Journal articles on the topic 'Malicious domain names'

1

Yang, Cheng, Tianliang Lu, Shangyi Yan, Jianling Zhang, and Xingzhan Yu. "N-Trans: Parallel Detection Algorithm for DGA Domain Names." Future Internet 14, no. 7 (2022): 209. http://dx.doi.org/10.3390/fi14070209.

Abstract:
Domain name generation algorithms are widely used in malware, such as botnet binaries, to generate large sequences of domain names of which some are registered by cybercriminals. Accurate detection of malicious domains can effectively defend against cyber attacks. The detection of such malicious domain names by the use of traditional machine learning algorithms has been explored by many researchers, but still is not perfect. To further improve on this, we propose a novel parallel detection model named N-Trans that is based on the N-gram algorithm with the Transformer model. First, we add flag bits to the first and last positions of the domain name for the parallel combination of the N-gram algorithm and Transformer framework to detect a domain name. The model can effectively extract the letter combination features and capture the position features of letters in the domain name. It can capture features such as the first and last letters in the domain name and the position relationship between letters. In addition, it can accurately distinguish between legitimate and malicious domain names. In the experiment, the dataset is the legal domain name of Alexa and the malicious domain name collected by the 360 Security Lab. The experimental results show that the parallel detection model based on N-gram and Transformer achieves 96.97% accuracy for DGA malicious domain name detection. It can effectively and accurately identify malicious domain names and outperforms the mainstream malicious domain name detection algorithms.
2

Yang, Luhui, Guangjie Liu, Weiwei Liu, Huiwen Bai, Jiangtao Zhai, and Yuewei Dai. "Detecting Multielement Algorithmically Generated Domain Names Based on Adaptive Embedding Model." Security and Communication Networks 2021 (May 31, 2021): 1–20. http://dx.doi.org/10.1155/2021/5567635.

Abstract:
With the development of detection algorithms on malicious dynamic domain names, domain generation algorithms have developed to be more stealthy. The use of multiple elements for generating domains will lead to higher detection difficulty. To effectively improve the detection accuracy of algorithmically generated domain names based on multiple elements, a domain name syntax model is proposed, which analyzes the multiple elements in domain names and their syntactic relationship, and an adaptive embedding method is proposed to achieve effective element parsing of domain names. A parallel convolutional model based on the feature selection module combined with an improved dynamic loss function based on curriculum learning is proposed, which can achieve effective detection on multielement malicious domain names. A series of experiments are designed and the proposed model is compared with five previous algorithms. The experimental results denote that the detection accuracy of the proposed model for multiple-element malicious domain names is significantly higher than that of the comparison algorithms and also has good adaptability to other types of malicious domain names.
3

Wagan, Atif Ali, Qianmu Li, Zubair Zaland, et al. "A Unified Learning Approach for Malicious Domain Name Detection." Axioms 12, no. 5 (2023): 458. http://dx.doi.org/10.3390/axioms12050458.

Abstract:
The DNS firewall plays an important role in network security. It is based on a list of known malicious domain names, and, based on these lists, the firewall blocks communication with these domain names. However, DNS firewalls can only block known malicious domain names, excluding communication with unknown malicious domain names. Prior research has found that machine learning techniques are effective for detecting unknown malicious domain names. However, those methods have limited capabilities to learn from both textual and numerical data. To solve this issue, we present a novel unified learning approach that uses both numerical and textual features of the domain name to classify whether a domain name pair is malicious or not. The experiments were conducted on a benchmark domain names dataset consisting of 90,000 domain names. The experimental results show that the proposed approach performs significantly better than the six comparative methods in terms of accuracy, precision, recall, and F1-Score.
4

Zhao, Hong, Zhaobin Chang, Guangbin Bao, and Xiangyan Zeng. "Malicious Domain Names Detection Algorithm Based on N-Gram." Journal of Computer Networks and Communications 2019 (February 3, 2019): 1–9. http://dx.doi.org/10.1155/2019/4612474.

