AI-based detection of DNS misuse for network security
Threat hunting and malware prediction are critical activities to ensure network and system security. These tasks are difficult due to increasing numbers of sophisticated malware families. Automatically detecting anomalous Domain Name System (DNS) queries in operational traffic facilitates the detection of new malware infections, significantly contributing to the work of security practitioners. In this paper, we present two AI-based Domain Generation Algorithm (DGA) detection and classification techniques - a feature-based one, leveraging classic Machine Learning algorithms and a featureless one, based on Deep Learning - specifically intended to aid in this task. Both techniques are designed to be integrated in operational environments, dealing with hundreds of thousands to millions of new malware samples per day. We report the implementation details, the classification performance, the advantages and shortcomings for both techniques, as well as experiences from the deployment of this system in an industrial environment. We show that both techniques reach more than the 90% of accuracy in the case of binary DGA detection, with a slight degradation in performance in the multi-class classification case, in which the results strongly depend on the malware type. (C) 2022 Association for Computing Machinery.
To reference this document use:
Classification (of information)
Domain name system
Networks and systems
Association for Computing Machinery, Inc
NativeNI 2022 - Proceedings of the 1st International Workshop on Native Network Intelligence, Part of CoNEXT 2022, 27-32