Method for detecting host infection caused by DGA malicious software

A malware-detection technology, applied to electrical components and transmission systems, that addresses the difficulty of detecting DGA domain names efficiently, of selecting features and optimizing the algorithm, and of filtering out false positives. It achieves low manual participation in discrimination, a high recognition rate, a high detection rate and high detection coverage.

Inactive Publication Date: 2020-04-17
HANGZHOU ANHENG INFORMATION TECH CO LTD

AI Technical Summary

Problems solved by technology

[0009] In summary, the existing technology mainly trains machine-learning classifiers or constructs neural networks to identify malicious domain names by extracting features of the DGA domain name itself. In actual scenarios this poses considerable difficulty in feature selection, algorithm optimization and false-positive screening, and it cannot achieve efficient detection results for all types of DGA domain names.


Embodiment Construction

[0049]The present invention will be described in further detail below in conjunction with the examples, but the protection scope of the present invention is not limited thereto.

[0050] The invention relates to a method for detecting a DGA malware-infected host, and the method includes the following steps.

[0051] Step 1: Extract DNS data as raw dataset.

[0052] In the step 1, the DNS data is DNS query request data extracted from actual network traffic.

[0053] In the present invention, DNS query request data includes the source address (IPv4 address of the internal host), the destination address (IPv4 address of the DNS server), the queried domain name (dns.rrname) and the query type (dns.rrtype).

[0054] In the present invention, only queried domain names with dns.rrtype=A are retained as the original data set.

[0055] Step 2: Construct the training data set.

[0056] In the step 2, the domain name of Alexa is used as the negative sample of the training data set, and the domain name of the public D...


Abstract

The invention relates to a method for detecting host infection caused by DGA malicious software. The method comprises the steps of extracting DNS data as an original data set; constructing a training data set; extracting and normalizing all data features; training on the processed training features to obtain a stable model; inputting the original data set into the model to obtain a list of suspicious DGA domain names; and, after false-alarm filtering of that list, performing host infection confirmation. The invention uses methods such as information entropy, hidden Markov chains and N-gram models to extract features for modelling and predicting suspicious domain names, and judges whether a DGA malicious program has infected a host by computing statistical characteristics of the suspicious domain name requests initiated by the same IP address. The method is compatible with the detection of various kinds of DGA suspicious domain names, eliminates false alarms using the behavioural characteristics of the suspicious domain names requested by an infected host, requires little manual participation in discrimination, and has a high detection coverage rate, a high recognition rate and a low false-alarm rate, giving it practical application value.
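The pipeline described in the embodiment steps above (filter A-record queries, build a training set, extract features, predict suspicious domains, filter false alarms, confirm infected hosts) and restated in the abstract, as an added, self-contained Python example. It is not the patent's own code: the DNS records, the benign label list standing in for the Alexa negative samples and the allowlist are constructed; a fixed-threshold rule on the features stands in for the trained classifier; the bigram model is the N-gram feature from the abstract; the "registered domain" is taken as the last two labels (no public-suffix handling); and the confirmation threshold of three distinct suspicious domains per source IP is an assumption.

```python
"""Offline sketch of the DGA-infected-host pipeline: keep A queries, extract
lexical features per registered-domain label (entropy, ratio of bigrams never
seen in benign names, digit ratio), flag suspicious domains, drop allowlisted
false alarms, then confirm infection per source host."""
import math
from collections import Counter, defaultdict

# Constructed sample of DNS query records (src_ip, dst_ip, rrname, rrtype); not real traffic.
DNS_QUERIES = [
    ("10.0.0.5", "10.0.0.53", "www.google.com", "A"),
    ("10.0.0.5", "10.0.0.53", "mail.example.org", "A"),
    ("10.0.0.5", "10.0.0.53", "_ldap._tcp.corp.local", "SRV"),  # dropped: not an A query
    ("10.0.0.7", "10.0.0.53", "xkq3vz9pa1rto.com", "A"),
    ("10.0.0.7", "10.0.0.53", "n8f2hqzlv7wyc.net", "A"),
    ("10.0.0.7", "10.0.0.53", "pq7wtz1xmrk0b.info", "A"),
    ("10.0.0.7", "10.0.0.53", "www.wikipedia.org", "A"),
    ("10.0.0.9", "10.0.0.53", "h4x9qz2wvt.org", "A"),          # one odd name is not an infection
    ("10.0.0.9", "10.0.0.53", "xkcd.com", "A"),                 # looks random, is allowlisted
    ("10.0.0.9", "10.0.0.53", "d1a2b3c4.cloudfront.net", "A"),  # hash-like host label, benign registered domain
]

# Stand-in for the Alexa negative samples: benign registered-domain labels (constructed list).
BENIGN_LABELS = ["google", "facebook", "youtube", "wikipedia", "amazon", "twitter",
                 "instagram", "linkedin", "microsoft", "apple", "netflix", "reddit",
                 "example", "yahoo", "cloudfront"]
# Stand-in for the false-alarm filter: known-good registered domains (assumption).
ALLOWLIST = {"xkcd.com"}
MIN_SUSPICIOUS_DOMAINS_PER_HOST = 3  # assumed confirmation threshold


def registered_domain(rrname):
    """'www.google.com' -> 'google.com'. Assumes a single-label TLD (no public-suffix list)."""
    labels = rrname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else None


def bigrams(label):
    return [label[i:i + 2] for i in range(len(label) - 1)]


def train_bigram_model(labels):
    """N-gram model (n=2) over benign labels: counts of each character bigram."""
    return Counter(bg for lab in labels for bg in bigrams(lab))


def shannon_entropy(s):
    """Information entropy of the character distribution, in bits."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def features(label, model):
    bgs = bigrams(label)
    unseen = sum(1 for bg in bgs if bg not in model)
    return {
        "entropy": shannon_entropy(label),
        # a one-character label has no bigrams to judge; leave it to the other features
        "unseen_bigram_ratio": unseen / len(bgs) if bgs else 0.0,
        "digit_ratio": sum(ch.isdigit() for ch in label) / len(label),
    }


def is_suspicious(feat):
    """Fixed thresholds stand in for the trained classifier of the patent (assumption)."""
    return feat["unseen_bigram_ratio"] >= 0.5 or feat["digit_ratio"] >= 0.25


def detect_infected_hosts(queries, benign_labels=BENIGN_LABELS, allowlist=ALLOWLIST,
                          threshold=MIN_SUSPICIOUS_DOMAINS_PER_HOST):
    """Returns {src_ip: sorted distinct suspicious registered domains} for confirmed hosts."""
    model = train_bigram_model(benign_labels)
    per_host = defaultdict(set)
    for src, _dst, rrname, rrtype in queries:
        if rrtype != "A":                      # step 1: keep only A queries
            continue
        reg = registered_domain(rrname)
        label = reg.split(".")[0] if reg else ""
        if not label:
            continue
        if is_suspicious(features(label, model)) and reg not in allowlist:
            per_host[src].add(reg)             # suspicious list after false-alarm filtering
    # host infection confirmation: enough distinct suspicious domains from one source IP
    return {ip: sorted(doms) for ip, doms in per_host.items() if len(doms) >= threshold}


if __name__ == "__main__":
    for ip, doms in detect_infected_hosts(DNS_QUERIES).items():
        print(f"{ip} infected; suspicious domains: {', '.join(doms)}")
```

Running it reports only 10.0.0.7: its three random-looking domains cross the per-host threshold, while 10.0.0.9 is not confirmed because its single odd domain stays below it and xkcd.com is removed by the allowlist. Extracting features from the registered-domain label rather than the full hostname is what keeps the hash-like CDN host label from being counted.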

Description

Technical field

[0001] The invention relates to the transmission of digital information, e.g. the technical field of telegraphic communication, and in particular to a detection method for a DGA malware-infected host.

Background technique

[0002] A DGA domain name is one of a series of random domain names generated by a Domain Generation Algorithm. DGA malware uses a DGA to generate a large number of dynamically changing domain names so as to evade detection by threat intelligence and domain name blacklists; it is often used by botnets. Well-known DGA malware families include Conficker and Zeus.

[0003] Using DGA domain names to spread and control malware is relatively covert and difficult to track. Each day the attacker selects one or more of the random domain names generated by the algorithm and registers them as C2 server domain names, then uses them to control the infected hosts. Some threat intelligence systems cannot effectively detect the reputation ...


Application Information

Patent Type & Authority Applications(China)
IPC(8): H04L29/06, H04L29/12
CPC: H04L63/1416, H04L63/145, H04L61/4511
Inventors: 刘书航, 范渊
Owner HANGZHOU ANHENG INFORMATION TECH CO LTD