
A Detection Scheme for DGA Domain Names Based on SVM



Abstract

Most network security configurations allow DNS traffic to pass through. Attackers therefore often embed malware commands in DNS data to evade detection by Internet security devices. In particular, some malware, such as botnets, generates a large number of candidate domain names with a Domain Generation Algorithm (DGA) and uses only a few of them as cover for the malware's commands. How to filter DGA domain names out of normal domain names has become a hot topic in the literature, and many papers address the problem; however, a comprehensive analysis of the character features of domain names has been lacking. In this paper we study the character features of DGA domain names and extract five attributes for a Support Vector Machine (SVM) model. Model training and cross-validation showed detection accuracy, precision and recall greater than 91%, 88% and 87%, respectively. Experiments also showed that, compared with a decision-tree method, the SVM-based detection algorithm achieves higher accuracy, precision and recall.
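The abstract names the approach (character-level features of the registered label, an SVM classifier, cross-validated accuracy/precision/recall) but this page does not list the paper's five attributes or its data. The following is an added example, not the paper's code: it picks five plausible lexical features (length, Shannon entropy, digit ratio, vowel ratio, longest consonant run), trains a linear SVM by sub-gradient descent on the hinge loss in pure Python, and reports k-fold cross-validated metrics. The sample domains, the feature choice and the training constants are all this example's own assumptions.

```python
"""Lexical-feature DGA detector with a pure-Python linear SVM.
Feature set, sample domains and hyperparameters are this example's
assumptions, not the paper's."""
import math
import random
from collections import Counter

VOWELS = set("aeiou")

# Constructed sample set: well-known benign registrations (label -1) and
# random-looking strings made up here to stand in for DGA output (label +1).
SAMPLES = [
    ("google.com", -1), ("wikipedia.org", -1), ("github.com", -1),
    ("stackoverflow.com", -1), ("microsoft.com", -1), ("amazon.com", -1),
    ("youtube.com", -1), ("reddit.com", -1), ("netflix.com", -1),
    ("apple.com", -1), ("cloudflare.com", -1), ("mozilla.org", -1),
    ("xk3q9vzt2hplw.com", 1), ("qzjvxwbnmkrt.net", 1), ("a7f9k2mxq0dz.info", 1),
    ("bvkqxzjwrtlp.biz", 1), ("1m9x4k2q7vz3.org", 1), ("zxqvjkwbtlnprs.com", 1),
    ("g5h2k8lq1wx.ru", 1), ("pqzvxkjbwtrn.net", 1), ("y3t7r9x2k5.com", 1),
    ("hjkqzxvbwnrt.org", 1), ("vwxqzjkb8t4n.cc", 1), ("rtqzpxkvjwbn.info", 1),
]


def registered_label(domain):
    """Label left of the TLD. Naive: treats the last label as the whole public
    suffix, so 'example.co.uk' yields 'co'; use the Public Suffix List in practice."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def features(domain):
    """Five character features: length, Shannon entropy (bits/char),
    digit ratio, vowel ratio, longest run of consecutive consonants."""
    s = registered_label(domain)
    n = len(s)
    if n == 0:                       # empty label (e.g. "." or ""): all-zero row
        return [0, 0.0, 0.0, 0.0, 0]
    entropy = -sum(c / n * math.log2(c / n) for c in Counter(s).values())
    digit_ratio = sum(ch.isdigit() for ch in s) / n
    vowel_ratio = sum(ch in VOWELS for ch in s) / n
    run = longest = 0
    for ch in s:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        longest = max(longest, run)
    return [n, entropy, digit_ratio, vowel_ratio, longest]


def fit_scaler(X):
    """Per-feature mean and std of the training rows (std 0 is mapped to 1)."""
    d = len(X[0])
    means = [sum(r[j] for r in X) / len(X) for j in range(d)]
    stds = [math.sqrt(sum((r[j] - means[j]) ** 2 for r in X) / len(X)) or 1.0
            for j in range(d)]
    return means, stds


def scale(X, scaler):
    means, stds = scaler
    return [[(v - m) / s for v, m, s in zip(r, means, stds)] for r in X]


def train_linear_svm(X, y, C=1.0, lr=0.01, epochs=2000):
    """Full-batch sub-gradient descent on 0.5*||w||^2 + C*sum(hinge loss)."""
    d = len(X[0])
    w, b = [0.0] * d, 0.0
    for _ in range(epochs):
        gw, gb = list(w), 0.0          # gradient of the regulariser
        for xi, yi in zip(X, y):
            if yi * (sum(wj * xj for wj, xj in zip(w, xi)) + b) < 1:  # margin violated
                for j in range(d):
                    gw[j] -= C * yi * xi[j]
                gb -= C * yi
        w = [wj - lr * gj for wj, gj in zip(w, gw)]
        b -= lr * gb
    return w, b


def predict(w, b, x):
    return 1 if sum(wj * xj for wj, xj in zip(w, x)) + b >= 0 else -1


def metrics(y_true, y_pred):
    """(accuracy, precision, recall) with DGA (+1) as the positive class."""
    tp = sum(t == 1 and p == 1 for t, p in zip(y_true, y_pred))
    fp = sum(t == -1 and p == 1 for t, p in zip(y_true, y_pred))
    fn = sum(t == 1 and p == -1 for t, p in zip(y_true, y_pred))
    tn = len(y_true) - tp - fp - fn
    prec = tp / (tp + fp) if tp + fp else 0.0
    rec = tp / (tp + fn) if tp + fn else 0.0
    return (tp + tn) / len(y_true), prec, rec


def cross_validate(samples, k=4, seed=0):
    """k-fold CV; the scaler is fit on each training fold only, so no
    statistic from held-out rows leaks into training."""
    idx = list(range(len(samples)))
    random.Random(seed).shuffle(idx)
    folds = [idx[i::k] for i in range(k)]
    y_true, y_pred = [], []
    for fold in folds:
        train = [i for i in idx if i not in fold]
        Xtr = [features(samples[i][0]) for i in train]
        scaler = fit_scaler(Xtr)
        w, b = train_linear_svm(scale(Xtr, scaler), [samples[i][1] for i in train])
        Xte = scale([features(samples[i][0]) for i in fold], scaler)
        y_true += [samples[i][1] for i in fold]
        y_pred += [predict(w, b, x) for x in Xte]
    return metrics(y_true, y_pred)


def fit_detector(samples):
    """Train on every sample; returns classify(domain) -> +1 (DGA) / -1 (benign)."""
    X = [features(d) for d, _ in samples]
    scaler = fit_scaler(X)
    w, b = train_linear_svm(scale(X, scaler), [lab for _, lab in samples])
    return lambda domain: predict(w, b, scale([features(domain)], scaler)[0])


if __name__ == "__main__":
    print("4-fold CV (accuracy, precision, recall):", cross_validate(SAMPLES))
    classify = fit_detector(SAMPLES)
    for d in ("facebook.com", "qxzkjvbwtnrp.com"):
        print(d, "DGA" if classify(d) == 1 else "benign")
```

Two caveats a practitioner would check before trusting numbers like the abstract's: the scaler must be fit inside each fold (done above) or cross-validated precision is inflated, and naive TLD stripping misreads multi-label suffixes such as co.uk, which shifts every feature for those domains.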