Abstract:
Malicious domain name attacks have become a serious issue for Internet security. In this study, a malicious domain names detection algorithm based on N-Gram is proposed. The top 100,000 domain names in Alexa 2013 are used in the N-Gram method. Each domain name excluding the top-level domain is segmented into substrings according to its domain level with the lengths of 3, 4, 5, 6, and 7. The substring set of the 100,000 domain names is established, and the weight value of a substring is calculated according to its occurrence number in the substring set. To detect a malicious attack, the domain name is also segmented by the N-Gram method and its reputation value is calculated based on the weight values of its substrings. Finally, the judgment of whether the domain name is malicious is made by thresholding. In the experiments on Alexa 2017 and Malware domain list, the proposed detection algorithm yielded an accuracy rate of 94.04%, a false negative rate of 7.42%, and a false positive rate of 6.14%. The time complexity is lower than other popular malicious domain names detection algorithms.
5

Alhogail, Areej, and Isra Al-Turaiki. "Improved Detection of Malicious Domain Names Using Gradient Boosted Machines and Feature Engineering." Information Technology and Control 51, no. 2 (2022): 313–31. http://dx.doi.org/10.5755/j01.itc.51.2.30380.

Abstract:
Malicious domain names have been commonly used in recent years to launch different cyber-attacks. There are a large number of malicious domains that are registered every day and some of which are only active for brief periods of time. Therefore, the automated malicious domain names detection is needed to provide security for individuals and organisations. As new technologies continue to emerge, the detection of malicious domain names remains a challenging task. In this study, we propose a model to effectively detect malicious domain names. This is done by evaluating the performance of several machine learning algorithms and feature importance measures using a recent DNS dataset. Based on the empirical evaluation, the gradient boosted machines GBM classification with a combination of lexical and host-based features produce the most accurate detection rates of 98.8% accuracy and a low false positive rate of 0.003. In terms of feature importance, measures used in this study agree on the importance of six features, five of which are lexical in nature. Furthermore, to make the best out of these relevant features, we apply automatic feature engineering. Our results show that preprocessing the dataset using deep feature synthesis and then reducing the dimensionality improves the classifications performance as compared to using raw features. The results of this study are then verified using a challenging category of domain names, the domain generation algorithm dataset, and consistent results are obtained.
6

Desmet, Lieven, Jan Spooren, Thomas Vissers, Peter Janssen, and Wouter Joosen. "Premadoma." Digital Threats: Research and Practice 2, no. 1 (2021): 1–24. http://dx.doi.org/10.1145/3419476.

Abstract:
DNS is one of the most essential components of the Internet, mapping domain names to the IP addresses behind almost every online service. Domain names are therefore also a fundamental tool for attackers to quickly locate and relocate their malicious activities on the Internet. In this article, we design and evaluate Premadoma, a solution for DNS registries to predict malicious intent well before a domain name becomes operational. In contrast to blacklists, which only offer protection after some harm has already been done, this system can prevent domain names from being used before they can pose any threats. We advance the state of the art by leveraging recent insights into the ecosystem of malicious domain registrations, focusing explicitly on facilitators employed for bulk registration and similarity patterns in registrant information. We thoroughly evaluate the proposed prediction model's performance and adaptability on an 11-month testing set and address complex and domain-specific dataset challenges. Moreover, we have successfully deployed Premadoma in the operational environment of the .eu ccTLD registry, resulting in a decline of malicious registrations. Finally, we have identified and quantified three possible evasion patterns and have observed changes in the malicious registration ecosystem since Premadoma has been operationalized.
7

Satoh, Akihiro, Yutaka Fukuda, Gen Kitagata, and Yutaka Nakamura. "A Word-Level Analytical Approach for Identifying Malicious Domain Names Caused by Dictionary-Based DGA Malware." Electronics 10, no. 9 (2021): 1039. http://dx.doi.org/10.3390/electronics10091039.

Abstract:
Computer networks are facing serious threats from the emergence of malware with sophisticated DGAs (Domain Generation Algorithms). This type of DGA malware dynamically generates domain names by concatenating words from dictionaries for evading detection. In this paper, we propose an approach for identifying the callback communications of such dictionary-based DGA malware by analyzing their domain names at the word level. This approach is based on the following observations: These malware families use their own dictionaries and algorithms to generate domain names, and accordingly, the word usages of malware-generated domains are distinctly different from those of human-generated domains. Our evaluation indicates that the proposed approach is capable of achieving accuracy, recall, and precision as high as 0.9989, 0.9977, and 0.9869, respectively, when used with labeled datasets. We also clarify the functional differences between our approach and other published methods via qualitative comparisons. Taken together, these results suggest that malware-infected machines can be identified and removed from networks using DNS queries for detected malicious domain names as triggers. Our approach contributes to dramatically improving network security by providing a technique to address various types of malware encroachment.
8

Chiba, Daiki, Mitsuaki Akiyama, Takeshi Yagi, Kunio Hato, Tatsuya Mori, and Shigeki Goto. "DomainChroma: Building actionable threat intelligence from malicious domain names." Computers & Security 77 (August 2018): 138–61. http://dx.doi.org/10.1016/j.cose.2018.03.013.

