Semi-supervised detection of Algorithmically Generated Domains using Neural Network-based Autoencoders

Federico Cruciani; Samuel Moore; Bronagh Quigley; CD Nugent; Sadiq Sani

Semi-supervised detection of Algorithmically Generated Domains using Neural Network-based Autoencoders

Federico Cruciani, Samuel Moore, Bronagh Quigley, CD Nugent, Sadiq Sani

BT, Adastral Part, Ipswich

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

117 Downloads (Pure)

Abstract

Domain Generation Algorithms (DGA) are typically used by recent botnets to communicate with their command-and-control server, thus exacerbating the complexity of detecting them compared to older botnets using static IP addresses. As such, recent studies have been experimenting with different approaches to detect algorithmically generated domains using a variety of methods, including Deep Learning. This paper presents a Deep Learning approach based on autoencoders as a semi-supervised method requiring only legitimate domains for training. Semi-supervised methods have an advantage over supervised methods in that they require no labelled DGA data. The proposed autoencoder structure is based on a Neural Network (NN) processing the frequency of 2-grams in domain names. The method has been compared with supervised machine learning methods and cross-validated on a second unseen dataset to evaluate the generalization of results. Results confirmed an F-score of 73% on DGA detection outperforming a NN based on letter frequencies and a Random Forest approach based on 𝑛-grams scoring 71% and 65% respectively.

Original language	English
Title of host publication	AI-CyberSec 2021 - Workshop on Artificial Intelligence and Cyber Security
Publisher	CEUR Workshop Proceedings
Pages	1-9
Number of pages	9
Publication status	Published online - 14 Dec 2021
Event	AI-Cybersec Workshop 2021: Workshop on Artificial Intelligence and Cyber Security - Virtual Duration: 14 Dec 2021 → 14 Dec 2021 https://sites.google.com/view/ai-cybersec-2021/programme?authuser=0

Publication series

Name	CEUR Workshop Proceedings
ISSN (Electronic)	1613-0073

Workshop

Workshop	AI-Cybersec Workshop 2021
Abbreviated title	AI-CyberSec
Period	14/12/21 → 14/12/21
Internet address	https://sites.google.com/view/ai-cybersec-2021/programme?authuser=0

UN SDGs

This output contributes to the following UN Sustainable Development Goals (SDGs)

Access to Document

Semi-Supervised Detection of Algorithmically Generated Domains using Neural Network based AutoencodersAuthor Accepted Manuscript -, 232 KBLicence: CC BY

Improving reliability in the internet of things through anomaly detection
Moore, S. J. (Author), Zhang, S. (Supervisor), Nugent, C. (Supervisor) & Cleland, I. (Supervisor), Sept 2022
Student thesis: Doctoral Thesis

File

Cite this

@inproceedings{cbc0ee176b1749e4a0fa4577c0040a39,

title = "Semi-supervised detection of Algorithmically Generated Domains using Neural Network-based Autoencoders",

abstract = "Domain Generation Algorithms (DGA) are typically used by recent botnets to communicate with their command-and-control server, thus exacerbating the complexity of detecting them compared to older botnets using static IP addresses. As such, recent studies have been experimenting with different approaches to detect algorithmically generated domains using a variety of methods, including Deep Learning. This paper presents a Deep Learning approach based on autoencoders as a semi-supervised method requiring only legitimate domains for training. Semi-supervised methods have an advantage over supervised methods in that they require no labelled DGA data. The proposed autoencoder structure is based on a Neural Network (NN) processing the frequency of 2-grams in domain names. The method has been compared with supervised machine learning methods and cross-validated on a second unseen dataset to evaluate the generalization of results. Results confirmed an F-score of 73\% on DGA detection outperforming a NN based on letter frequencies and a Random Forest approach based on 푛-grams scoring 71\% and 65\% respectively.",

author = "Federico Cruciani and Samuel Moore and Bronagh Quigley and CD Nugent and Sadiq Sani",

year = "2021",

month = dec,

day = "14",

language = "English",

series = "CEUR Workshop Proceedings",

publisher = "CEUR Workshop Proceedings",

pages = "1--9",

booktitle = "AI-CyberSec 2021 - Workshop on Artificial Intelligence and Cyber Security",

note = "AI-Cybersec Workshop 2021 : Workshop on Artificial Intelligence and Cyber Security, AI-CyberSec ; Conference date: 14-12-2021 Through 14-12-2021",

url = "https://sites.google.com/view/ai-cybersec-2021/programme?authuser=0",

}

Semi-supervised detection of Algorithmically Generated Domains using Neural Network-based Autoencoders. / Cruciani, Federico ; Moore, Samuel ; Quigley, Bronagh et al.
AI-CyberSec 2021 - Workshop on Artificial Intelligence and Cyber Security. CEUR Workshop Proceedings, 2021. p. 1-9 (CEUR Workshop Proceedings).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Semi-supervised detection of Algorithmically Generated Domains using Neural Network-based Autoencoders

AU - Cruciani, Federico

AU - Moore, Samuel

AU - Quigley, Bronagh

AU - Nugent, CD

AU - Sani, Sadiq

PY - 2021/12/14

Y1 - 2021/12/14

N2 - Domain Generation Algorithms (DGA) are typically used by recent botnets to communicate with their command-and-control server, thus exacerbating the complexity of detecting them compared to older botnets using static IP addresses. As such, recent studies have been experimenting with different approaches to detect algorithmically generated domains using a variety of methods, including Deep Learning. This paper presents a Deep Learning approach based on autoencoders as a semi-supervised method requiring only legitimate domains for training. Semi-supervised methods have an advantage over supervised methods in that they require no labelled DGA data. The proposed autoencoder structure is based on a Neural Network (NN) processing the frequency of 2-grams in domain names. The method has been compared with supervised machine learning methods and cross-validated on a second unseen dataset to evaluate the generalization of results. Results confirmed an F-score of 73% on DGA detection outperforming a NN based on letter frequencies and a Random Forest approach based on 푛-grams scoring 71% and 65% respectively.

AB - Domain Generation Algorithms (DGA) are typically used by recent botnets to communicate with their command-and-control server, thus exacerbating the complexity of detecting them compared to older botnets using static IP addresses. As such, recent studies have been experimenting with different approaches to detect algorithmically generated domains using a variety of methods, including Deep Learning. This paper presents a Deep Learning approach based on autoencoders as a semi-supervised method requiring only legitimate domains for training. Semi-supervised methods have an advantage over supervised methods in that they require no labelled DGA data. The proposed autoencoder structure is based on a Neural Network (NN) processing the frequency of 2-grams in domain names. The method has been compared with supervised machine learning methods and cross-validated on a second unseen dataset to evaluate the generalization of results. Results confirmed an F-score of 73% on DGA detection outperforming a NN based on letter frequencies and a Random Forest approach based on 푛-grams scoring 71% and 65% respectively.

M3 - Conference contribution

T3 - CEUR Workshop Proceedings

SP - 1

EP - 9

BT - AI-CyberSec 2021 - Workshop on Artificial Intelligence and Cyber Security

PB - CEUR Workshop Proceedings

T2 - AI-Cybersec Workshop 2021

Y2 - 14 December 2021 through 14 December 2021

ER -

Semi-supervised detection of Algorithmically Generated Domains using Neural Network-based Autoencoders

Abstract

Publication series

Workshop

UN SDGs

Access to Document

Fingerprint

Student theses

Improving reliability in the internet of things through anomaly detection

Cite this