security. These tasks are difficult due to increasing numbers of sophisticated malware families. Automatically detecting anomalous Domain Name System (DNS) queries in operational traffic facilitates the detection of new malware infections, significantly contributing to the work of security practitioners. In this paper, we present two AI-based Domain Generation Algorithm (DGA) detection and classification techniques - a feature-based one, leveraging classic Machine Learning algorithms and a featureless one, based on Deep Learning - specifically intended to aid in this task. Both techniques are designed to be integrated in operational environments, dealing with hundreds of thousands to millions of new malware samples per day. We report the implementation details, the classification performance, the advantages and shortcomings for both techniques, as well as experiences from the deployment of this system in an industrial environment. We show that both techniques reach more than the 90% of accuracy in the case of binary DGA detection, with a slight degradation in performance in the multi-class classification case, in which the results strongly depend on the malware type.
AB - Threat hunting and malware prediction are critical activities to ensure network and system security. These tasks are difficult due to increasing numbers of sophisticated malware families. Automatically detecting anomalous Domain Name System (DNS) queries in operational traffic facilitates the detection of new malware infections, significantly contributing to the work of security practitioners. In this paper, we present two AI-based Domain Generation Algorithm (DGA) detection and classification techniques - a feature-based one, leveraging classic Machine Learning algorithms and a featureless one, based on Deep Learning - specifically intended to aid in this task. Both techniques are designed to be integrated in operational environments, dealing with hundreds of thousands to millions of new malware samples per day. We report the implementation details, the classification performance, the advantages and shortcomings for both techniques, as well as experiences from the deployment of this system in an industrial environment. We show that both techniques reach more than the 90% of accuracy in the case of binary DGA detection, with a slight degradation in performance in the multi-class classification case, in which the results strongly depend on the malware type.
U2 - 10.1145/3565009.3569523
DO - 10.1145/3565009.3569523
M3 - Conference contribution/Paper
T3 - NativeNI 2022 - Proceedings of the 1st International Workshop on Native Network Intelligence, Part of CoNEXT 2022
SP - 27
EP - 32
BT - NativeNI 2022 - Proceedings of the 1st International Workshop on Native Network Intelligence, Part of CoNEXT 2022
PB - Association for Computing Machinery (ACM)
CY - New York
T2 - 1st International Workshop on Native Network Intelligence
Y2 - 9 December 2022
ER -