9

Moskvichev, Anton, and Ksenia Moskvicheva. "Using DNS Tunneling to Transfer Malicious Software." Voprosy kiberbezopasnosti, no. 4(50) (2022): 91–99. http://dx.doi.org/10.21681/2311-3456-2022-4-91-99.

Abstract:
Purpose of the article: to develop a way to increase the level of protection of an information system from an attack using DNS tunneling. Method: using entropy to identify domains and subdomains used when transferring data through a DNS tunnel. The result: a method of data transmission through the DNS protocol bypassing the information security tools is considered. A malicious file was transferred using DNS tunneling, and an analysis was made of the operation of information protection tools during transmission. Information security tools do not detect the transfer of a malicious file via the DNS protocol, but they do if it is transferred in clear text. The concept of information entropy and its role in data processing are given. By calculating the entropy for domain names, the domain used in the transmission of a malicious file through the DNS tunnel was identified. It is concluded that entropy can be used not only to detect data transfer through the DNS tunnel, but also to detect the activity of malicious software that uses random domain and subdomain names in its work. The scientific novelty lies in the fact that malicious activity is detected without using a knowledge base. There is no need to signature-check each DNS request; it is enough to calculate the entropy to detect an attack.
10

Ho, Hieu Duc, and Huong Van Ho. "Technical research of detection algorithmically generated malicious domain names using machine learning methods." Journal of Science and Technology on Information security 7, no. 1 (2020): 37–43. http://dx.doi.org/10.54654/isj.v7i1.54.

Abstract:
In recent years, many malware families use domain generation algorithms to generate a large number of domains to maintain their Command and Control (C&C) network infrastructure. In this paper, we present an approach for detecting malicious domain names using machine learning methods. This approach uses the Viterbi algorithm and a dictionary for constructing features of domain names. The approach is demonstrated using a range of legitimate domains and a number of malicious algorithmically generated domain names. The numerical results show the efficiency of this method.

Summary (translated from the Vietnamese): In recent years, much malware uses domain generation algorithms to create a large number of domain names in order to maintain command and control (C&C) network infrastructure. In this paper, we present an approach to detecting malicious domain names using machine learning methods. This approach uses the Viterbi algorithm and a dictionary to extract the features of domain names. The approach is demonstrated using a large number of legitimate domain names and a large number of malicious domain names generated by a domain generation algorithm. The experimental results show the effectiveness of the method.
11

Vinayakumar, R., K. P. Soman, and Prabaharan Poornachandran. "Detecting malicious domain names using deep learning approaches at scale." Journal of Intelligent & Fuzzy Systems 34, no. 3 (2018): 1355–67. http://dx.doi.org/10.3233/jifs-169431.

12

Bubnov, Ya V., and N. N. Ivanov. "Text analysis of DNS queries for data exfiltration protection of computer networks." Informatics 17, no. 3 (2020): 78–86. http://dx.doi.org/10.37661/1816-0301-2020-17-3-78-86.

Abstract:
The paper proposes an effective method of protecting computer networks from data exfiltration through the domain name system. Data exfiltration by Domain Name System (DNS) is an approach to conceal the transfer of confidential data to a remote adversary using data encapsulation into the requested domain name. The DNS requests that transfer stolen information from a host infected by malicious software to an external host controlled by a malefactor are considered. The paper proposes a method of detecting such DNS requests based on text classification of domain names by a convolutional neural network. The efficiency of the method is based on the assumption that domain names exploited for data exfiltration differ from domain names formed from words of natural language. To classify the requests in the convolutional neural network, the use of character embedding for representing the string of a domain name is proposed. Quality evaluation of the trained neural network used for recognition of data exfiltration through the domain name system is performed using ROC analysis. The paper presents the software architecture used for deployment of the trained neural network into the existing infrastructure of the domain name system, targeting practical protection of computer networks from data exfiltration. The architecture implies the creation of response policy zones for blocking individual requests classified as malicious.
13

Jeng, Tzung-Han, Yi-Ming Chen, Chien-Chih Chen, and Chuan-Chiang Huang. "MD-MinerP: Interaction Profiling Bipartite Graph Mining for Malware-Control Domain Detection." Security and Communication Networks 2020 (October 29, 2020): 1–20. http://dx.doi.org/10.1155/2020/8841544.

