ABSTRACT
Recently, detecting botnets and especially DGA botnets has been the research interest of many researchers worldwide because of botnets’ wide spreading, high sophistication and serious consequences to many organizations and users. Several approaches based on statistics and machine learning techniques to detect DGA botnets have been proposed. The key idea of these approaches is to construct detection models to classify legitimate domain names and botnet generated domain names. Although the initial results are promising, the false alarm rates of these approaches are still high. This paper extends the machine learning-based detection model proposed by a previous research by adding new domain classification features in order to reduce the false alarm rates as well as to increase the detection rate. Extensive experiments on a large dataset of domain names used by various DGA botnets confirm that the improved detection model outperforms the original model and some other previous DGA botnet detection models. The proposed model’s false alarm rate is less than 3.02% and its overall detection accuracy and the F1-score are both at 97.03%.
Acknowledgments
Authors thank the Cyber Security Lab, Posts and Telecommunications Institute of Technology, Hanoi, Vietnam for the facility support to complete the research project.