Research On DGA Domain Name Identification Method Based On Word Features

Posted on: 2020-01-24
Degree: Master
Type: Thesis
Country: China
Candidate: W D Li
GTID: 2428330590983062
Subject: Electronics and Communications Engineering

Abstract/Summary:
To improve the survival rate of their botnets, botnet controllers commonly use domain-flux technology to change the domain name of the C&C server frequently, which makes the command and control channel more difficult to track and detect. The core of domain-flux technology is the Domain Generation Algorithm (DGA), which can quickly generate a large number of domain names. However, botnet controllers choose only a small number of them as the domain names of C&C servers. Even if security personnel decode the DGA, it is still difficult to block all of the domain names. Identifying DGA domain names quickly and accurately is therefore very significant both for tracing and detecting botnets and for safeguarding network and information security.

At present, the identification of dictionary-based DGA domain names is a major difficulty in this field. This paper analyzes dictionary-based DGA domain names and finds that they are characterized by low randomness in character distribution but high randomness in word combination. Based on this characteristic, a DGA domain name identification method based on word features is proposed. The method first uses a filtering algorithm to divide domain names into two groups, dictionary-based domain names and ordinary domain names, and then classifies the two groups separately. An LSTM model is used to extract the features of domain names automatically, without manual intervention, which improves efficiency and avoids the dependence of manual feature selection on experience. The experimental results show that the method has high identification accuracy for dictionary-based DGA domain names. Compared with the LSTM method based on character features and the Bigram method, it performs better both in dictionary-based DGA domain name identification and in overall DGA domain name identification.

This paper also designs and implements a prototype DGA domain name identification system integrated with DNS. The system integrates a DNS proxy server and a DGA domain name identifier. It can identify DGA domain names in DNS traffic and issue corresponding prompts while providing DNS proxy service. The system has been tested in a real network environment and its functions were shown to operate normally, which demonstrates the feasibility of the DGA domain name identification method based on word features.
Keywords/Search Tags:DGA, Word feature, DNS, LSTM
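
The abstract does not specify its filtering algorithm. As an added example (not the thesis's code), the following shows one possible form of that filtering step: it segments a domain label into dictionary words and routes well-covered multi-word labels to the dictionary-based path, with character entropy computed alongside to show why character-distribution features alone miss such names. The word list, thresholds and function names are assumptions, and the sample domains are constructed.

```python
import math
from collections import Counter

# Constructed toy word list (assumption); a real filter would load a full dictionary.
WORDS = {"secure", "cloud", "mail", "table", "river", "green", "stone",
         "market", "house", "light", "paper", "window", "bank", "online"}

def segment(label, words=WORDS, min_len=3):
    """Cover as much of label as possible with dictionary words.

    Dynamic programming over prefixes: best[i] holds (covered_chars, words)
    for label[:i]. Returns (words_found, covered_chars).
    """
    best = [(0, [])]
    for i in range(1, len(label) + 1):
        cur = best[i - 1]                      # leave character i-1 uncovered
        for j in range(0, i - min_len + 1):    # or end a word at position i
            piece = label[j:i]
            if piece in words and best[j][0] + len(piece) > cur[0]:
                cur = (best[j][0] + len(piece), best[j][1] + [piece])
        best.append(cur)
    covered, found = best[-1]
    return found, covered

def char_entropy(label):
    """Shannon entropy in bits per character of the label's characters."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def route(domain, min_coverage=0.8, min_words=2):
    """Pick the classifier path for a domain given as 'label.tld' (assumption)."""
    label = domain.lower().split(".")[0]
    found, covered = segment(label)
    if label and len(found) >= min_words and covered / len(label) >= min_coverage:
        return "dictionary"
    return "ordinary"

if __name__ == "__main__":
    # Constructed sample names, not taken from any DGA family.
    for name in ("greenstonemarket.com", "xkqzjvbtwplm.net", "bank.com"):
        label = name.split(".")[0]
        print(name, route(name), segment(label)[0], round(char_entropy(label), 3))
```

The word-composed label has lower character entropy than the random-character one, so it is only the segmentation step that separates it out for the word-level classifier.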