Conference: International Conference on Computer Communication and Networks

ShadowDGA: Toward Evading DGA Detectors with GANs


Abstract

Domain generation algorithms (DGAs) are widely used in modern botnets to generate large numbers of domain names through which bots can communicate with their command and control (C&C) servers. In recent years, many machine-learning-based approaches have been proposed to detect algorithmically generated domains automatically and in real time, and they have achieved success against traditional DGAs. Nevertheless, they are somewhat ineffective against adversarial domains. In this paper, we develop a more threatening DGA called ShadowDGA that uses generative adversarial networks (GANs) to simulate the distribution of benign domains and evade detection without any knowledge of the DGA detector. Experimental results demonstrate that the domains generated by ShadowDGA are the most difficult to detect compared to existing DGA families. We also present an effective defense method for adversarial domains that requires no retraining. These findings indicate that detectors relying solely on features extracted from the domain name are vulnerable, and that a robust DGA detector should incorporate additional contextual information.