Abstract:
Despite the efforts of information security experts, cybercrimes are still emerging at an alarming rate. Among the tools used by cybercriminals, malicious domains are indispensable and harm from the Internet has become a global problem. Malicious domains play an important role from SPAM and Cross-Site Scripting (XSS) threats to Botnet and Advanced Persistent Threat (APT) attacks at large scales. To ensure there is not a single point of failure or to prevent their detection and blocking, malware authors have employed domain generation algorithms (DGAs) and domain-flux techniques to generate a large number of domain names for malicious servers. As a result, malicious servers are difficult to detect and remove. Furthermore, the clues of cybercrime are stored in network traffic logs, but analyzing long-term big network traffic data is a challenge. To adapt the technology of cybercrimes and automatically detect unknown malicious threats, we previously proposed a system called MD-Miner. To improve its efficiency and accuracy, we propose the MD-MinerP here, which generates more features with identification capabilities in the feature extraction stage. Moreover, MD-MinerP adapts interaction profiling bipartite graphs instead of annotated bipartite graphs. The experimental results show that MD-MinerP has better area under curve (AUC) results and found new malicious domains that could not be recognized by other threat intelligence systems. The MD-MinerP exhibits both scalability and applicability, which has been experimentally validated on actual enterprise network traffic.
14

Huang, XiangDong, Hao Li, Jiajia Liu, et al. "A Malicious Domain Detection Model Based on Improved Deep Learning." Computational Intelligence and Neuroscience 2022 (June 25, 2022): 1–13. http://dx.doi.org/10.1155/2022/9241670.

Abstract:
With the rapid development of the Internet, malicious domain names pose more and more serious threats to many fields, such as network security and social security, and there have been many research results on malicious domain detection. This article proposes a malicious domain name detection model based on improved deep learning, which can combine the advantages of three different network models, convolutional neural network (CNN), temporal convolutional network (TCN), and long short-term memory network (LSTM) in malicious domain name detection, to obtain a better detection effect than that of the original single or two models. Experiments show that the effect of the improved deep learning model proposed in this article is better than that of the combined model of CNN and LSTM or the combined model of CNN and TCN, and the accuracy and regression rates reached 99.76% and 98.81%, respectively.
15

Luo, Xi, Yixin Li, Hongyuan Cheng, and Lihua Yin. "AGCN-Domain: Detecting Malicious Domains with Graph Convolutional Network and Attention Mechanism." Mathematics 12, no. 5 (2024): 640. http://dx.doi.org/10.3390/math12050640.

Abstract:
Domain Name System (DNS) plays an infrastructure role in providing the directory service for mapping domains to IPs on the Internet. Considering the foundation and openness of DNS, it is not surprising that adversaries register massive domains to enable multiple malicious activities, such as spam, command and control (C&C), malware distribution, click fraud, etc. Therefore, detecting malicious domains is a significant topic in security research. Although a substantial quantity of research has been conducted, previous work has failed to fuse multiple relationship features to uncover the deep underlying relationships between domains, thus largely limiting their level of performance. In this paper, we proposed AGCN-Domain to detect malicious domains by combining various relations. The core concept behind our work is to analyze relations between domains according to their behaviors in multiple perspectives and fuse them intelligently. The AGCN-Domain model utilizes three relationships (client relation, resolution relation, and cname relation) to construct three relationship feature graphs to extract features and intelligently fuse the features extracted from the graphs through an attention mechanism. After the relationship features are extracted from the domain names, they are put into the trained classifier to be processed. Through our experiments, we have demonstrated the performance of our proposed AGCN-Domain model. With 10% initialized labels in the dataset, our AGCN-Domain model achieved an accuracy of 94.27% and the F1 score of 87.93%, significantly outperforming other methods in the comparative experiments.
16

Zeng, Feng. "Classification for DGA-Based Malicious Domain Names with Deep Learning Architectures." International Journal of Intelligent Information Systems 6, no. 6 (2017): 67. http://dx.doi.org/10.11648/j.ijiis.20170606.11.

