CharBot : a simple and effective method for evading DGA classifiers

(2019) IEEE ACCESS. 7. p.91759-91771
Abstract
Domain generation algorithms (DGAs) are commonly leveraged by malware to create lists of domain names, which can be used for command and control (C&C) purposes. Approaches based on machine learning have recently been developed to automatically detect generated domain names in real-time. In this paper, we present a novel DGA called CharBot, which is capable of producing large numbers of unregistered domain names that are not detected by state-of-the-art classifiers for real-time detection of the DGAs, including the recently published methods FANCI (a random forest based on human-engineered features) and LSTM.MI (a deep learning approach). The CharBot is very simple, effective, and requires no knowledge of the targeted DGA classifiers. We show that retraining the classifiers on CharBot samples is not a viable defense strategy. We believe these findings show that DGA classifiers are inherently vulnerable to adversarial attacks if they rely only on the domain name string to make a decision. Designing a robust DGA classifier may, therefore, necessitate the use of additional information besides the domain name alone. To the best of our knowledge, the CharBot is the simplest and most efficient black-box adversarial attack against DGA classifiers proposed to date.
Keywords
Adversarial machine learning, domain generation algorithms, supervised learning

Downloads

  • 08756038.pdf (full text | open access | PDF | 7.39 MB)

Citation

Please use this url to cite or link to this publication:

MLA
Peck, Jonathan, et al. “CharBot : A Simple and Effective Method for Evading DGA Classifiers.” IEEE ACCESS, vol. 7, 2019, pp. 91759–71.
APA
Peck, J., Nie, C., Sivaguru, R., Grumer, C., Olumofin, F., Yu, B., … De Cock, M. (2019). CharBot : a simple and effective method for evading DGA classifiers. IEEE ACCESS, 7, 91759–91771.
Chicago author-date
Peck, Jonathan, Claire Nie, Raaghavi Sivaguru, Charles Grumer, Femi Olumofin, Bin Yu, Anderson Nascimento, and Martine De Cock. 2019. “CharBot : A Simple and Effective Method for Evading DGA Classifiers.” IEEE ACCESS 7: 91759–71.
Chicago author-date (all authors)
Peck, Jonathan, Claire Nie, Raaghavi Sivaguru, Charles Grumer, Femi Olumofin, Bin Yu, Anderson Nascimento, and Martine De Cock. 2019. “CharBot : A Simple and Effective Method for Evading DGA Classifiers.” IEEE ACCESS 7: 91759–91771.
Vancouver
1. Peck J, Nie C, Sivaguru R, Grumer C, Olumofin F, Yu B, et al. CharBot : a simple and effective method for evading DGA classifiers. IEEE ACCESS. 2019;7:91759–71.
IEEE
[1] J. Peck et al., “CharBot : a simple and effective method for evading DGA classifiers,” IEEE ACCESS, vol. 7, pp. 91759–91771, 2019.
@article{8623843,
  abstract     = {Domain generation algorithms (DGAs) are commonly leveraged by malware to create lists of domain names, which can be used for command and control (C&C) purposes. Approaches based on machine learning have recently been developed to automatically detect generated domain names in real-time. In this paper, we present a novel DGA called CharBot, which is capable of producing large numbers of unregistered domain names that are not detected by state-of-the-art classifiers for real-time detection of the DGAs, including the recently published methods FANCI (a random forest based on human-engineered features) and LSTM.MI (a deep learning approach). The CharBot is very simple, effective, and requires no knowledge of the targeted DGA classifiers. We show that retraining the classifiers on CharBot samples is not a viable defense strategy. We believe these findings show that DGA classifiers are inherently vulnerable to adversarial attacks if they rely only on the domain name string to make a decision. Designing a robust DGA classifier may, therefore, necessitate the use of additional information besides the domain name alone. To the best of our knowledge, the CharBot is the simplest and most efficient black-box adversarial attack against DGA classifiers proposed to date.},
  author       = {Peck, Jonathan and Nie, Claire and Sivaguru, Raaghavi and Grumer, Charles and Olumofin, Femi and Yu, Bin and Nascimento, Anderson and De Cock, Martine},
  issn         = {2169-3536},
  journal      = {IEEE ACCESS},
  keywords     = {Adversarial machine learning,domain generation algorithms,supervised learning},
  language     = {eng},
  pages        = {91759--91771},
  title        = {CharBot : a simple and effective method for evading DGA classifiers},
  url          = {http://dx.doi.org/10.1109/access.2019.2927075},
  volume       = {7},
  year         = {2019},
}
