Domain generation algorithm - Revision history

RandFreeman: Adding local short description: "Algorithm used to generate large numbers of domain names", overriding Wikidata description "family of algorithms used by malware to obfuscate their original Command & Control servers' IP address"

2025-06-25T00:03:59Z

Adding local short description: "Algorithm used to generate large numbers of domain names", overriding Wikidata description "family of algorithms used by malware to obfuscate their original Command & Control servers' IP address"

← Previous revision		Revision as of 00:03, 25 June 2025
Line 1:		Line 1:
			{{Short description\|Algorithm used to generate large numbers of domain names}}
	'''Domain generation algorithms''' (DGA) are algorithms seen in various families of [[malware]] that are used to periodically generate a large number of [[Domain Name System\|domain names]] that can be used as rendezvous points with their [[command and control (malware)\|command and control servers]]. The large number of potential rendezvous points makes it difficult for law enforcement to effectively shut down [[botnet]]s, since infected computers will attempt to contact some of these domain names every day to receive updates or commands. The use of [[public-key cryptography]] in malware code makes it unfeasible for law enforcement and other actors to mimic commands from the malware controllers as some worms will automatically reject any updates not [[digital signature\|signed]] by the malware controllers.		'''Domain generation algorithms''' (DGA) are algorithms seen in various families of [[malware]] that are used to periodically generate a large number of [[Domain Name System\|domain names]] that can be used as rendezvous points with their [[command and control (malware)\|command and control servers]]. The large number of potential rendezvous points makes it difficult for law enforcement to effectively shut down [[botnet]]s, since infected computers will attempt to contact some of these domain names every day to receive updates or commands. The use of [[public-key cryptography]] in malware code makes it unfeasible for law enforcement and other actors to mimic commands from the malware controllers as some worms will automatically reject any updates not [[digital signature\|signed]] by the malware controllers.

Citation bot: Alter: title, template type. Add: chapter-url, chapter. Removed or converted URL. Removed parameters. Some additions/deletions were parameter name changes. | Use this bot. Report bugs. | #UCB_CommandLine

2023-07-22T00:17:24Z

Alter: title, template type. Add: chapter-url, chapter. Removed or converted URL. Removed parameters. Some additions/deletions were parameter name changes. | Use this bot. Report bugs. | #UCB_CommandLine

← Previous revision		Revision as of 00:17, 22 July 2023
Line 29:		Line 29:

	==Detection==		==Detection==
	DGA domain<ref>Shateel A. Chowdhury, [https://hackersterminal.com/domain-generation-algorithm-dga-in-malware/ "DOMAIN GENERATION ALGORITHM – DGA IN MALWARE"], Aug 30, 2019.</ref> names can be blocked using blacklists, but the coverage of these blacklists is either poor (public blacklists) or wildly inconsistent (commercial vendor blacklists).<ref>{{Citation\|last1=Kührer\|first1=Marc\|title=Paint It Black: Evaluating the Effectiveness of Malware Blacklists\|date=2014\|url=https://christian-rossow.de/publications/blacklists-raid2014.pdf\|work=Research in Attacks, Intrusions and Defenses\|volume=8688\|pages=1–21\|editor-last=Stavrou\|editor-first=Angelos\|publisher=Springer International Publishing\|doi=10.1007/978-3-319-11379-1_1\|isbn=9783319113784\|access-date=2019-03-15\|last2=Rossow\|first2=Christian\|last3=Holz\|first3=Thorsten\|editor2-last=Bos\|editor2-first=Herbert\|editor3-last=Portokalidis\|editor3-first=Georgios}}</ref> Detection techniques belong in two main classes: reactionary and real-time. Reactionary detection relies on non-supervised [[Cluster analysis\|clustering techniques]] and contextual information like network NXDOMAIN responses,<ref>{{Cite journal\|last=Antonakakis\|first=Manos\|display-authors=et al\|date=2012\|title=From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based Malware\|url=https://www.usenix.org/conference/usenixsecurity12/technical-sessions/presentation/antonakakis\|journal=21st USENIX Security Symposium\|pages=491–506}}</ref> [[WHOIS]] information,<ref>{{cite arXiv\|last1=Curtin\|first1=Ryan\|last2=Gardner\|first2=Andrew\|last3=Grzonkowski\|first3=Slawomir\|last4=Kleymenov\|first4=Alexey\|last5=Mosquera\|first5=Alejandro\|date=2018\|title=Detecting DGA domains with recurrent neural networks and side information\|eprint=1810.02023\|class=cs.CR}}</ref> and passive DNS<ref>{{Citation\|last1=Pereira\|first1=Mayana\|chapter=Dictionary Extraction and Detection of Algorithmically Generated Domain Names in Passive DNS Traffic\|date=2018\|chapter-url=http://faculty.washington.edu/mdecock/papers/mpereira2018a.pdf\|volume=11050\|pages=295–314\|publisher=Springer International Publishing\|doi=10.1007/978-3-030-00470-5_14\|isbn=978-3-030-00469-9\|access-date=2019-03-15\|last2=Coleman\|first2=Shaun\|last3=Yu\|first3=Bin\|last4=De Cock\|first4=Martine\|last5=Nascimento\|first5=Anderson\|title=Research in Attacks, Intrusions, and Defenses\|series=Lecture Notes in Computer Science}}</ref> to make an assessment of domain name legitimacy. Recent attempts at detecting DGA domain names with [[deep learning]] techniques have been extremely successful, with [[F1 score]]s of over 99%.<ref>{{cite arXiv\|last1=Woodbridge\|first1=Jonathan\|last2=Anderson\|first2=Hyrum\|last3=Ahuja\|first3=Anjum\|last4=Grant\|first4=Daniel\|date=2016\|title=Predicting Domain Generation Algorithms with Long Short-Term Memory Networks\|eprint=1611.00791\|class=cs.CR}}</ref> These deep learning methods typically utilize [[Long short-term memory\|LSTM]] and [[Convolutional neural network\|CNN]] architectures,<ref>{{Cite ~~journal~~\|last1=Yu\|first1=Bin\|last2=Pan\|first2=Jie\|last3=Hu\|first3=Jiaming\|last4=Nascimento\|first4=Anderson\|last5=De Cock\|first5=Martine\|~~date~~=2018\|~~title~~=Character Level based Detection of DGA Domain Names\|url=http://faculty.washington.edu/mdecock/papers/byu2018a.pdf~~\|journal=2018 International Joint Conference on Neural Networks (IJCNN)~~\|location=Rio de Janeiro\|publisher=IEEE\|pages=1–8\|doi=10.1109/IJCNN.2018.8489147\|isbn=978-1-5090-6014-6\|s2cid=52398612}}</ref> though deep [[word embedding]]s have shown great promise for detecting dictionary DGA.<ref>{{Cite ~~journal~~\|last1=Koh\|first1=Joewie J.\|last2=Rhodes\|first2=Barton\|~~date~~=2018\|~~title~~=Inline Detection of Domain Generation Algorithms with Context-Sensitive Word Embeddings\|arxiv=1811.08705~~\|journal=2018 IEEE International Conference on Big Data (Big Data)~~\|location=Seattle, WA, USA\|publisher=IEEE\|pages=2966–2971\|doi=10.1109/BigData.2018.8622066\|isbn=978-1-5386-5035-6\|s2cid=53793204}}</ref> However, these deep learning approaches can be vulnerable to [[Adversarial machine learning\|adversarial techniques]].<ref>{{cite arXiv\|last1=Anderson\|first1=Hyrum\|last2=Woodbridge\|first2=Jonathan\|last3=Bobby\|first3=Filar\|date=2016\|title=DeepDGA: Adversarially-Tuned Domain Generation and Detection\|eprint=1610.01969\|class=cs.CR}}</ref><ref>{{cite arXiv\|last1=Sidi\|first1=Lior\|last2=Nadler\|first2=Asaf\|last3=Shabtai\|first3=Asaf\|date=2019\|title=MaskDGA: A Black-box Evasion Technique Against DGA Classifiers and Adversarial Defenses\|eprint=1902.08909\|class=cs.CR}}</ref>		DGA domain<ref>Shateel A. Chowdhury, [https://hackersterminal.com/domain-generation-algorithm-dga-in-malware/ "DOMAIN GENERATION ALGORITHM – DGA IN MALWARE"], Aug 30, 2019.</ref> names can be blocked using blacklists, but the coverage of these blacklists is either poor (public blacklists) or wildly inconsistent (commercial vendor blacklists).<ref>{{Citation\|last1=Kührer\|first1=Marc\|title=Paint It Black: Evaluating the Effectiveness of Malware Blacklists\|date=2014\|url=https://christian-rossow.de/publications/blacklists-raid2014.pdf\|work=Research in Attacks, Intrusions and Defenses\|volume=8688\|pages=1–21\|editor-last=Stavrou\|editor-first=Angelos\|publisher=Springer International Publishing\|doi=10.1007/978-3-319-11379-1_1\|isbn=9783319113784\|access-date=2019-03-15\|last2=Rossow\|first2=Christian\|last3=Holz\|first3=Thorsten\|editor2-last=Bos\|editor2-first=Herbert\|editor3-last=Portokalidis\|editor3-first=Georgios}}</ref> Detection techniques belong in two main classes: reactionary and real-time. Reactionary detection relies on non-supervised [[Cluster analysis\|clustering techniques]] and contextual information like network NXDOMAIN responses,<ref>{{Cite journal\|last=Antonakakis\|first=Manos\|display-authors=et al\|date=2012\|title=From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based Malware\|url=https://www.usenix.org/conference/usenixsecurity12/technical-sessions/presentation/antonakakis\|journal=21st USENIX Security Symposium\|pages=491–506}}</ref> [[WHOIS]] information,<ref>{{cite arXiv\|last1=Curtin\|first1=Ryan\|last2=Gardner\|first2=Andrew\|last3=Grzonkowski\|first3=Slawomir\|last4=Kleymenov\|first4=Alexey\|last5=Mosquera\|first5=Alejandro\|date=2018\|title=Detecting DGA domains with recurrent neural networks and side information\|eprint=1810.02023\|class=cs.CR}}</ref> and passive DNS<ref>{{Citation\|last1=Pereira\|first1=Mayana\|chapter=Dictionary Extraction and Detection of Algorithmically Generated Domain Names in Passive DNS Traffic\|date=2018\|chapter-url=http://faculty.washington.edu/mdecock/papers/mpereira2018a.pdf\|volume=11050\|pages=295–314\|publisher=Springer International Publishing\|doi=10.1007/978-3-030-00470-5_14\|isbn=978-3-030-00469-9\|access-date=2019-03-15\|last2=Coleman\|first2=Shaun\|last3=Yu\|first3=Bin\|last4=De Cock\|first4=Martine\|last5=Nascimento\|first5=Anderson\|title=Research in Attacks, Intrusions, and Defenses\|series=Lecture Notes in Computer Science}}</ref> to make an assessment of domain name legitimacy. Recent attempts at detecting DGA domain names with [[deep learning]] techniques have been extremely successful, with [[F1 score]]s of over 99%.<ref>{{cite arXiv\|last1=Woodbridge\|first1=Jonathan\|last2=Anderson\|first2=Hyrum\|last3=Ahuja\|first3=Anjum\|last4=Grant\|first4=Daniel\|date=2016\|title=Predicting Domain Generation Algorithms with Long Short-Term Memory Networks\|eprint=1611.00791\|class=cs.CR}}</ref> These deep learning methods typically utilize [[Long short-term memory\|LSTM]] and [[Convolutional neural network\|CNN]] architectures,<ref>{{Cite book\|last1=Yu\|first1=Bin\|last2=Pan\|first2=Jie\|last3=Hu\|first3=Jiaming\|last4=Nascimento\|first4=Anderson\|last5=De Cock\|first5=Martine\|title=2018 International Joint Conference on Neural Networks (IJCNN) \|chapter=Character Level based Detection of DGA Domain Names \|date=2018\|chapter-url=http://faculty.washington.edu/mdecock/papers/byu2018a.pdf\|location=Rio de Janeiro\|publisher=IEEE\|pages=1–8\|doi=10.1109/IJCNN.2018.8489147\|isbn=978-1-5090-6014-6\|s2cid=52398612}}</ref> though deep [[word embedding]]s have shown great promise for detecting dictionary DGA.<ref>{{Cite book\|last1=Koh\|first1=Joewie J.\|last2=Rhodes\|first2=Barton\|title=2018 IEEE International Conference on Big Data (Big Data) \|chapter=Inline Detection of Domain Generation Algorithms with Context-Sensitive Word Embeddings \|date=2018\|arxiv=1811.08705\|location=Seattle, WA, USA\|publisher=IEEE\|pages=2966–2971\|doi=10.1109/BigData.2018.8622066\|isbn=978-1-5386-5035-6\|s2cid=53793204}}</ref> However, these deep learning approaches can be vulnerable to [[Adversarial machine learning\|adversarial techniques]].<ref>{{cite arXiv\|last1=Anderson\|first1=Hyrum\|last2=Woodbridge\|first2=Jonathan\|last3=Bobby\|first3=Filar\|date=2016\|title=DeepDGA: Adversarially-Tuned Domain Generation and Detection\|eprint=1610.01969\|class=cs.CR}}</ref><ref>{{cite arXiv\|last1=Sidi\|first1=Lior\|last2=Nadler\|first2=Asaf\|last3=Shabtai\|first3=Asaf\|date=2019\|title=MaskDGA: A Black-box Evasion Technique Against DGA Classifiers and Adversarial Defenses\|eprint=1902.08909\|class=cs.CR}}</ref>

