
Please use this identifier to cite or link to this item: http://dspace.bits-pilani.ac.in:8080/jspui/handle/123456789/16085
Full metadata record
| DC Field | Value | Language |
| --- | --- | --- |
| dc.contributor.author | Bhatia, Ashutosh | - |
| dc.date.accessioned | 2024-10-14T10:54:14Z | - |
| dc.date.available | 2024-10-14T10:54:14Z | - |
| dc.date.issued | 2022-09 | - |
| dc.identifier.uri | https://www.inderscienceonline.com/doi/abs/10.1504/IJSN.2022.125512 | - |
| dc.identifier.uri | http://dspace.bits-pilani.ac.in:8080/jspui/handle/123456789/16085 | - |
| dc.description.abstract | A botnet is a network of hosts (bots) infected by a common malware and controlled by command and control (C&C) servers. Once the malware is found in an infected host, it is easy to get the domain of its C&C server and block it. To counter such detection, many malware families use probabilistic algorithms, known as domain generation algorithms (DGAs), to generate domain names for the C&C servers. In this paper, we propose a probabilistic approach to identify the domain names that are likely to be generated by malware using DGAs. The proposed solution is based on the hypothesis that the entropy of human-generated domain names should be lower than the entropy of DGA-generated domain names. Results show that the percentage of false negatives in the detection of DGA-generated domain names using the proposed method is less than 29% across 39 DGA families considered by us in our experimentation. | en_US |
| dc.language.iso | en | en_US |
| dc.publisher | Inderscience | en_US |
| dc.subject | Computer Science | en_US |
| dc.subject | Domain name system | en_US |
| dc.subject | Domain generation algorithms | en_US |
| dc.subject | Botnets | en_US |
| dc.subject | C&C server | en_US |
| dc.title | Entropy and likelihood-based detection of DGA generated domain names and their families | en_US |
| dc.type | Article | en_US |
Appears in Collections: Department of Computer Science and Information Systems

Files in This Item:
There are no files associated with this item.


Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.