A Study of the Detection of Malicious Domain Name Generated by Dynamic Domain Name Generation Algorithm

Bibliographic Details
Main Authors: Yu-Feng Chu, 朱宇豐
Other Authors: Chien-Lung Chan
Format: Others
Language: zh-TW
Online Access: http://ndltd.ncl.edu.tw/handle/93873813448367056558
id ndltd-TW-103YZU05396055
record_format oai_dc
spelling ndltd-TW-103YZU05396055 2016-09-25T04:04:59Z http://ndltd.ncl.edu.tw/handle/93873813448367056558 A Study of the Detection of Malicious Domain Name Generated by Dynamic Domain Name Generation Algorithm 動態產生惡意域名偵測之研究 Yu-Feng Chu 朱宇豐 Master's thesis, Yuan Ze University (元智大學), Department of Information Management (資訊管理學系), academic year 103 (ROC calendar) Chien-Lung Chan 詹前隆 thesis (學位論文) 87 zh-TW
collection NDLTD
language zh-TW
format Others
sources NDLTD
description Master's thesis === Yuan Ze University (元智大學) === Department of Information Management === academic year 103 (ROC calendar) === In recent years, computers and mobile devices have become ubiquitous. Because these devices connect to the network, attackers can plant malware on them to steal private data, and for such malware the connection back to its control side (the command-and-control server) is essential. This study focuses on a technique for hiding that connection: dynamically generating the domain names the malware contacts (a domain generation algorithm, DGA), which confuses users and makes the source of the control connection very hard to trace. Previous approaches combine string-entropy measures with rules about the regular character composition of domain names, but they fail on strings with low randomness and on strings that resemble normal domain names. We therefore propose a method that extracts features from the domain names generated by each malicious program: the domain-name properties of each malware family are grouped into clusters, a probability model (a Markov model) is trained per cluster, and each candidate is judged in combination with normal domain names, so that every Markov model captures one group's characteristics and detects more effectively. Experiments on ten families (CONFICKER, CRYPTOLOCKER, MATSNU, OTHERS, PUSHDO, RAMDO, RAMNITPCAP, ROVNIX, TINBA and ZEUS) show good detection results even when the families are not clustered. The two families whose domains are built from character combinations resembling normal domain names (MATSNU and ROVNIX) are hard to detect this way, but judging by the feature value works well: with 13 clusters and a threshold of 0.9, more than 90% of the dynamically generated domain names are detected.
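The abstract describes per-family character Markov models scored against normal domain names, and the weakness of the entropy baseline on word-like DGA output. The following Python is an added example written for this record, not code from the thesis: it replaces the thesis's clustering step with two hand-labelled families, uses a constructed benign list and two toy generators (a consonant-string generator standing in for a PRNG-seeded family and a word-concatenation generator standing in for a dictionary family; neither is a real malware algorithm), and smooths with an assumed pseudo-count of 0.5. The family names, word list and thresholds are all assumptions of the example.

```python
"""Per-family character Markov models for DGA detection, plus the entropy baseline."""
import math
from collections import defaultdict

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-"
START, END = "^", "$"
VOCAB_SIZE = len(ALPHABET) + 1   # a transition may lead to any label character or to END
ALPHA = 0.5                      # assumed additive-smoothing pseudo-count per next symbol

# Constructed sample data for the example, not taken from the thesis or any real feed.
BENIGN_LABELS = [
    "google", "facebook", "youtube", "wikipedia", "amazon", "twitter", "instagram",
    "linkedin", "microsoft", "apple", "netflix", "reddit", "github", "stackoverflow",
    "yahoo", "ebay", "paypal", "dropbox", "spotify", "adobe", "mozilla", "wordpress",
    "cloudflare", "bloomberg", "salesforce", "oracle", "samsung", "nytimes",
    "pinterest", "tumblr",
]
CONSONANTS = "bcdfgklmnpqrstvz"
WORDS = ["stone", "river", "house", "garden", "blue", "green",
         "cloud", "water", "table", "candle", "forest", "silver"]


def toy_random_dga(day: int, length: int = 12) -> str:
    """Toy stand-in for a seeded-PRNG DGA (random-letter output). Not a real family's algorithm."""
    state = (day * 2654435761 + 12345) % 2**31
    out = []
    for _ in range(length):
        state = (1103515245 * state + 12345) % 2**31   # LCG step; high bits select a letter
        out.append(CONSONANTS[(state >> 16) % len(CONSONANTS)])
    return "".join(out)


def toy_wordlist_dga(day: int) -> str:
    """Toy stand-in for a word-concatenating DGA (dictionary output). Not a real family's algorithm."""
    n = len(WORDS)
    return WORDS[day % n] + WORDS[(5 * day + 7 + day // n) % n]


def shannon_entropy(label: str) -> float:
    """Bits per character: the string-entropy feature that earlier approaches relied on."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


class MarkovModel:
    """First-order character Markov chain with additive smoothing, trained on one set of labels."""

    def __init__(self, labels):
        self.counts = defaultdict(lambda: defaultdict(int))
        for label in labels:
            prev = START
            for ch in label + END:
                self.counts[prev][ch] += 1
                prev = ch

    def score(self, label: str) -> float:
        """Mean log P(next | prev) over the label, so that length does not dominate."""
        prev, total = START, 0.0
        for ch in label + END:
            row = self.counts.get(prev, {})
            total += math.log((row.get(ch, 0) + ALPHA) / (sum(row.values()) + ALPHA * VOCAB_SIZE))
            prev = ch
        return total / (len(label) + 1)


def second_level_label(domain: str) -> str:
    """Label left of the TLD; assumes a single-label public suffix such as .com."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


class DGADetector:
    """One Markov model per malware family, each judged against a benign-domain model."""

    def __init__(self, benign, families, threshold=0.0):
        self.benign = MarkovModel(benign)
        self.families = {name: MarkovModel(labels) for name, labels in families.items()}
        self.threshold = threshold

    def classify(self, domain: str):
        label = second_level_label(domain)
        benign_score = self.benign.score(label)
        # Per-transition log-likelihood ratio of each family model against the benign model.
        ratios = {name: m.score(label) - benign_score for name, m in self.families.items()}
        family, ratio = max(ratios.items(), key=lambda kv: kv[1])
        if ratio > self.threshold:
            return True, family, ratio
        return False, None, ratio


DETECTOR = DGADetector(
    BENIGN_LABELS,
    {"random": [toy_random_dga(d) for d in range(60)],
     "wordlist": [toy_wordlist_dga(d) for d in range(24)]},
)

if __name__ == "__main__":
    for domain in ["outlook.com", toy_random_dga(100) + ".com", toy_wordlist_dga(100) + ".com"]:
        verdict, family, ratio = DETECTOR.classify(domain)
        print(f"{domain:24s} entropy={shannon_entropy(second_level_label(domain)):.2f} "
              f"dga={verdict} family={family} llr={ratio:+.2f}")
```

The word-list label has an entropy close to that of a benign name, which is why the entropy baseline misses it, while the per-family Markov model still separates it from the benign model because its character transitions follow the family's dictionary. Held-out days (day 100 above) are used for the test domains so that the models are not scored on their own training strings.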
author2 Chien-Lung Chan
author_facet Chien-Lung Chan
Yu-Feng Chu
朱宇豐
author Yu-Feng Chu
朱宇豐
spellingShingle Yu-Feng Chu
朱宇豐
A Study of the Detection of Malicious Domain Name Generated by Dynamic Domain Name Generation Algorithm
author_sort Yu-Feng Chu
title A Study of the Detection of Malicious Domain Name Generated by Dynamic Domain Name Generation Algorithm
title_short A Study of the Detection of Malicious Domain Name Generated by Dynamic Domain Name Generation Algorithm
title_full A Study of the Detection of Malicious Domain Name Generated by Dynamic Domain Name Generation Algorithm
title_fullStr A Study of the Detection of Malicious Domain Name Generated by Dynamic Domain Name Generation Algorithm
title_full_unstemmed A Study of the Detection of Malicious Domain Name Generated by Dynamic Domain Name Generation Algorithm
title_sort study of the detection of malicious domain name generated by dynamic domain name generation algorithm
url http://ndltd.ncl.edu.tw/handle/93873813448367056558
work_keys_str_mv AT yufengchu astudyofthedetectionofmaliciousdomainnamegeneratedbydynamicdomainnamegenerationalgorithm
AT zhūyǔfēng astudyofthedetectionofmaliciousdomainnamegeneratedbydynamicdomainnamegenerationalgorithm
AT yufengchu dòngtàichǎnshēngèyìyùmíngzhēncèzhīyánjiū
AT zhūyǔfēng dòngtàichǎnshēngèyìyùmíngzhēncèzhīyánjiū
AT yufengchu studyofthedetectionofmaliciousdomainnamegeneratedbydynamicdomainnamegenerationalgorithm
AT zhūyǔfēng studyofthedetectionofmaliciousdomainnamegeneratedbydynamicdomainnamegenerationalgorithm
_version_ 1718385614413365248