	==See also==		==See also==

Citation bot: Alter: template type. Add: s2cid, authors 1-1. Removed parameters. Some additions/deletions were parameter name changes. | Use this bot. Report bugs. | Suggested by AManWithNoPlan | #UCB_webform 751/1776

2022-01-29T18:29:44Z

Alter: template type. Add: s2cid, authors 1-1. Removed parameters. Some additions/deletions were parameter name changes. | Use this bot. Report bugs. | Suggested by AManWithNoPlan | #UCB_webform 751/1776

← Previous revision		Revision as of 18:29, 29 January 2022
Line 9:		Line 9:
	Recently, the technique has been adopted by other malware authors. According to network security firm [[Damballa (company)\|Damballa]], the top-5 most prevalent DGA-based [[crimeware]] families are Conficker, Murofet, BankPatch, Bonnana and Bobax as of 2011.<ref>{{cite web\|url=https://www.damballa.com/downloads/r_pubs/WP_DGAs-in-the-Hands-of-Cyber-Criminals.pdf\|archive-url=https://web.archive.org/web/20160403200600/https://www.damballa.com/downloads/r_pubs/WP_DGAs-in-the-Hands-of-Cyber-Criminals.pdf\|url-status=dead\|archive-date=2016-04-03\|title=Top-5 Most Prevalent DGA-based Crimeware Families\|page=4\|publisher=[[Damballa (company)\|Damballa]]}}</ref>		Recently, the technique has been adopted by other malware authors. According to network security firm [[Damballa (company)\|Damballa]], the top-5 most prevalent DGA-based [[crimeware]] families are Conficker, Murofet, BankPatch, Bonnana and Bobax as of 2011.<ref>{{cite web\|url=https://www.damballa.com/downloads/r_pubs/WP_DGAs-in-the-Hands-of-Cyber-Criminals.pdf\|archive-url=https://web.archive.org/web/20160403200600/https://www.damballa.com/downloads/r_pubs/WP_DGAs-in-the-Hands-of-Cyber-Criminals.pdf\|url-status=dead\|archive-date=2016-04-03\|title=Top-5 Most Prevalent DGA-based Crimeware Families\|page=4\|publisher=[[Damballa (company)\|Damballa]]}}</ref>

	DGA can also combine words from a [[dictionary]] to generate domains. These dictionaries can be hard-coded in malware or taken from a publicly accessible source.<ref>{{Cite journal\|~~last~~=Plohmann\|~~first~~=Daniel\|last2=Yakdan\|first2=Khaled\|last3=Klatt\|first3=Michael\|last4=Bader\|first4=Johannes\|last5=Gerhards-Padilla\|first5=Elmar\|date=2016\|title=A Comprehensive Measurement Study of Domain Generating Malware\|url=https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_plohmann.pdf\|journal=25th USENIX Security Symposium\|pages=263–278}}</ref> Domains generated by dictionary DGA tend to be more difficult to detect due to their similarity to legitimate domains.		DGA can also combine words from a [[dictionary]] to generate domains. These dictionaries can be hard-coded in malware or taken from a publicly accessible source.<ref>{{Cite journal\|last1=Plohmann\|first1=Daniel\|last2=Yakdan\|first2=Khaled\|last3=Klatt\|first3=Michael\|last4=Bader\|first4=Johannes\|last5=Gerhards-Padilla\|first5=Elmar\|date=2016\|title=A Comprehensive Measurement Study of Domain Generating Malware\|url=https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_plohmann.pdf\|journal=25th USENIX Security Symposium\|pages=263–278}}</ref> Domains generated by dictionary DGA tend to be more difficult to detect due to their similarity to legitimate domains.

	== Example ==		== Example ==
Line 29:		Line 29:

