CNN-HMM Model for Real Time DGA Categorization

Aimen Mahmood, Haider Abbas, Faisal Amjad

2023

Abstract

To remotely control a compromised machine, attackers establish a connection between the victim and their Command and Control (C2) server. To hide the C2 server they generate domain names algorithmically; such algorithms are called Domain Generation Algorithms (DGAs). The generated domain names are either gibberish, because characters are chosen and concatenated at random, pure dictionary words, or a combination of the two. This paper presents an algorithm that classifies the DGA running on a compromised system, in real time, as gibberish, dictionary-based, or mixed. The proposed algorithm consists of two distinct modules: i) network forensics to detect the DGA, and ii) real-time classification of the DGA using a combination of a Hidden Markov Model and a Convolutional Neural Network. The algorithm is trained and tested on more than 0.21 million samples taken from more than 50 different DGAs, and achieves accuracy of up to 99% for all three types of DGA. In addition, it can detect zero-day DGAs as well as multiple DGAs running on the same system.
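The three categories named in the abstract (gibberish, dictionary-based, mixed) can be made concrete with a small feature extractor. The following is an added example, not code from the paper or its authors, and it does not implement the paper's CNN-HMM model: it measures how much of a domain label can be tiled by dictionary words (dynamic programming over a constructed word list) and applies assumed thresholds to assign one of the three categories. The word list, the sample domains and the thresholds are all constructed for illustration.

```python
import math
from collections import Counter

# Constructed mini-dictionary. A real detector would load a full word list;
# this one is only large enough to illustrate the three DGA categories.
WORDS = {
    "bright", "window", "table", "light", "house", "bank", "secure",
    "login", "news", "mail", "cloud", "data", "shop", "home", "free", "web",
}

# Assumed thresholds (not from the paper): fraction of the label covered
# by dictionary words that we treat as "dictionary" or "gibberish".
DICTIONARY_MIN_COVERAGE = 0.8
GIBBERISH_MAX_COVERAGE = 0.2


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; higher for random-looking strings."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def dictionary_coverage(label: str, words=WORDS, min_len: int = 3) -> float:
    """Fraction of characters in `label` that can be covered by
    non-overlapping dictionary words of at least `min_len` characters.

    best[i] = maximum number of covered characters in label[:i].
    """
    n = len(label)
    if n == 0:
        return 0.0
    best = [0] * (n + 1)
    for i in range(1, n + 1):
        best[i] = best[i - 1]  # character i-1 left uncovered
        for j in range(0, i - min_len + 1):
            if label[j:i] in words:
                best[i] = max(best[i], best[j] + (i - j))
    return best[n] / n


def registrable_label(domain: str) -> str:
    """Return the label left of the TLD (e.g. 'example' for 'example.com')."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def categorize(domain: str):
    """Classify a domain as 'gibberish', 'dictionary' or 'mixed'.

    Returns (category, feature_dict) so the features can be logged
    alongside the verdict.
    """
    label = registrable_label(domain)
    coverage = dictionary_coverage(label)
    features = {
        "label": label,
        "coverage": coverage,
        "entropy": shannon_entropy(label),
    }
    if coverage >= DICTIONARY_MIN_COVERAGE:
        return "dictionary", features
    if coverage <= GIBBERISH_MAX_COVERAGE:
        return "gibberish", features
    return "mixed", features


if __name__ == "__main__":
    # Constructed sample domains, one per category.
    for d in ["xkqzvwplmr.com", "brightwindowtable.net", "tablek3fqz.org"]:
        category, feats = categorize(d)
        print(f"{d:24s} {category:10s} "
              f"coverage={feats['coverage']:.2f} entropy={feats['entropy']:.2f}")
```

The coverage score alone separates the three constructed samples cleanly; on real traffic a practitioner would feed such per-domain features, together with the sequence of domains a host queries over time, into a learned model rather than fixed thresholds, which is where the paper's HMM and CNN come in.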



Paper Citation


in Harvard Style

Mahmood A., Abbas H. and Amjad F. (2023). CNN-HMM Model for Real Time DGA Categorization. In Proceedings of the 20th International Conference on Security and Cryptography - Volume 1: SECRYPT; ISBN 978-989-758-666-8, SciTePress, pages 822-829. DOI: 10.5220/0012136800003555


in Bibtex Style

@conference{secrypt23,
author={Aimen Mahmood and Haider Abbas and Faisal Amjad},
title={CNN-HMM Model for Real Time DGA Categorization},
booktitle={Proceedings of the 20th International Conference on Security and Cryptography - Volume 1: SECRYPT},
year={2023},
pages={822-829},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0012136800003555},
isbn={978-989-758-666-8},
}


in EndNote Style

TY - CONF

JO - Proceedings of the 20th International Conference on Security and Cryptography - Volume 1: SECRYPT
TI - CNN-HMM Model for Real Time DGA Categorization
SN - 978-989-758-666-8
AU - Mahmood A.
AU - Abbas H.
AU - Amjad F.
PY - 2023
SP - 822
EP - 829
DO - 10.5220/0012136800003555
PB - SciTePress