17

Selvi, Jose, Ricardo J. Rodríguez, and Emilio Soria-Olivas. "Detection of algorithmically generated malicious domain names using masked N-grams." Expert Systems with Applications 124 (June 2019): 156–63. http://dx.doi.org/10.1016/j.eswa.2019.01.050.

18

FUKUSHI, Naoki, Daiki CHIBA, Mitsuaki AKIYAMA, and Masato UCHIDA. "Exploration into Gray Area: Toward Efficient Labeling for Detecting Malicious Domain Names." IEICE Transactions on Communications E103.B, no. 4 (2020): 375–88. http://dx.doi.org/10.1587/transcom.2019nrp0005.

19

Tang, Hengliang, and Chengang Dong. "Detection of malicious domain names based on an improved hidden Markov model." International Journal of Wireless and Mobile Computing 16, no. 1 (2019): 58. http://dx.doi.org/10.1504/ijwmc.2019.097426.

20

Dong, Chengang, and Hengliang Tang. "Detection of malicious domain names based on an improved hidden Markov model." International Journal of Wireless and Mobile Computing 16, no. 1 (2019): 58. http://dx.doi.org/10.1504/ijwmc.2019.10018546.

21

Zhao, Hong, Zhaobin Chang, Weijie Wang, and Xiangyan Zeng. "Malicious Domain Names Detection Algorithm Based on Lexical Analysis and Feature Quantification." IEEE Access 7 (2019): 128990–99. http://dx.doi.org/10.1109/access.2019.2940554.

22

Ndichu, Samuel, Sangwook Kim, Seiichi Ozawa, Tao Ban, Takeshi Takahashi, and Daisuke Inoue. "Detecting Web-Based Attacks with SHAP and Tree Ensemble Machine Learning Methods." Applied Sciences 12, no. 1 (2021): 60. http://dx.doi.org/10.3390/app12010060.

Abstract:
Attacks using Uniform Resource Locators (URLs) and their JavaScript (JS) code content to perpetrate malicious activities on the Internet are rampant and continuously evolving. Methods such as blocklisting, client honeypots, domain reputation inspection, and heuristic and signature-based systems are used to detect these malicious activities. Recently, machine learning approaches have been proposed; however, challenges still exist. First, blocklist systems are easily evaded by new URLs and JS code content, obfuscation, fast-flux, cloaking, and URL shortening. Second, heuristic and signature-based systems do not generalize well to zero-day attacks. Third, the Domain Name System allows cybercriminals to easily migrate their malicious servers to hide their Internet protocol addresses behind domain names. Finally, crafting fully representative features is challenging, even for domain experts. This study proposes a feature selection and classification approach for malicious JS code content using Shapley additive explanations and tree ensemble methods. The JS code features are obtained from the Abstract Syntax Tree form of the JS code, sample JS attack codes, and association rule mining. The malicious and benign JS code datasets obtained from Hynek Petrak and the Majestic Million Service were used for performance evaluation. We compared the performance of the proposed method to those of other feature selection methods in the task of malicious JS code content detection. With a recall of 0.9989, our experimental results show that the proposed approach is a better prediction model.
23

SATOH, Akihiro, Yutaka NAKAMURA, Yutaka FUKUDA, Daiki NOBAYASHI, and Takeshi IKENAGA. "An Approach for Identifying Malicious Domain Names Generated by Dictionary-Based DGA Bots." IEICE Transactions on Information and Systems E104.D, no. 5 (2021): 669–72. http://dx.doi.org/10.1587/transinf.2020ntl0001.

24

Satoh, Akihiro, Yutaka Fukuda, Toyohiro Hayashi, and Gen Kitagata. "A Superficial Analysis Approach for Identifying Malicious Domain Names Generated by DGA Malware." IEEE Open Journal of the Communications Society 1 (2020): 1837–49. http://dx.doi.org/10.1109/ojcoms.2020.3038704.

25

Liu, Zhanghui, Yudong Zhang, Yuzhong Chen, Xinwen Fan, and Chen Dong. "Detection of Algorithmically Generated Domain Names Using the Recurrent Convolutional Neural Network with Spatial Pyramid Pooling." Entropy 22, no. 9 (2020): 1058. http://dx.doi.org/10.3390/e22091058.