	==Detection==		==Detection==
	DGA domain<ref>Shateel A. Chowdhury, [https://hackersterminal.com/domain-generation-algorithm-dga-in-malware/ "DOMAIN GENERATION ALGORITHM – DGA IN MALWARE"], Aug 30, 2019.</ref> names can be blocked using blacklists, but the coverage of these blacklists is either poor (public blacklists) or wildly inconsistent (commercial vendor blacklists).<ref>{{Citation\|~~last~~=Kührer\|~~first~~=Marc\|title=Paint It Black: Evaluating the Effectiveness of Malware Blacklists\|date=2014\|url=https://christian-rossow.de/publications/blacklists-raid2014.pdf\|work=Research in Attacks, Intrusions and Defenses\|volume=8688\|pages=1–21\|editor-last=Stavrou\|editor-first=Angelos\|publisher=Springer International Publishing\|doi=10.1007/978-3-319-11379-1_1\|isbn=9783319113784\|access-date=2019-03-15\|last2=Rossow\|first2=Christian\|last3=Holz\|first3=Thorsten\|editor2-last=Bos\|editor2-first=Herbert\|editor3-last=Portokalidis\|editor3-first=Georgios}}</ref> Detection techniques belong in two main classes: reactionary and real-time. Reactionary detection relies on non-supervised [[Cluster analysis\|clustering techniques]] and contextual information like network NXDOMAIN responses,<ref>{{Cite journal\|last=Antonakakis\|first=Manos\|display-authors=et al\|date=2012\|title=From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based Malware\|url=https://www.usenix.org/conference/usenixsecurity12/technical-sessions/presentation/antonakakis\|journal=21st USENIX Security Symposium\|pages=491–506}}</ref> [[WHOIS]] information,<ref>{{cite ~~arxiv~~\|~~last~~=Curtin\|~~first~~=Ryan\|last2=Gardner\|first2=Andrew\|last3=Grzonkowski\|first3=Slawomir\|last4=Kleymenov\|first4=Alexey\|last5=Mosquera\|first5=Alejandro\|date=2018\|title=Detecting DGA domains with recurrent neural networks and side information\|eprint=1810.02023\|class=cs.CR}}</ref> and passive DNS<ref>{{Citation\|~~last~~=Pereira\|~~first~~=Mayana\|chapter=Dictionary Extraction and Detection of Algorithmically Generated Domain Names in Passive DNS Traffic\|date=2018\|chapter-url=http://faculty.washington.edu/mdecock/papers/mpereira2018a.pdf\|volume=11050\|pages=295–314\|publisher=Springer International Publishing\|doi=10.1007/978-3-030-00470-5_14\|isbn=978-3-030-00469-9\|access-date=2019-03-15\|last2=Coleman\|first2=Shaun\|last3=Yu\|first3=Bin\|last4=De Cock\|first4=Martine\|last5=Nascimento\|first5=Anderson\|title=Research in Attacks, Intrusions, and Defenses\|series=Lecture Notes in Computer Science}}</ref> to make an assessment of domain name legitimacy. Recent attempts at detecting DGA domain names with [[deep learning]] techniques have been extremely successful, with [[F1 score]]s of over 99%.<ref>{{cite ~~arxiv~~\|~~last~~=Woodbridge\|~~first~~=Jonathan\|last2=Anderson\|first2=Hyrum\|last3=Ahuja\|first3=Anjum\|last4=Grant\|first4=Daniel\|date=2016\|title=Predicting Domain Generation Algorithms with Long Short-Term Memory Networks\|eprint=1611.00791\|class=cs.CR}}</ref> These deep learning methods typically utilize [[Long short-term memory\|LSTM]] and [[Convolutional neural network\|CNN]] architectures,<ref>{{Cite journal\|~~last~~=Yu\|~~first~~=Bin\|last2=Pan\|first2=Jie\|last3=Hu\|first3=Jiaming\|last4=Nascimento\|first4=Anderson\|last5=De Cock\|first5=Martine\|date=2018\|title=Character Level based Detection of DGA Domain Names\|url=http://faculty.washington.edu/mdecock/papers/byu2018a.pdf\|journal=2018 International Joint Conference on Neural Networks (IJCNN)\|location=Rio de Janeiro\|publisher=IEEE\|pages=1–8\|doi=10.1109/IJCNN.2018.8489147\|isbn=978-1-5090-6014-6}}</ref> though deep [[word embedding]]s have shown great promise for detecting dictionary DGA.<ref>{{Cite journal\|~~last~~=Koh\|~~first~~=Joewie J.\|last2=Rhodes\|first2=Barton\|date=2018\|title=Inline Detection of Domain Generation Algorithms with Context-Sensitive Word Embeddings\|arxiv=1811.08705\|journal=2018 IEEE International Conference on Big Data (Big Data)\|location=Seattle, WA, USA\|publisher=IEEE\|pages=2966–2971\|doi=10.1109/BigData.2018.8622066\|isbn=978-1-5386-5035-6}}</ref> However, these deep learning approaches can be vulnerable to [[Adversarial machine learning\|adversarial techniques]].<ref>{{cite ~~arxiv~~\|~~last~~=Anderson\|~~first~~=Hyrum\|last2=Woodbridge\|first2=Jonathan\|last3=Bobby\|first3=Filar\|date=2016\|title=DeepDGA: Adversarially-Tuned Domain Generation and Detection\|eprint=1610.01969\|class=cs.CR}}</ref><ref>{{cite ~~arxiv~~\|~~last~~=Sidi\|~~first~~=Lior\|last2=Nadler\|first2=Asaf\|last3=Shabtai\|first3=Asaf\|date=2019\|title=MaskDGA: A Black-box Evasion Technique Against DGA Classifiers and Adversarial Defenses\|eprint=1902.08909\|class=cs.CR}}</ref>		DGA domain<ref>Shateel A. Chowdhury, [https://hackersterminal.com/domain-generation-algorithm-dga-in-malware/ "DOMAIN GENERATION ALGORITHM – DGA IN MALWARE"], Aug 30, 2019.</ref> names can be blocked using blacklists, but the coverage of these blacklists is either poor (public blacklists) or wildly inconsistent (commercial vendor blacklists).<ref>{{Citation\|last1=Kührer\|first1=Marc\|title=Paint It Black: Evaluating the Effectiveness of Malware Blacklists\|date=2014\|url=https://christian-rossow.de/publications/blacklists-raid2014.pdf\|work=Research in Attacks, Intrusions and Defenses\|volume=8688\|pages=1–21\|editor-last=Stavrou\|editor-first=Angelos\|publisher=Springer International Publishing\|doi=10.1007/978-3-319-11379-1_1\|isbn=9783319113784\|access-date=2019-03-15\|last2=Rossow\|first2=Christian\|last3=Holz\|first3=Thorsten\|editor2-last=Bos\|editor2-first=Herbert\|editor3-last=Portokalidis\|editor3-first=Georgios}}</ref> Detection techniques belong in two main classes: reactionary and real-time. Reactionary detection relies on non-supervised [[Cluster analysis\|clustering techniques]] and contextual information like network NXDOMAIN responses,<ref>{{Cite journal\|last=Antonakakis\|first=Manos\|display-authors=et al\|date=2012\|title=From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based Malware\|url=https://www.usenix.org/conference/usenixsecurity12/technical-sessions/presentation/antonakakis\|journal=21st USENIX Security Symposium\|pages=491–506}}</ref> [[WHOIS]] information,<ref>{{cite arXiv\|last1=Curtin\|first1=Ryan\|last2=Gardner\|first2=Andrew\|last3=Grzonkowski\|first3=Slawomir\|last4=Kleymenov\|first4=Alexey\|last5=Mosquera\|first5=Alejandro\|date=2018\|title=Detecting DGA domains with recurrent neural networks and side information\|eprint=1810.02023\|class=cs.CR}}</ref> and passive DNS<ref>{{Citation\|last1=Pereira\|first1=Mayana\|chapter=Dictionary Extraction and Detection of Algorithmically Generated Domain Names in Passive DNS Traffic\|date=2018\|chapter-url=http://faculty.washington.edu/mdecock/papers/mpereira2018a.pdf\|volume=11050\|pages=295–314\|publisher=Springer International Publishing\|doi=10.1007/978-3-030-00470-5_14\|isbn=978-3-030-00469-9\|access-date=2019-03-15\|last2=Coleman\|first2=Shaun\|last3=Yu\|first3=Bin\|last4=De Cock\|first4=Martine\|last5=Nascimento\|first5=Anderson\|title=Research in Attacks, Intrusions, and Defenses\|series=Lecture Notes in Computer Science}}</ref> to make an assessment of domain name legitimacy. Recent attempts at detecting DGA domain names with [[deep learning]] techniques have been extremely successful, with [[F1 score]]s of over 99%.<ref>{{cite arXiv\|last1=Woodbridge\|first1=Jonathan\|last2=Anderson\|first2=Hyrum\|last3=Ahuja\|first3=Anjum\|last4=Grant\|first4=Daniel\|date=2016\|title=Predicting Domain Generation Algorithms with Long Short-Term Memory Networks\|eprint=1611.00791\|class=cs.CR}}</ref> These deep learning methods typically utilize [[Long short-term memory\|LSTM]] and [[Convolutional neural network\|CNN]] architectures,<ref>{{Cite journal\|last1=Yu\|first1=Bin\|last2=Pan\|first2=Jie\|last3=Hu\|first3=Jiaming\|last4=Nascimento\|first4=Anderson\|last5=De Cock\|first5=Martine\|date=2018\|title=Character Level based Detection of DGA Domain Names\|url=http://faculty.washington.edu/mdecock/papers/byu2018a.pdf\|journal=2018 International Joint Conference on Neural Networks (IJCNN)\|location=Rio de Janeiro\|publisher=IEEE\|pages=1–8\|doi=10.1109/IJCNN.2018.8489147\|isbn=978-1-5090-6014-6\|s2cid=52398612}}</ref> though deep [[word embedding]]s have shown great promise for detecting dictionary DGA.<ref>{{Cite journal\|last1=Koh\|first1=Joewie J.\|last2=Rhodes\|first2=Barton\|date=2018\|title=Inline Detection of Domain Generation Algorithms with Context-Sensitive Word Embeddings\|arxiv=1811.08705\|journal=2018 IEEE International Conference on Big Data (Big Data)\|location=Seattle, WA, USA\|publisher=IEEE\|pages=2966–2971\|doi=10.1109/BigData.2018.8622066\|isbn=978-1-5386-5035-6\|s2cid=53793204}}</ref> However, these deep learning approaches can be vulnerable to [[Adversarial machine learning\|adversarial techniques]].<ref>{{cite arXiv\|last1=Anderson\|first1=Hyrum\|last2=Woodbridge\|first2=Jonathan\|last3=Bobby\|first3=Filar\|date=2016\|title=DeepDGA: Adversarially-Tuned Domain Generation and Detection\|eprint=1610.01969\|class=cs.CR}}</ref><ref>{{cite arXiv\|last1=Sidi\|first1=Lior\|last2=Nadler\|first2=Asaf\|last3=Shabtai\|first3=Asaf\|date=2019\|title=MaskDGA: A Black-box Evasion Technique Against DGA Classifiers and Adversarial Defenses\|eprint=1902.08909\|class=cs.CR}}</ref>

	==See also==		==See also==

Tom.Reding: Enum 1 author/editor WL; WP:GenFixes on

2020-12-18T23:43:49Z

Enum 1 author/editor WL; WP:GenFixes on

← Previous revision		Revision as of 23:43, 18 December 2020
Line 29:		Line 29:

	==Detection==		==Detection==
	DGA domain<ref>Shateel A. Chowdhury, [https://hackersterminal.com/domain-generation-algorithm-dga-in-malware/ "DOMAIN GENERATION ALGORITHM – DGA IN MALWARE"], Aug 30, 2019. </ref> names can be blocked using blacklists, but the coverage of these blacklists is either poor (public blacklists) or wildly inconsistent (commercial vendor blacklists).<ref>{{Citation\|last=Kührer\|first=Marc\|title=Paint It Black: Evaluating the Effectiveness of Malware Blacklists\|date=2014\|url=https://christian-rossow.de/publications/blacklists-raid2014.pdf\|work=Research in Attacks, Intrusions and Defenses\|volume=8688\|pages=1–21\|editor-last=Stavrou\|editor-first=Angelos\|publisher=Springer International Publishing\|doi=10.1007/978-3-319-11379-1_1\|isbn=9783319113784\|access-date=2019-03-15\|last2=Rossow\|first2=Christian\|last3=Holz\|first3=Thorsten\|editor2-last=Bos\|editor2-first=Herbert\|editor3-last=Portokalidis\|editor3-first=Georgios}}</ref> Detection techniques belong in two main classes: reactionary and real-time. Reactionary detection relies on non-supervised [[Cluster analysis\|clustering techniques]] and contextual information like network NXDOMAIN responses,<ref>{{Cite journal\|last=Antonakakis\|first=Manos\|display-authors=et al\|date=2012\|title=From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based Malware\|url=https://www.usenix.org/conference/usenixsecurity12/technical-sessions/presentation/antonakakis\|journal=21st USENIX Security Symposium\|pages=491–506}}</ref> [[WHOIS]] information,<ref>{{cite arxiv\|last=Curtin\|first=Ryan\|last2=Gardner\|first2=Andrew\|last3=Grzonkowski\|first3=Slawomir\|last4=Kleymenov\|first4=Alexey\|last5=Mosquera\|first5=Alejandro\|date=2018\|title=Detecting DGA domains with recurrent neural networks and side information\|eprint=1810.02023\|class=cs.CR}}</ref> and passive DNS<ref>{{Citation\|last=Pereira\|first=Mayana\|chapter=Dictionary Extraction and Detection of Algorithmically Generated Domain Names in Passive DNS Traffic\|date=2018\|chapter-url=http://faculty.washington.edu/mdecock/papers/mpereira2018a.pdf\|volume=11050\|pages=295–314\|publisher=Springer International Publishing\|doi=10.1007/978-3-030-00470-5_14\|isbn=978-3-030-00469-9\|access-date=2019-03-15\|last2=Coleman\|first2=Shaun\|last3=Yu\|first3=Bin\|last4=De Cock\|first4=Martine\|last5=Nascimento\|first5=Anderson\|title=Research in Attacks, Intrusions, and Defenses\|series=Lecture Notes in Computer Science}}</ref> to make an assessment of domain name legitimacy. Recent attempts at detecting DGA domain names with [[deep learning]] techniques have been extremely successful, with [[F1 score]]s of over 99%.<ref>{{cite arxiv\|last=Woodbridge\|first=Jonathan\|last2=Anderson\|first2=Hyrum\|last3=Ahuja\|first3=Anjum\|last4=Grant\|first4=Daniel\|date=2016\|title=Predicting Domain Generation Algorithms with Long Short-Term Memory Networks\|eprint=1611.00791\|class=cs.CR}}</ref> These deep learning methods typically utilize [[Long short-term memory\|LSTM]] and [[Convolutional neural network\|CNN]] architectures,<ref>{{Cite journal\|last=Yu\|first=Bin\|last2=Pan\|first2=Jie\|last3=Hu\|first3=Jiaming\|last4=Nascimento\|first4=Anderson\|last5=De Cock\|first5=Martine\|date=2018\|title=Character Level based Detection of DGA Domain Names\|url=http://faculty.washington.edu/mdecock/papers/byu2018a.pdf\|journal=2018 International Joint Conference on Neural Networks (IJCNN)\|location=Rio de Janeiro\|publisher=IEEE\|pages=1–8\|doi=10.1109/IJCNN.2018.8489147\|isbn=978-1-5090-6014-6}}</ref> though deep [[word embedding]]s have shown great promise for detecting dictionary DGA.<ref>{{Cite journal\|last=Koh\|first=Joewie J.\|last2=Rhodes\|first2=Barton\|date=2018\|title=Inline Detection of Domain Generation Algorithms with Context-Sensitive Word Embeddings\|arxiv=1811.08705\|journal=2018 IEEE International Conference on Big Data (Big Data)\|location=Seattle, WA, USA\|publisher=IEEE\|pages=2966–2971\|doi=10.1109/BigData.2018.8622066\|isbn=978-1-5386-5035-6}}</ref> However, these deep learning approaches can be vulnerable to [[Adversarial machine learning\|adversarial techniques]].<ref>{{cite arxiv\|last=Anderson\|first=Hyrum\|last2=Woodbridge\|first2=Jonathan\|last3=Bobby\|first3=Filar\|date=2016\|title=DeepDGA: Adversarially-Tuned Domain Generation and Detection\|eprint=1610.01969\|class=cs.CR}}</ref><ref>{{cite arxiv\|last=Sidi\|first=Lior\|last2=Nadler\|first2=Asaf\|last3=Shabtai\|first3=Asaf\|date=2019\|title=MaskDGA: A Black-box Evasion Technique Against DGA Classifiers and Adversarial Defenses\|eprint=1902.08909\|class=cs.CR}}</ref>		DGA domain<ref>Shateel A. Chowdhury, [https://hackersterminal.com/domain-generation-algorithm-dga-in-malware/ "DOMAIN GENERATION ALGORITHM – DGA IN MALWARE"], Aug 30, 2019.</ref> names can be blocked using blacklists, but the coverage of these blacklists is either poor (public blacklists) or wildly inconsistent (commercial vendor blacklists).<ref>{{Citation\|last=Kührer\|first=Marc\|title=Paint It Black: Evaluating the Effectiveness of Malware Blacklists\|date=2014\|url=https://christian-rossow.de/publications/blacklists-raid2014.pdf\|work=Research in Attacks, Intrusions and Defenses\|volume=8688\|pages=1–21\|editor-last=Stavrou\|editor-first=Angelos\|publisher=Springer International Publishing\|doi=10.1007/978-3-319-11379-1_1\|isbn=9783319113784\|access-date=2019-03-15\|last2=Rossow\|first2=Christian\|last3=Holz\|first3=Thorsten\|editor2-last=Bos\|editor2-first=Herbert\|editor3-last=Portokalidis\|editor3-first=Georgios}}</ref> Detection techniques belong in two main classes: reactionary and real-time. Reactionary detection relies on non-supervised [[Cluster analysis\|clustering techniques]] and contextual information like network NXDOMAIN responses,<ref>{{Cite journal\|last=Antonakakis\|first=Manos\|display-authors=et al\|date=2012\|title=From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based Malware\|url=https://www.usenix.org/conference/usenixsecurity12/technical-sessions/presentation/antonakakis\|journal=21st USENIX Security Symposium\|pages=491–506}}</ref> [[WHOIS]] information,<ref>{{cite arxiv\|last=Curtin\|first=Ryan\|last2=Gardner\|first2=Andrew\|last3=Grzonkowski\|first3=Slawomir\|last4=Kleymenov\|first4=Alexey\|last5=Mosquera\|first5=Alejandro\|date=2018\|title=Detecting DGA domains with recurrent neural networks and side information\|eprint=1810.02023\|class=cs.CR}}</ref> and passive DNS<ref>{{Citation\|last=Pereira\|first=Mayana\|chapter=Dictionary Extraction and Detection of Algorithmically Generated Domain Names in Passive DNS Traffic\|date=2018\|chapter-url=http://faculty.washington.edu/mdecock/papers/mpereira2018a.pdf\|volume=11050\|pages=295–314\|publisher=Springer International Publishing\|doi=10.1007/978-3-030-00470-5_14\|isbn=978-3-030-00469-9\|access-date=2019-03-15\|last2=Coleman\|first2=Shaun\|last3=Yu\|first3=Bin\|last4=De Cock\|first4=Martine\|last5=Nascimento\|first5=Anderson\|title=Research in Attacks, Intrusions, and Defenses\|series=Lecture Notes in Computer Science}}</ref> to make an assessment of domain name legitimacy. Recent attempts at detecting DGA domain names with [[deep learning]] techniques have been extremely successful, with [[F1 score]]s of over 99%.<ref>{{cite arxiv\|last=Woodbridge\|first=Jonathan\|last2=Anderson\|first2=Hyrum\|last3=Ahuja\|first3=Anjum\|last4=Grant\|first4=Daniel\|date=2016\|title=Predicting Domain Generation Algorithms with Long Short-Term Memory Networks\|eprint=1611.00791\|class=cs.CR}}</ref> These deep learning methods typically utilize [[Long short-term memory\|LSTM]] and [[Convolutional neural network\|CNN]] architectures,<ref>{{Cite journal\|last=Yu\|first=Bin\|last2=Pan\|first2=Jie\|last3=Hu\|first3=Jiaming\|last4=Nascimento\|first4=Anderson\|last5=De Cock\|first5=Martine\|date=2018\|title=Character Level based Detection of DGA Domain Names\|url=http://faculty.washington.edu/mdecock/papers/byu2018a.pdf\|journal=2018 International Joint Conference on Neural Networks (IJCNN)\|location=Rio de Janeiro\|publisher=IEEE\|pages=1–8\|doi=10.1109/IJCNN.2018.8489147\|isbn=978-1-5090-6014-6}}</ref> though deep [[word embedding]]s have shown great promise for detecting dictionary DGA.<ref>{{Cite journal\|last=Koh\|first=Joewie J.\|last2=Rhodes\|first2=Barton\|date=2018\|title=Inline Detection of Domain Generation Algorithms with Context-Sensitive Word Embeddings\|arxiv=1811.08705\|journal=2018 IEEE International Conference on Big Data (Big Data)\|location=Seattle, WA, USA\|publisher=IEEE\|pages=2966–2971\|doi=10.1109/BigData.2018.8622066\|isbn=978-1-5386-5035-6}}</ref> However, these deep learning approaches can be vulnerable to [[Adversarial machine learning\|adversarial techniques]].<ref>{{cite arxiv\|last=Anderson\|first=Hyrum\|last2=Woodbridge\|first2=Jonathan\|last3=Bobby\|first3=Filar\|date=2016\|title=DeepDGA: Adversarially-Tuned Domain Generation and Detection\|eprint=1610.01969\|class=cs.CR}}</ref><ref>{{cite arxiv\|last=Sidi\|first=Lior\|last2=Nadler\|first2=Asaf\|last3=Shabtai\|first3=Asaf\|date=2019\|title=MaskDGA: A Black-box Evasion Technique Against DGA Classifiers and Adversarial Defenses\|eprint=1902.08909\|class=cs.CR}}</ref>

