Domain generation algorithm detection using machine learning methods

Moran Baruch, Gil David

Research output: Chapter in Book/Report/Conference proceeding - Chapter - peer-review

7 Scopus citations


A botnet is a network of private computers infected with malicious software and controlled as a group without the knowledge of the owners. Botnets are used by cybercriminals for various malicious activities, such as stealing sensitive data, sending spam, and launching Distributed Denial of Service (DDoS) attacks. A Command and Control (C&C) server sends commands to the compromised hosts to execute those malicious activities. To avoid detection, recent botnets such as Conficker, Zeus, and Cryptolocker apply a technique called Domain-Fluxing or Domain Name Generation Algorithms (DGA), in which the infected bot periodically generates and tries to resolve a large number of pseudorandom domain names until one of them is resolved by the DNS server. In this paper, we survey different machine learning methods for detecting such DGAs by analyzing only the alphanumeric characteristics of the domain names in the network. We also propose unsupervised models and evaluate their performance, comparing them with existing supervised models used in previous research in this field. The proposed unsupervised methods achieve better results than the compared supervised techniques, while detecting zero-day DGAs.

Original language: English
Title of host publication: Intelligent Systems, Control and Automation
Subtitle of host publication: Science and Engineering
Publisher: Springer Netherlands
Number of pages: 29
State: Published - 2018
Externally published: Yes

Publication series

Name: Intelligent Systems, Control and Automation: Science and Engineering
ISSN (Print): 2213-8986
ISSN (Electronic): 2213-8994

Bibliographical note

Publisher Copyright:
© 2018, Springer International Publishing AG, part of Springer Nature.

