Akamai Security Intelligence
& Threat Research

Adversarial DGA - Is It Out There?

The Caveats of Inline DGA Mitigation

Domain generation algorithms (DGAs) are often implemented by botnets to produce a large number of domain names that bots use to communicate with their command and control (C2) servers. Accordingly, identifying algorithmically generated domains (AGD) in network traffic is a key aspect of analyzing, detecting, and possibly mitigating botnet behavior. There are three main approaches for identifying AGD: (1) predictive mitigation, (2) offline detection, and (3) inline mitigation.

Predictive mitigation is when a DGA and its secret input seed are executed in advance by a security system to generate the AGD that will appear in the future, so they can be mitigated as soon as they are requested on the security perimeter. This approach is highly accurate, as it generates the exact lists of AGD to be queried, which rarely collide with legitimate domain names. Nevertheless, it requires resources: the DGA code and secret input must be made available via reverse engineering performed by security experts (see [1]), and possibly via brute-forcing of seeds, which requires rich computational resources (see [2][3]).
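To make the idea concrete, here is a minimal sketch of predictive mitigation. The DGA itself is invented for illustration (real DGA logic must be recovered by reverse engineering, as noted above); the function names and the seed/date scheme are our assumptions, not any specific botnet's algorithm.

```python
import hashlib
from datetime import date, timedelta

def generate_domains(seed, day, count=5):
    """Hypothetical, illustrative DGA: derive deterministic domain names
    from a secret seed and the current date. Real DGAs differ, but share
    this deterministic seed-plus-time structure."""
    domains = []
    for i in range(count):
        digest = hashlib.md5(f"{seed}-{day.isoformat()}-{i}".encode()).hexdigest()
        # Map the first 12 hex digits to lowercase letters to form a label.
        label = "".join(chr(ord('a') + int(c, 16) % 26) for c in digest[:12])
        domains.append(label + ".com")
    return domains

def build_blocklist(seed, start, days):
    """Pre-compute every domain the botnet will query over the next `days`
    days, so a resolver can mitigate them the moment they are requested."""
    blocklist = set()
    for offset in range(days):
        blocklist.update(generate_domains(seed, start + timedelta(days=offset)))
    return blocklist
```

Because client and server run the same deterministic algorithm, a defender who recovers the code and seed can enumerate the full future blocklist, which is what makes this approach so accurate.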

Offline detection is another approach that complements predictive mitigation by using machine learning to detect AGD whose DGA code or seed are not available. Offline detection systems often focus on non-resolving, non-registered, or newly seen domains that are unreadable and are queried in bursts, all of which are behaviors strongly associated with AGD (see [4][5]); this strong association yields acceptable false positive rates and explainable results. The main limitation of offline DGA detection systems is that collecting the additional network traffic and registration patterns that provide this context takes time, so the approach can be used only for detection and never for mitigation. This is where inline DGA mitigation comes in.
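One of the contextual signals mentioned above, bursts of non-resolving queries, can be sketched as a simple offline heuristic. This is not any production system's logic; the function, thresholds, and log format are assumptions for illustration only.

```python
from collections import defaultdict

def flag_bursty_clients(dns_log, window=300, min_nx=10):
    """Hypothetical offline heuristic: flag clients that issue a burst of
    non-resolving (NXDOMAIN) queries within a short time window, a pattern
    typical of bots cycling through unregistered AGD.
    `dns_log` is an iterable of (client, timestamp, resolved) tuples."""
    nx_times = defaultdict(list)
    for client, ts, resolved in dns_log:
        if not resolved:
            nx_times[client].append(ts)
    flagged = set()
    for client, times in nx_times.items():
        times.sort()
        # Slide a window over the sorted timestamps, looking for a burst.
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= min_nx:
                flagged.add(client)
                break
    return flagged
```

The heuristic illustrates why offline detection lags behind the traffic it analyzes: the burst must complete before it can be observed, which is exactly why this approach detects rather than mitigates.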

Inline DGA mitigation is a relatively new approach that emerged with the rise of deep neural networks, which are used to identify AGD based merely on the domain names, without any additional context (see [6][7][8][9]). The results of inline DGA mitigation studies indicate that these models are capable of distinguishing legitimate domain names from known AGD with superb accuracy. However, a major question was left unanswered by these studies: how would inline DGA detection models deal with adversarial examples (i.e., malicious domain names that were carefully crafted to "fool" these models and be classified as benign)?
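The published inline detectors are character-level deep networks; as a toy stand-in that captures the key property, classification from the name alone, a character-entropy score over the second-level label can be used. The function name and threshold below are our assumptions, and this heuristic is far weaker than the LSTM/CNN models in the cited papers.

```python
import math
from collections import Counter

def char_entropy(s):
    """Shannon entropy (bits per character) of a string."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_generated(domain, entropy_threshold=3.5):
    """Toy inline classifier: score only the second-level label, with no
    external context (no resolution status, no registration data). High
    character entropy is a crude proxy for algorithmic generation."""
    label = domain.split(".")[0]
    return char_entropy(label) >= entropy_threshold
```

The appeal of the inline setting is exactly this: the decision requires nothing but the queried name, so it can run at resolution time. The flip side, as the adversarial attacks below show, is that an attacker who controls the name controls the entire model input.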

Adversarial Domain Generation Algorithms

Adversarial learning is a field of machine learning that deals with generating data samples (a.k.a. adversarial samples) crafted to cause a misclassification by a targeted machine learning model. Notorious published examples show how an autonomous car can be tricked into reading a stop sign as another sign, or an image classification model into identifying a panda bear as a gibbon [10]. Several adversarial models were recently introduced against inline DGA detection models.

DeepDGA [11] is the first work to apply adversarial learning to the field of DGA detection, using a generative adversarial network (GAN) to generate domain names that appear as if they were sampled from the benign Alexa Top 1M domain list [14]. DeepDGA was originally designed as a mechanism to improve the robustness of inline DGA detection models against overfitting, not as an attack. However, few changes would be required to use it offensively.

MaskDGA [12] is another study that, in contrast to DeepDGA, was designed as a practical attack, applying gradient-based adversarial techniques to existing DGAs. MaskDGA was evaluated on four state-of-the-art inline DGA classifiers. The results of the study indicate that DGA classification models are extremely vulnerable to gradient-based attacks, which cause them to misclassify more than half of the crafted AGD, establishing MaskDGA as the most effective adversarial DGA.

CharBot [13] is recent research that provides a simple and efficient technique: benign domain names are sampled from the first 100k records of the Alexa Top 1M list [14], their TLD is selected at random, and two arbitrary characters are resampled uniformly from the alphabet of letters, digits, and hyphens (LDH). Accordingly, by using the same seed on both the client and server side, CharBot would require only several lines of code to be applied within a botnet while providing good results.
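The CharBot scheme really is only a few lines; the sketch below follows the description above under our own assumptions (a tiny stand-in benign list instead of the Alexa top 100k, and an invented TLD set), so it illustrates the mechanism rather than reproducing the paper's exact implementation.

```python
import random

# Stand-in inputs for illustration: a tiny benign list (the paper uses the
# Alexa top 100k) and the LDH alphabet of letters, digits, and hyphens.
BENIGN = ["google", "facebook", "youtube", "wikipedia", "amazon"]
TLDS = [".com", ".net", ".org", ".info"]
LDH = "abcdefghijklmnopqrstuvwxyz0123456789-"

def charbot_domain(seed):
    """Sketch of the CharBot idea: pick a benign name, resample two of its
    characters from the LDH alphabet, and attach a random TLD. A shared
    seed lets client and server derive the same domain independently."""
    rng = random.Random(seed)
    name = list(rng.choice(BENIGN))
    for _ in range(2):
        pos = rng.randrange(len(name))
        name[pos] = rng.choice(LDH)
    return "".join(name) + rng.choice(TLDS)
```

Because the output stays two edits away from a genuinely popular domain, it inherits most of the character-level statistics that inline classifiers learn from benign traffic, which is what makes the attack effective despite its simplicity.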

Are There Adversarial DGAs "in the Wild"?

Akamai's security products implement several methods for DGA detection, including predictive mitigation [2][3] and offline detection [4][15]. Following every offline detection, we apply an algorithm to the detected AGD to classify the botnet they originated from. In some cases, the observed AGD do not match the pattern of any publicly known botnet (per [16]), and thus we assign them a designated name.

Is it possible that a detected AGD classified as unknown is actually the product of an adversarial DGA? This question might remain unanswered for a while. To help answer it, we share some of these custom-named detections, so that readers might share their insights about these domains and, potentially, about their relation to adversarial DGAs.

AGD Family #1:

The first family of AGD is queried on an hourly basis by hundreds of users in our ISP traffic. All of the domain names alternate between odd letters ('a', 'c', 'e', ...) and even letters ('b', 'd', 'f', ...), which is common in DGAs that use a linear congruential generator (LCG) as their pseudorandom number generator, such as Vawtrak and Corebot. The domain names are of varying lengths and use the .com top-level domain. Some example domains appear below:

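The alternation pattern that characterizes this family is easy to test for programmatically. The following check is our own sketch (the function name and the treatment of non-alphabetic labels are assumptions), not the classification logic used in our products.

```python
def alternates_parity(label):
    """Check whether a label alternates between odd letters ('a', 'c', 'e', ...)
    and even letters ('b', 'd', 'f', ...), the pattern observed in this AGD
    family and typical of some LCG-based DGAs such as Vawtrak and Corebot."""
    if not label.isalpha():
        return False
    # Parity of each letter's position in the alphabet: a=0, b=1, c=2, ...
    parities = [(ord(c) - ord('a')) % 2 for c in label.lower()]
    # Every adjacent pair must have opposite parity.
    return all(p != q for p, q in zip(parities, parities[1:]))
```

A check like this is cheap enough to run inline, although on its own it would also match some legitimate names, so it serves as a family fingerprint rather than a standalone detector.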

AGD Family #2:

The second family also appears on an hourly basis in our ISP traffic. Domain names in this family have a length of 12-23 characters, and the top-level domains used are .info, .ru, and .xyz. Some example domains appear below:
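The observable constraints of this family (label length and TLD set) can be expressed as a simple pattern. The character-set assumption below (lowercase LDH labels) is ours; the description above fixes only the length range and the TLDs.

```python
import re

# Pattern derived from the family description: a 12-23 character
# second-level label on one of the three observed TLDs. The LDH
# character class is an assumption for illustration.
FAMILY2 = re.compile(r"[a-z0-9-]{12,23}\.(info|ru|xyz)")

def matches_family2(domain):
    """Check whether a domain fits the observed shape of the second family."""
    return bool(FAMILY2.fullmatch(domain.lower()))
```

As with the first family, a shape match like this narrows the candidate set but cannot by itself attribute the domains to a known (or adversarial) DGA.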



Adversarial DGAs are attacks against inline DGA classification models. We described three such attacks that were published recently, and a major question that arises is whether they are actually used by attackers. Though this question remains unanswered, we share two families of AGD that have been detected by Akamai's security products and are not tied to any known botnet to date, and thus might be related to adversarial DGAs.


[1] - Plohmann, Daniel, et al. "A comprehensive measurement study of domain generating malware." 25th USENIX Security Symposium (USENIX Security 16). 2016.

[2] - https://securityboulevard.com/2019/02/ramnit-in-the-uk/

[3] - https://www.botconf.eu/2017/math-gpu-dns-cracking-locky-seeds-in-real-time-without-analyzing-samples/

[4] - https://www.botconf.eu/2017/augmented-intelligence-to-scale-humans-fighting-botnets/

[5] - Antonakakis, Manos, et al. "From throw-away traffic to bots: detecting the rise of DGA-based malware." Presented as part of the 21st USENIX Security Symposium (USENIX Security 12). 2012.

[6] - Bilge, Leyla, et al. "EXPOSURE: Finding Malicious Domains Using Passive DNS Analysis." NDSS. 2011.

[7] - Woodbridge, Jonathan, et al. "Predicting domain generation algorithms with long short-term memory networks." arXiv preprint arXiv:1611.00791 (2016).

[8] - Yu, Bin, et al. "Character level based detection of DGA domain names." 2018 International Joint Conference on Neural Networks (IJCNN). IEEE, 2018.

[9] - Yu, Bin, et al. "Inline DGA detection with deep networks." 2017 IEEE International Conference on Data Mining Workshops (ICDMW). IEEE, 2017.

[10] - https://openai.com/blog/adversarial-example-research/

[11] - Anderson, Hyrum S., Jonathan Woodbridge, and Bobby Filar. "DeepDGA: Adversarially-tuned domain generation and detection." Proceedings of the 2016 ACM Workshop on Artificial Intelligence and Security. ACM, 2016.

[12] - Sidi, Lior, Asaf Nadler, and Asaf Shabtai. "MaskDGA: A Black-box Evasion Technique Against DGA Classifiers and Adversarial Defenses." arXiv preprint arXiv:1902.08909 (2019).

[13] - Peck, Jonathan, et al. "CharBot: A Simple and Effective Method for Evading DGA Classifiers." arXiv preprint arXiv:1905.01078 (2019).

[14] - https://www.alexa.com/topsites

[15] - https://blogs.akamai.com/sitr/2019/04/does-dns-data-really-matter.html

[16] - https://data.netlab.360.com/dga/