	==See also==		==See also==
Line 36:		Line 36:

	==References==		==References==
	{{~~reflist~~}}		{{Reflist}}
	<br />

	==Further reading==		==Further reading==
	* {{cite web\|url=http://mtc.sri.com/Conficker\|title=An Analysis of Conficker's Logic and Rendezvous Points\|author=[[Phillip Porras]] \|author2=Hassen Saidi \|author3=Vinod Yegneswaran\|work=Malware Threat Center\|publisher=[[SRI International]] Computer Science Laboratory\|date=2009-03-19\|access-date=2013-06-14\|url-status=dead\|archive-url=https://archive.today/20130203001959/http://mtc.sri.com/Conficker\|archive-date=2013-02-03}}		* {{cite web\|url=http://mtc.sri.com/Conficker\|title=An Analysis of Conficker's Logic and Rendezvous Points\|author=Phillip Porras\|author-link=Phillip Porras\|author2=Hassen Saidi \|author3=Vinod Yegneswaran\|work=Malware Threat Center\|publisher=[[SRI International]] Computer Science Laboratory\|date=2009-03-19\|access-date=2013-06-14\|url-status=dead\|archive-url=https://archive.today/20130203001959/http://mtc.sri.com/Conficker\|archive-date=2013-02-03}}
	* {{cite news\|url=http://www.pcworld.com/article/250824/malware_authors_expand_use_of_domain_generation_algorithms_to_evade_detection.html\|title=Malware Authors Expand Use of Domain Generation Algorithms to Evade Detection\|work=[[PC World]]\|author=Lucian Constantin\|date=2012-02-27\|access-date=2013-06-14}}		* {{cite news\|url=http://www.pcworld.com/article/250824/malware_authors_expand_use_of_domain_generation_algorithms_to_evade_detection.html\|title=Malware Authors Expand Use of Domain Generation Algorithms to Evade Detection\|work=[[PC World]]\|author=Lucian Constantin\|date=2012-02-27\|access-date=2013-06-14}}
	* {{cite web\|url=https://blogs.akamai.com/2018/01/a-death-match-of-domain-generation-algorithms.html\|title=A Death Match of Domain Generation Algorithms\|author=Hongliang Liu, Yuriy Yuzifovich\|publisher=Akamai Technologies\|date=2017-12-29\|access-date=2019-03-15}}		* {{cite web\|url=https://blogs.akamai.com/2018/01/a-death-match-of-domain-generation-algorithms.html\|title=A Death Match of Domain Generation Algorithms\|author=Hongliang Liu, Yuriy Yuzifovich\|publisher=Akamai Technologies\|date=2017-12-29\|access-date=2019-03-15}}

Monkbot: Task 18 (cosmetic): eval 14 templates: del empty params (19×); hyphenate params (5×);

2020-12-15T04:40:21Z

Task 18 (cosmetic): eval 14 templates: del empty params (19×); hyphenate params (5×);

← Previous revision		Revision as of 04:40, 15 December 2020
Line 9:		Line 9:
	Recently, the technique has been adopted by other malware authors. According to network security firm [[Damballa (company)\|Damballa]], the top-5 most prevalent DGA-based [[crimeware]] families are Conficker, Murofet, BankPatch, Bonnana and Bobax as of 2011.<ref>{{cite web\|url=https://www.damballa.com/downloads/r_pubs/WP_DGAs-in-the-Hands-of-Cyber-Criminals.pdf\|archive-url=https://web.archive.org/web/20160403200600/https://www.damballa.com/downloads/r_pubs/WP_DGAs-in-the-Hands-of-Cyber-Criminals.pdf\|url-status=dead\|archive-date=2016-04-03\|title=Top-5 Most Prevalent DGA-based Crimeware Families\|page=4\|publisher=[[Damballa (company)\|Damballa]]}}</ref>		Recently, the technique has been adopted by other malware authors. According to network security firm [[Damballa (company)\|Damballa]], the top-5 most prevalent DGA-based [[crimeware]] families are Conficker, Murofet, BankPatch, Bonnana and Bobax as of 2011.<ref>{{cite web\|url=https://www.damballa.com/downloads/r_pubs/WP_DGAs-in-the-Hands-of-Cyber-Criminals.pdf\|archive-url=https://web.archive.org/web/20160403200600/https://www.damballa.com/downloads/r_pubs/WP_DGAs-in-the-Hands-of-Cyber-Criminals.pdf\|url-status=dead\|archive-date=2016-04-03\|title=Top-5 Most Prevalent DGA-based Crimeware Families\|page=4\|publisher=[[Damballa (company)\|Damballa]]}}</ref>

	DGA can also combine words from a [[dictionary]] to generate domains. These dictionaries can be hard-coded in malware or taken from a publicly accessible source.<ref>{{Cite journal\|last=Plohmann\|first=Daniel\|last2=Yakdan\|first2=Khaled\|last3=Klatt\|first3=Michael\|last4=Bader\|first4=Johannes\|last5=Gerhards-Padilla\|first5=Elmar\|date=2016\|title=A Comprehensive Measurement Study of Domain Generating Malware\|url=https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_plohmann.pdf\|journal=25th USENIX Security Symposium~~\|volume=~~\|pages=263–278~~\|via=~~}}</ref> Domains generated by dictionary DGA tend to be more difficult to detect due to their similarity to legitimate domains.		DGA can also combine words from a [[dictionary]] to generate domains. These dictionaries can be hard-coded in malware or taken from a publicly accessible source.<ref>{{Cite journal\|last=Plohmann\|first=Daniel\|last2=Yakdan\|first2=Khaled\|last3=Klatt\|first3=Michael\|last4=Bader\|first4=Johannes\|last5=Gerhards-Padilla\|first5=Elmar\|date=2016\|title=A Comprehensive Measurement Study of Domain Generating Malware\|url=https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_plohmann.pdf\|journal=25th USENIX Security Symposium\|pages=263–278}}</ref> Domains generated by dictionary DGA tend to be more difficult to detect due to their similarity to legitimate domains.

	== Example ==		== Example ==
Line 29:		Line 29:

