Researchers at the University of Georgia and the Georgia Institute of Technology have developed Pleiades, a prototype system that can better detect domain generation algorithm (DGA)-based botnets without the time-intensive reverse engineering normally required to find and defeat such malware.
"To automatically identify DGA domain names, Pleiades searches for relatively large clusters of NXDomains that have similar syntactic features, and are queried by multiple potentially compromised machines during a given epoch," the researchers say.
Pleiades can automatically identify and filter out accidental, user-generated NXDomains due to typos or misconfigurations. "When Pleiades finds a cluster of NXDomains, it applies statistical learning techniques to build a model of the DGA," the researchers say.
The researchers deployed and evaluated the Pleiades prototype in a large production Internet service provider network for 15 months and found 12 new DGA-based botnets. The researchers also note that Pleiades has some constraints. For example, once a new DGA is discovered, Pleiades can build fairly precise statistical models of what the domains generated by the DGA "look like," but it cannot learn or rebuild the exact domain generation algorithm. As a result, Pleiades will generate some false positives and false negatives.
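The clustering heuristic described above, as an added example that is not the Pleiades code: it drops near-miss typos of well-known names, buckets the remaining NXDomains by coarse syntactic features, and flags a bucket only when several distinct hosts query several distinct names in the same epoch. The log lines, the popular-domain list, the feature set and the thresholds are all constructed assumptions.

```python
# Toy NXDomain clustering in the spirit of the Pleiades description above.
# Added example, not Pleiades code: features, thresholds and allow-list are assumptions.
import difflib
import math
from collections import defaultdict

# Constructed NXDomain log lines: "<epoch> <client_ip> <queried_name>"
NXDOMAIN_LOG = """\
1 10.0.0.5 xk3q9zv1mbp.com
1 10.0.0.7 a7fq2lw0dxz.com
1 10.0.0.9 p0e4rtyx8nq.com
1 10.0.0.2 q8zm5nvx3kw.com
1 10.0.0.5 goolge.com
1 10.0.0.7 facebok.com
1 10.0.0.9 internal.corp
2 10.0.0.5 wikipedia.orgg
""".splitlines()

POPULAR = ["google.com", "facebook.com", "wikipedia.org"]  # assumed allow-list

def is_typo(name, popular=POPULAR, cutoff=0.8):
    """Accidental-NXDomain filter: near-misses of well-known names are dropped."""
    return any(difflib.SequenceMatcher(None, name, p).ratio() >= cutoff for p in popular)

def entropy(s):
    """Shannon entropy (bits per character) of a label."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def syntactic_key(name):
    """Coarse bucket of syntactic features of the first label: length, entropy, digits."""
    label = name.split(".")[0]
    return (len(label) // 4, int(entropy(label)), any(ch.isdigit() for ch in label))

def find_dga_clusters(lines, min_clients=3, min_domains=3):
    """Map (epoch, feature bucket) -> sorted NXDomains for buckets queried by many hosts."""
    clients, domains = defaultdict(set), defaultdict(set)
    for line in lines:
        epoch, client, name = line.split()
        if is_typo(name):
            continue  # user typo or misconfiguration, not DGA traffic
        key = (int(epoch), syntactic_key(name))
        clients[key].add(client)
        domains[key].add(name)
    return {k: sorted(v) for k, v in domains.items()
            if len(clients[k]) >= min_clients and len(v) >= min_domains}
```

On the constructed log, only the epoch-1 bucket of four random-looking, digit-bearing 11-character labels queried by four hosts is reported; this is exactly the kind of bucket that Pleiades would then model statistically, and the model, as the article notes, still cannot recover the generator itself.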
From Network World