Applying Intrusion Detection Based on Algorithmically Generated Domain Classification to Real Network Traffic / Principi, Lorenzo; Baldi, Marco. - (2024), pp. 125-130. (Paper presented at the 1st International Conference on Cyber Security and Computing, CyberComp 2024, held in Melaka, Malaysia, 06-07 November 2024) [10.1109/cybercomp60759.2024.10913807].

Applying Intrusion Detection Based on Algorithmically Generated Domain Classification to Real Network Traffic

Principi, Lorenzo; Baldi, Marco
2024-01-01

Abstract

Domain Generation Algorithms (DGAs) are used by malware in establishing a connection with the Command and Control (C&C) server, to reduce the risk of the connection being identified by changing the C&C domain name dynamically but predictably. Since malicious Algorithmically-Generated Domains (mAGDs) have identifiable patterns, suitably trained Machine Learning (ML) models, here called mAGD classifiers, are often able to identify such domains. However, these results are typically obtained in a non-temporal context, raising uncertainty about their applicability in real-world scenarios. In reality, network traffic is time-dependent and extremely variable, and false positives have a significant impact. One way to mitigate these problems is to analyze connections not one at a time, but by grouping those occurring in a predetermined time interval. In this paper we address such a challenge, showing that, even when the mAGD classifier has very good performance in classifying individual domain names, its output needs to be carefully post-processed in order to achieve good overall intrusion detection performance on real network traffic.
Year: 2024
ISBN: 9798350387728
Files in this item:

File: Principi_Applying-Intrusion-Detection-Based_2025.pdf
Access: Archive managers only
Type: Published version (version published with the publisher's layout)
License: All rights reserved
Size: 668.73 kB
Format: Adobe PDF

File: Principi_Applying-Intrusion-Detection-Based_Post-print.pdf
Access: Open access
Type: Post-print (version following peer review and accepted for publication)
License: All rights reserved
Size: 514.27 kB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this item: https://hdl.handle.net/11566/342712