	==Detection==		==Detection==
	DGA domain<ref>Shateel A. Chowdhury, [https://hackersterminal.com/domain-generation-algorithm-dga-in-malware/ "DOMAIN GENERATION ALGORITHM – DGA IN MALWARE"], Aug 30, 2019. </ref> names can be blocked using blacklists, but the coverage of these blacklists is either poor (public blacklists) or wildly inconsistent (commercial vendor blacklists).<ref>{{Citation\|last=Kührer\|first=Marc\|title=Paint It Black: Evaluating the Effectiveness of Malware Blacklists\|date=2014\|url=https://christian-rossow.de/publications/blacklists-raid2014.pdf\|work=Research in Attacks, Intrusions and Defenses\|volume=8688\|pages=1–21\|editor-last=Stavrou\|editor-first=Angelos\|publisher=Springer International Publishing\|doi=10.1007/978-3-319-11379-1_1\|isbn=9783319113784\|access-date=2019-03-15\|last2=Rossow\|first2=Christian\|last3=Holz\|first3=Thorsten\|editor2-last=Bos\|editor2-first=Herbert\|editor3-last=Portokalidis\|editor3-first=Georgios}}</ref> Detection techniques belong in two main classes: reactionary and real-time. Reactionary detection relies on non-supervised [[Cluster analysis\|clustering techniques]] and contextual information like network NXDOMAIN responses,<ref>{{Cite journal\|last=Antonakakis\|first=Manos\|display-authors=et al\|date=2012\|title=From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based Malware\|url=https://www.usenix.org/conference/usenixsecurity12/technical-sessions/presentation/antonakakis\|journal=21st USENIX Security Symposium~~\|volume=~~\|pages=491–506~~\|via=~~}}</ref> [[WHOIS]] information,<ref>{{cite arxiv\|last=Curtin\|first=Ryan\|last2=Gardner\|first2=Andrew\|last3=Grzonkowski\|first3=Slawomir\|last4=Kleymenov\|first4=Alexey\|last5=Mosquera\|first5=Alejandro\|date=2018\|title=Detecting DGA domains with recurrent neural networks and side information\|eprint=1810.02023~~\|volume=\|pages=\|via=~~\|class=cs.CR}}</ref> and passive DNS<ref>{{Citation\|last=Pereira\|first=Mayana\|chapter=Dictionary Extraction and Detection of Algorithmically Generated Domain Names in Passive DNS Traffic\|date=2018\|chapter-url=http://faculty.washington.edu/mdecock/papers/mpereira2018a.pdf\|volume=11050\|pages=295–314\|publisher=Springer International Publishing\|doi=10.1007/978-3-030-00470-5_14\|isbn=978-3-030-00469-9\|access-date=2019-03-15\|last2=Coleman\|first2=Shaun\|last3=Yu\|first3=Bin\|last4=De Cock\|first4=Martine\|last5=Nascimento\|first5=Anderson\|title=Research in Attacks, Intrusions, and Defenses\|series=Lecture Notes in Computer Science}}</ref> to make an assessment of domain name legitimacy. Recent attempts at detecting DGA domain names with [[deep learning]] techniques have been extremely successful, with [[F1 score]]s of over 99%.<ref>{{cite arxiv\|last=Woodbridge\|first=Jonathan\|last2=Anderson\|first2=Hyrum\|last3=Ahuja\|first3=Anjum\|last4=Grant\|first4=Daniel\|date=2016\|title=Predicting Domain Generation Algorithms with Long Short-Term Memory Networks\|eprint=1611.00791~~\|volume=\|pages=\|via=~~\|class=cs.CR}}</ref> These deep learning methods typically utilize [[Long short-term memory\|LSTM]] and [[Convolutional neural network\|CNN]] architectures,<ref>{{Cite journal\|last=Yu\|first=Bin\|last2=Pan\|first2=Jie\|last3=Hu\|first3=Jiaming\|last4=Nascimento\|first4=Anderson\|last5=De Cock\|first5=Martine\|date=2018\|title=Character Level based Detection of DGA Domain Names\|url=http://faculty.washington.edu/mdecock/papers/byu2018a.pdf\|journal=2018 International Joint Conference on Neural Networks (IJCNN)\|location=Rio de Janeiro\|publisher=IEEE~~\|volume=~~\|pages=1–8\|doi=10.1109/IJCNN.2018.8489147\|isbn=978-1-5090-6014-6~~\|via=~~}}</ref> though deep [[word embedding]]s have shown great promise for detecting dictionary DGA.<ref>{{Cite journal\|last=Koh\|first=Joewie J.\|last2=Rhodes\|first2=Barton\|date=2018\|title=Inline Detection of Domain Generation Algorithms with Context-Sensitive Word Embeddings\|arxiv=1811.08705\|journal=2018 IEEE International Conference on Big Data (Big Data)\|location=Seattle, WA, USA\|publisher=IEEE~~\|volume=~~\|pages=2966–2971\|doi=10.1109/BigData.2018.8622066\|isbn=978-1-5386-5035-6}}</ref> However, these deep learning approaches can be vulnerable to [[Adversarial machine learning\|adversarial techniques]].<ref>{{cite arxiv\|last=Anderson\|first=Hyrum\|last2=Woodbridge\|first2=Jonathan\|last3=Bobby\|first3=Filar\|date=2016\|title=DeepDGA: Adversarially-Tuned Domain Generation and Detection\|eprint=1610.01969~~\|volume=\|pages=\|via=~~\|class=cs.CR}}</ref><ref>{{cite arxiv\|last=Sidi\|first=Lior\|last2=Nadler\|first2=Asaf\|last3=Shabtai\|first3=Asaf\|date=2019\|title=MaskDGA: A Black-box Evasion Technique Against DGA Classifiers and Adversarial Defenses\|eprint=1902.08909~~\|volume=\|pages=\|via=~~\|class=cs.CR}}</ref>		DGA domain<ref>Shateel A. Chowdhury, [https://hackersterminal.com/domain-generation-algorithm-dga-in-malware/ "DOMAIN GENERATION ALGORITHM – DGA IN MALWARE"], Aug 30, 2019. </ref> names can be blocked using blacklists, but the coverage of these blacklists is either poor (public blacklists) or wildly inconsistent (commercial vendor blacklists).<ref>{{Citation\|last=Kührer\|first=Marc\|title=Paint It Black: Evaluating the Effectiveness of Malware Blacklists\|date=2014\|url=https://christian-rossow.de/publications/blacklists-raid2014.pdf\|work=Research in Attacks, Intrusions and Defenses\|volume=8688\|pages=1–21\|editor-last=Stavrou\|editor-first=Angelos\|publisher=Springer International Publishing\|doi=10.1007/978-3-319-11379-1_1\|isbn=9783319113784\|access-date=2019-03-15\|last2=Rossow\|first2=Christian\|last3=Holz\|first3=Thorsten\|editor2-last=Bos\|editor2-first=Herbert\|editor3-last=Portokalidis\|editor3-first=Georgios}}</ref> Detection techniques belong in two main classes: reactionary and real-time. Reactionary detection relies on non-supervised [[Cluster analysis\|clustering techniques]] and contextual information like network NXDOMAIN responses,<ref>{{Cite journal\|last=Antonakakis\|first=Manos\|display-authors=et al\|date=2012\|title=From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based Malware\|url=https://www.usenix.org/conference/usenixsecurity12/technical-sessions/presentation/antonakakis\|journal=21st USENIX Security Symposium\|pages=491–506}}</ref> [[WHOIS]] information,<ref>{{cite arxiv\|last=Curtin\|first=Ryan\|last2=Gardner\|first2=Andrew\|last3=Grzonkowski\|first3=Slawomir\|last4=Kleymenov\|first4=Alexey\|last5=Mosquera\|first5=Alejandro\|date=2018\|title=Detecting DGA domains with recurrent neural networks and side information\|eprint=1810.02023\|class=cs.CR}}</ref> and passive DNS<ref>{{Citation\|last=Pereira\|first=Mayana\|chapter=Dictionary Extraction and Detection of Algorithmically Generated Domain Names in Passive DNS Traffic\|date=2018\|chapter-url=http://faculty.washington.edu/mdecock/papers/mpereira2018a.pdf\|volume=11050\|pages=295–314\|publisher=Springer International Publishing\|doi=10.1007/978-3-030-00470-5_14\|isbn=978-3-030-00469-9\|access-date=2019-03-15\|last2=Coleman\|first2=Shaun\|last3=Yu\|first3=Bin\|last4=De Cock\|first4=Martine\|last5=Nascimento\|first5=Anderson\|title=Research in Attacks, Intrusions, and Defenses\|series=Lecture Notes in Computer Science}}</ref> to make an assessment of domain name legitimacy. Recent attempts at detecting DGA domain names with [[deep learning]] techniques have been extremely successful, with [[F1 score]]s of over 99%.<ref>{{cite arxiv\|last=Woodbridge\|first=Jonathan\|last2=Anderson\|first2=Hyrum\|last3=Ahuja\|first3=Anjum\|last4=Grant\|first4=Daniel\|date=2016\|title=Predicting Domain Generation Algorithms with Long Short-Term Memory Networks\|eprint=1611.00791\|class=cs.CR}}</ref> These deep learning methods typically utilize [[Long short-term memory\|LSTM]] and [[Convolutional neural network\|CNN]] architectures,<ref>{{Cite journal\|last=Yu\|first=Bin\|last2=Pan\|first2=Jie\|last3=Hu\|first3=Jiaming\|last4=Nascimento\|first4=Anderson\|last5=De Cock\|first5=Martine\|date=2018\|title=Character Level based Detection of DGA Domain Names\|url=http://faculty.washington.edu/mdecock/papers/byu2018a.pdf\|journal=2018 International Joint Conference on Neural Networks (IJCNN)\|location=Rio de Janeiro\|publisher=IEEE\|pages=1–8\|doi=10.1109/IJCNN.2018.8489147\|isbn=978-1-5090-6014-6}}</ref> though deep [[word embedding]]s have shown great promise for detecting dictionary DGA.<ref>{{Cite journal\|last=Koh\|first=Joewie J.\|last2=Rhodes\|first2=Barton\|date=2018\|title=Inline Detection of Domain Generation Algorithms with Context-Sensitive Word Embeddings\|arxiv=1811.08705\|journal=2018 IEEE International Conference on Big Data (Big Data)\|location=Seattle, WA, USA\|publisher=IEEE\|pages=2966–2971\|doi=10.1109/BigData.2018.8622066\|isbn=978-1-5386-5035-6}}</ref> However, these deep learning approaches can be vulnerable to [[Adversarial machine learning\|adversarial techniques]].<ref>{{cite arxiv\|last=Anderson\|first=Hyrum\|last2=Woodbridge\|first2=Jonathan\|last3=Bobby\|first3=Filar\|date=2016\|title=DeepDGA: Adversarially-Tuned Domain Generation and Detection\|eprint=1610.01969\|class=cs.CR}}</ref><ref>{{cite arxiv\|last=Sidi\|first=Lior\|last2=Nadler\|first2=Asaf\|last3=Shabtai\|first3=Asaf\|date=2019\|title=MaskDGA: A Black-box Evasion Technique Against DGA Classifiers and Adversarial Defenses\|eprint=1902.08909\|class=cs.CR}}</ref>

	==See also==		==See also==
Line 40:		Line 40:

	==Further reading==		==Further reading==
	* {{cite web\|url=http://mtc.sri.com/Conficker\|title=An Analysis of Conficker's Logic and Rendezvous Points\|author=[[Phillip Porras]] \|author2=Hassen Saidi \|author3=Vinod Yegneswaran\|work=Malware Threat Center\|publisher=[[SRI International]] Computer Science Laboratory\|date=2009-03-19\|~~accessdate~~=2013-06-14\|url-status=dead\|~~archiveurl~~=https://archive.today/20130203001959/http://mtc.sri.com/Conficker\|~~archivedate~~=2013-02-03}}		* {{cite web\|url=http://mtc.sri.com/Conficker\|title=An Analysis of Conficker's Logic and Rendezvous Points\|author=[[Phillip Porras]] \|author2=Hassen Saidi \|author3=Vinod Yegneswaran\|work=Malware Threat Center\|publisher=[[SRI International]] Computer Science Laboratory\|date=2009-03-19\|access-date=2013-06-14\|url-status=dead\|archive-url=https://archive.today/20130203001959/http://mtc.sri.com/Conficker\|archive-date=2013-02-03}}
	* {{cite news\|url=http://www.pcworld.com/article/250824/malware_authors_expand_use_of_domain_generation_algorithms_to_evade_detection.html\|title=Malware Authors Expand Use of Domain Generation Algorithms to Evade Detection\|work=[[PC World]]\|author=Lucian Constantin\|date=2012-02-27\|~~accessdate~~=2013-06-14}}		* {{cite news\|url=http://www.pcworld.com/article/250824/malware_authors_expand_use_of_domain_generation_algorithms_to_evade_detection.html\|title=Malware Authors Expand Use of Domain Generation Algorithms to Evade Detection\|work=[[PC World]]\|author=Lucian Constantin\|date=2012-02-27\|access-date=2013-06-14}}
	* {{cite web\|url=https://blogs.akamai.com/2018/01/a-death-match-of-domain-generation-algorithms.html\|title=A Death Match of Domain Generation Algorithms\|author=Hongliang Liu, Yuriy Yuzifovich\|publisher=Akamai Technologies\|date=2017-12-29\|~~accessdate~~=2019-03-15}}		* {{cite web\|url=https://blogs.akamai.com/2018/01/a-death-match-of-domain-generation-algorithms.html\|title=A Death Match of Domain Generation Algorithms\|author=Hongliang Liu, Yuriy Yuzifovich\|publisher=Akamai Technologies\|date=2017-12-29\|access-date=2019-03-15}}
	* [https://web.archive.org/web/20130518101218/https://www.damballa.com/downloads/r_pubs/WP_DGAs-in-the-Hands-of-Cyber-Criminals.pdf DGAs in the Hands of Cyber-Criminals - Examining the state of the art in malware evasion techniques]		* [https://web.archive.org/web/20130518101218/https://www.damballa.com/downloads/r_pubs/WP_DGAs-in-the-Hands-of-Cyber-Criminals.pdf DGAs in the Hands of Cyber-Criminals - Examining the state of the art in malware evasion techniques]
	* [https://web.archive.org/web/20130518123544/https://www.damballa.com/downloads/r_pubs/RN_DGAs-and-Cyber-Criminals-A-Case-Study.pdf DGAs and Cyber-Criminals: A Case Study]		* [https://web.archive.org/web/20130518123544/https://www.damballa.com/downloads/r_pubs/RN_DGAs-and-Cyber-Criminals-A-Case-Study.pdf DGAs and Cyber-Criminals: A Case Study]

JJMC89 bot III: Moving :Category:Articles with example Python code to :Category:Articles with example Python (programming language) code per Wikipedia:Categories for discussion/Speedy

2020-09-21T21:04:35Z

Moving Category:Articles with example Python code to Category:Articles with example Python (programming language) code per Wikipedia:Categories for discussion/Speedy

← Previous revision		Revision as of 21:04, 21 September 2020
Line 47:		Line 47:
	* [https://web.archive.org/web/20120321142028/http://www.abuse.ch/?p=3387 How Criminals Defend Their Rogue Networks, Abuse.ch]		* [https://web.archive.org/web/20120321142028/http://www.abuse.ch/?p=3387 How Criminals Defend Their Rogue Networks, Abuse.ch]

	[[Category:Articles with example Python code]]		[[Category:Articles with example Python (programming language) code]]
	[[Category:Botnets]]		[[Category:Botnets]]

Ira Leviton: Fixed a typo found with Wikipedia:Typo Team/moss.

2020-08-27T20:44:39Z

Fixed a typo found with Wikipedia:Typo Team/moss.

← Previous revision		Revision as of 20:44, 27 August 2020
Line 3:		Line 3:
	For example, an infected computer could create thousands of domain names such as: ''www.<gibberish>.com'' and would attempt to contact a portion of these with the purpose of receiving an update or commands.		For example, an infected computer could create thousands of domain names such as: ''www.<gibberish>.com'' and would attempt to contact a portion of these with the purpose of receiving an update or commands.

	Embedding the DGA instead of a list of previously-generated (by the command and control ~~server(s)~~) domains in the unobfuscated binary of the malware protects against a strings dump that could be fed into a network blacklisting appliance preemptively to attempt to restrict outbound communication from infected hosts within an enterprise.		Embedding the DGA instead of a list of previously-generated (by the command and control servers) domains in the unobfuscated binary of the malware protects against a strings dump that could be fed into a network blacklisting appliance preemptively to attempt to restrict outbound communication from infected hosts within an enterprise.

	The technique was popularized by the family of worms [[Conficker]].a and .b which, at first generated 250 domain names per day. Starting with Conficker.C, the malware would generate 50,000 domain names every day of which it would attempt to contact 500, giving an infected machine a 1% possibility of being updated every day if the malware controllers registered only one domain per day. To prevent infected computers from updating their malware, law enforcement would have needed to pre-register 50,000 new domain names every day. From the point of view of botnet owner, they only have to register one or a few domains out of the several domains that each bot would query every day.		The technique was popularized by the family of worms [[Conficker]].a and .b which, at first generated 250 domain names per day. Starting with Conficker.C, the malware would generate 50,000 domain names every day of which it would attempt to contact 500, giving an infected machine a 1% possibility of being updated every day if the malware controllers registered only one domain per day. To prevent infected computers from updating their malware, law enforcement would have needed to pre-register 50,000 new domain names every day. From the point of view of botnet owner, they only have to register one or a few domains out of the several domains that each bot would query every day.

WOSlinker: change source to syntaxhighlight

2020-07-25T10:06:56Z

change source to syntaxhighlight

← Previous revision		Revision as of 10:06, 25 July 2020
Line 12:		Line 12:

	== Example ==		== Example ==
	<~~source~~ lang="python">		<syntaxhighlight lang="python">
	def generate_domain(year: int, month: int, day: int) -> str:		def generate_domain(year: int, month: int, day: int) -> str:
	"""Generate a domain name for the given date."""		"""Generate a domain name for the given date."""
Line 24:		Line 24:

	return domain + ".com"		return domain + ".com"
			</syntaxhighlight>
	</source>

	For example, on January 7, 2014, this method would generate the domain name <code>intgmxdeadnxuyla.com</code>, while the following day, it would return <code>axwscwsslmiagfah.com</code>. This simple example was in fact used by malware like [[CryptoLocker]], before it switched to a more sophisticated variant.		For example, on January 7, 2014, this method would generate the domain name <code>intgmxdeadnxuyla.com</code>, while the following day, it would return <code>axwscwsslmiagfah.com</code>. This simple example was in fact used by malware like [[CryptoLocker]], before it switched to a more sophisticated variant.

Shateel: /* Further reading */ corrected citation by adding well researched article

2020-04-02T19:30:47Z

Further reading: corrected citation by adding well researched article

← Previous revision		Revision as of 19:30, 2 April 2020
Line 29:		Line 29:

	==Detection==		==Detection==
	DGA domain names can be blocked using blacklists, but the coverage of these blacklists is either poor (public blacklists) or wildly inconsistent (commercial vendor blacklists).<ref>{{Citation\|last=Kührer\|first=Marc\|title=Paint It Black: Evaluating the Effectiveness of Malware Blacklists\|date=2014\|url=https://christian-rossow.de/publications/blacklists-raid2014.pdf\|work=Research in Attacks, Intrusions and Defenses\|volume=8688\|pages=1–21\|editor-last=Stavrou\|editor-first=Angelos\|publisher=Springer International Publishing\|doi=10.1007/978-3-319-11379-1_1\|isbn=9783319113784\|access-date=2019-03-15\|last2=Rossow\|first2=Christian\|last3=Holz\|first3=Thorsten\|editor2-last=Bos\|editor2-first=Herbert\|editor3-last=Portokalidis\|editor3-first=Georgios}}</ref> Detection techniques belong in two main classes: reactionary and real-time. Reactionary detection relies on non-supervised [[Cluster analysis\|clustering techniques]] and contextual information like network NXDOMAIN responses,<ref>{{Cite journal\|last=Antonakakis\|first=Manos\|display-authors=et al\|date=2012\|title=From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based Malware\|url=https://www.usenix.org/conference/usenixsecurity12/technical-sessions/presentation/antonakakis\|journal=21st USENIX Security Symposium\|volume=\|pages=491–506\|via=}}</ref> [[WHOIS]] information,<ref>{{cite arxiv\|last=Curtin\|first=Ryan\|last2=Gardner\|first2=Andrew\|last3=Grzonkowski\|first3=Slawomir\|last4=Kleymenov\|first4=Alexey\|last5=Mosquera\|first5=Alejandro\|date=2018\|title=Detecting DGA domains with recurrent neural networks and side information\|eprint=1810.02023\|volume=\|pages=\|via=\|class=cs.CR}}</ref> and passive DNS<ref>{{Citation\|last=Pereira\|first=Mayana\|chapter=Dictionary Extraction and Detection of Algorithmically Generated Domain Names in Passive DNS Traffic\|date=2018\|chapter-url=http://faculty.washington.edu/mdecock/papers/mpereira2018a.pdf\|volume=11050\|pages=295–314\|publisher=Springer International Publishing\|doi=10.1007/978-3-030-00470-5_14\|isbn=978-3-030-00469-9\|access-date=2019-03-15\|last2=Coleman\|first2=Shaun\|last3=Yu\|first3=Bin\|last4=De Cock\|first4=Martine\|last5=Nascimento\|first5=Anderson\|title=Research in Attacks, Intrusions, and Defenses\|series=Lecture Notes in Computer Science}}</ref> to make an assessment of domain name legitimacy. Recent attempts at detecting DGA domain names with [[deep learning]] techniques have been extremely successful, with [[F1 score]]s of over 99%.<ref>{{cite arxiv\|last=Woodbridge\|first=Jonathan\|last2=Anderson\|first2=Hyrum\|last3=Ahuja\|first3=Anjum\|last4=Grant\|first4=Daniel\|date=2016\|title=Predicting Domain Generation Algorithms with Long Short-Term Memory Networks\|eprint=1611.00791\|volume=\|pages=\|via=\|class=cs.CR}}</ref> These deep learning methods typically utilize [[Long short-term memory\|LSTM]] and [[Convolutional neural network\|CNN]] architectures,<ref>{{Cite journal\|last=Yu\|first=Bin\|last2=Pan\|first2=Jie\|last3=Hu\|first3=Jiaming\|last4=Nascimento\|first4=Anderson\|last5=De Cock\|first5=Martine\|date=2018\|title=Character Level based Detection of DGA Domain Names\|url=http://faculty.washington.edu/mdecock/papers/byu2018a.pdf\|journal=2018 International Joint Conference on Neural Networks (IJCNN)\|location=Rio de Janeiro\|publisher=IEEE\|volume=\|pages=1–8\|doi=10.1109/IJCNN.2018.8489147\|isbn=978-1-5090-6014-6\|via=}}</ref> though deep [[word embedding]]s have shown great promise for detecting dictionary DGA.<ref>{{Cite journal\|last=Koh\|first=Joewie J.\|last2=Rhodes\|first2=Barton\|date=2018\|title=Inline Detection of Domain Generation Algorithms with Context-Sensitive Word Embeddings\|arxiv=1811.08705\|journal=2018 IEEE International Conference on Big Data (Big Data)\|location=Seattle, WA, USA\|publisher=IEEE\|volume=\|pages=2966–2971\|doi=10.1109/BigData.2018.8622066\|isbn=978-1-5386-5035-6}}</ref> However, these deep learning approaches can be vulnerable to [[Adversarial machine learning\|adversarial techniques]].<ref>{{cite arxiv\|last=Anderson\|first=Hyrum\|last2=Woodbridge\|first2=Jonathan\|last3=Bobby\|first3=Filar\|date=2016\|title=DeepDGA: Adversarially-Tuned Domain Generation and Detection\|eprint=1610.01969\|volume=\|pages=\|via=\|class=cs.CR}}</ref><ref>{{cite arxiv\|last=Sidi\|first=Lior\|last2=Nadler\|first2=Asaf\|last3=Shabtai\|first3=Asaf\|date=2019\|title=MaskDGA: A Black-box Evasion Technique Against DGA Classifiers and Adversarial Defenses\|eprint=1902.08909\|volume=\|pages=\|via=\|class=cs.CR}}</ref>		DGA domain<ref>Shateel A. Chowdhury, [https://hackersterminal.com/domain-generation-algorithm-dga-in-malware/ "DOMAIN GENERATION ALGORITHM – DGA IN MALWARE"], Aug 30, 2019. </ref> names can be blocked using blacklists, but the coverage of these blacklists is either poor (public blacklists) or wildly inconsistent (commercial vendor blacklists).<ref>{{Citation\|last=Kührer\|first=Marc\|title=Paint It Black: Evaluating the Effectiveness of Malware Blacklists\|date=2014\|url=https://christian-rossow.de/publications/blacklists-raid2014.pdf\|work=Research in Attacks, Intrusions and Defenses\|volume=8688\|pages=1–21\|editor-last=Stavrou\|editor-first=Angelos\|publisher=Springer International Publishing\|doi=10.1007/978-3-319-11379-1_1\|isbn=9783319113784\|access-date=2019-03-15\|last2=Rossow\|first2=Christian\|last3=Holz\|first3=Thorsten\|editor2-last=Bos\|editor2-first=Herbert\|editor3-last=Portokalidis\|editor3-first=Georgios}}</ref> Detection techniques belong in two main classes: reactionary and real-time. Reactionary detection relies on non-supervised [[Cluster analysis\|clustering techniques]] and contextual information like network NXDOMAIN responses,<ref>{{Cite journal\|last=Antonakakis\|first=Manos\|display-authors=et al\|date=2012\|title=From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based Malware\|url=https://www.usenix.org/conference/usenixsecurity12/technical-sessions/presentation/antonakakis\|journal=21st USENIX Security Symposium\|volume=\|pages=491–506\|via=}}</ref> [[WHOIS]] information,<ref>{{cite arxiv\|last=Curtin\|first=Ryan\|last2=Gardner\|first2=Andrew\|last3=Grzonkowski\|first3=Slawomir\|last4=Kleymenov\|first4=Alexey\|last5=Mosquera\|first5=Alejandro\|date=2018\|title=Detecting DGA domains with recurrent neural networks and side information\|eprint=1810.02023\|volume=\|pages=\|via=\|class=cs.CR}}</ref> and passive DNS<ref>{{Citation\|last=Pereira\|first=Mayana\|chapter=Dictionary Extraction and Detection of Algorithmically Generated Domain Names in Passive DNS Traffic\|date=2018\|chapter-url=http://faculty.washington.edu/mdecock/papers/mpereira2018a.pdf\|volume=11050\|pages=295–314\|publisher=Springer International Publishing\|doi=10.1007/978-3-030-00470-5_14\|isbn=978-3-030-00469-9\|access-date=2019-03-15\|last2=Coleman\|first2=Shaun\|last3=Yu\|first3=Bin\|last4=De Cock\|first4=Martine\|last5=Nascimento\|first5=Anderson\|title=Research in Attacks, Intrusions, and Defenses\|series=Lecture Notes in Computer Science}}</ref> to make an assessment of domain name legitimacy. Recent attempts at detecting DGA domain names with [[deep learning]] techniques have been extremely successful, with [[F1 score]]s of over 99%.<ref>{{cite arxiv\|last=Woodbridge\|first=Jonathan\|last2=Anderson\|first2=Hyrum\|last3=Ahuja\|first3=Anjum\|last4=Grant\|first4=Daniel\|date=2016\|title=Predicting Domain Generation Algorithms with Long Short-Term Memory Networks\|eprint=1611.00791\|volume=\|pages=\|via=\|class=cs.CR}}</ref> These deep learning methods typically utilize [[Long short-term memory\|LSTM]] and [[Convolutional neural network\|CNN]] architectures,<ref>{{Cite journal\|last=Yu\|first=Bin\|last2=Pan\|first2=Jie\|last3=Hu\|first3=Jiaming\|last4=Nascimento\|first4=Anderson\|last5=De Cock\|first5=Martine\|date=2018\|title=Character Level based Detection of DGA Domain Names\|url=http://faculty.washington.edu/mdecock/papers/byu2018a.pdf\|journal=2018 International Joint Conference on Neural Networks (IJCNN)\|location=Rio de Janeiro\|publisher=IEEE\|volume=\|pages=1–8\|doi=10.1109/IJCNN.2018.8489147\|isbn=978-1-5090-6014-6\|via=}}</ref> though deep [[word embedding]]s have shown great promise for detecting dictionary DGA.<ref>{{Cite journal\|last=Koh\|first=Joewie J.\|last2=Rhodes\|first2=Barton\|date=2018\|title=Inline Detection of Domain Generation Algorithms with Context-Sensitive Word Embeddings\|arxiv=1811.08705\|journal=2018 IEEE International Conference on Big Data (Big Data)\|location=Seattle, WA, USA\|publisher=IEEE\|volume=\|pages=2966–2971\|doi=10.1109/BigData.2018.8622066\|isbn=978-1-5386-5035-6}}</ref> However, these deep learning approaches can be vulnerable to [[Adversarial machine learning\|adversarial techniques]].<ref>{{cite arxiv\|last=Anderson\|first=Hyrum\|last2=Woodbridge\|first2=Jonathan\|last3=Bobby\|first3=Filar\|date=2016\|title=DeepDGA: Adversarially-Tuned Domain Generation and Detection\|eprint=1610.01969\|volume=\|pages=\|via=\|class=cs.CR}}</ref><ref>{{cite arxiv\|last=Sidi\|first=Lior\|last2=Nadler\|first2=Asaf\|last3=Shabtai\|first3=Asaf\|date=2019\|title=MaskDGA: A Black-box Evasion Technique Against DGA Classifiers and Adversarial Defenses\|eprint=1902.08909\|volume=\|pages=\|via=\|class=cs.CR}}</ref>

	==See also==		==See also==
Line 37:		Line 37:
	==References==		==References==
	{{reflist}}		{{reflist}}
			<br />
	<ref>Shateel A. Chowdhury, [https://hackersterminal.com/domain-generation-algorithm-dga-in-malware/ "DOMAIN GENERATION ALGORITHM – DGA IN MALWARE"], Aug 30, 2019. Retrieved retrieved_date.</ref>

	==Further reading==		==Further reading==

Shateel: /* References */

2020-04-02T17:55:17Z

References

← Previous revision		Revision as of 17:55, 2 April 2020
Line 37:		Line 37:
	==References==		==References==
	{{reflist}}		{{reflist}}
			<ref>Shateel A. Chowdhury, [https://hackersterminal.com/domain-generation-algorithm-dga-in-malware/ "DOMAIN GENERATION ALGORITHM – DGA IN MALWARE"], Aug 30, 2019. Retrieved retrieved_date.</ref>

	==Further reading==		==Further reading==