Abstract:
Domain generation algorithms (DGAs) use specific parameters as random seeds to generate a large number of random domain names to prevent malicious domain name detection. This greatly increases the difficulty of detecting and defending against botnets and malware. Traditional models for detecting algorithmically generated domain names generally rely on manually extracting statistical characteristics from the domain names or network traffic and then employing classifiers to distinguish the algorithmically generated domain names. These models always require labor intensive manual feature engineering. In contrast, most state-of-the-art models based on deep neural networks are sensitive to imbalance in the sample distribution and cannot fully exploit the discriminative class features in domain names or network traffic, leading to decreased detection accuracy. To address these issues, we employ the borderline synthetic minority over-sampling algorithm (SMOTE) to improve sample balance. We also propose a recurrent convolutional neural network with spatial pyramid pooling (RCNN-SPP) to extract discriminative and distinctive class features. The recurrent convolutional neural network combines a convolutional neural network (CNN) and a bi-directional long short-term memory network (Bi-LSTM) to extract both the semantic and contextual information from domain names. We then employ the spatial pyramid pooling strategy to refine the contextual representation by capturing multi-scale contextual information from domain names. The experimental results from different domain name datasets demonstrate that our model can achieve 92.36% accuracy, an 89.55% recall rate, a 90.46% F1-score, and 95.39% AUC in identifying DGA and legitimate domain names, and it can achieve 92.45% accuracy rate, a 90.12% recall rate, a 90.86% F1-score, and 96.59% AUC in multi-classification problems. It achieves significant improvement over existing models in terms of accuracy and robustness.
26

Papadopoulos, Pavlos, Nikolaos Pitropakis, William J. Buchanan, Owen Lo, and Sokratis Katsikas. "Privacy-Preserving Passive DNS." Computers 9, no. 3 (2020): 64. http://dx.doi.org/10.3390/computers9030064.

Abstract:
The Domain Name System (DNS) was created to resolve the IP addresses of web servers to easily remembered names. When it was initially created, security was not a major concern; nowadays, this lack of inherent security and trust has exposed the global DNS infrastructure to malicious actors. The passive DNS data collection process creates a database containing various DNS data elements, some of which are personal and need to be protected to preserve the privacy of the end users. To this end, we propose the use of distributed ledger technology. We use Hyperledger Fabric to create a permissioned blockchain, which only authorized entities can access. The proposed solution supports queries for storing and retrieving data from the blockchain ledger, allowing the use of the passive DNS database for further analysis, e.g., for the identification of malicious domain names. Additionally, it effectively protects the DNS personal data from unauthorized entities, including the administrators that can act as potential malicious insiders, and allows only the data owners to perform queries over these data. We evaluated our proposed solution by creating a proof-of-concept experimental setup that passively collects DNS data from a network and then uses the distributed ledger technology to store the data in an immutable ledger, thus providing a full historical overview of all the records.
27

Lin, Shaoqing, Shangping Zhong, and Kaizhi Cheng. "A Method with Pre-trained Word Vectors for Detecting Wordlist-based Malicious Domain Names." Journal of Physics: Conference Series 1757, no. 1 (2021): 012171. http://dx.doi.org/10.1088/1742-6596/1757/1/012171.

28

Chen, Shaojie, Bo Lang, Yikai Chen, and Chong Xie. "Detection of Algorithmically Generated Malicious Domain Names with Feature Fusion of Meaningful Word Segmentation and N-Gram Sequences." Applied Sciences 13, no. 7 (2023): 4406. http://dx.doi.org/10.3390/app13074406.

Abstract:
Domain generation algorithms (DGAs) play an important role in network attacks and can be mainly divided into two types: dictionary-based and character-based. Dictionary-based algorithmically generated domains (AGDs) are similar in composition to normal domains and are harder to detect. Although methods based on meaningful word segmentation and n-gram sequence features exhibit good detection performance for AGDs, they are inadequate for mining meaningful word features of domain names, and the performance of hybrid detection of character-based and dictionary-based AGDs needs to be further improved. Therefore, in this paper, we first describe the composition of dictionary-based AGDs using meaningful word segmentation, introduce the standard deviation to better measure the word distribution features, and construct additional 11-dimensional statistical features for word segmentation results as a supplement. Then, by combining 3-gram and 1-gram sequence features, we improve the detection performance for both character-based and dictionary-based AGDs. Finally, we perform feature fusion of the above four kinds of features to achieve an end-to-end detection method for both kinds of AGDs. Experimental results showed that our method achieved an accuracy of 97.24% on the full dataset and better accuracy and F1 values than existing methods on both dictionary-based and character-based AGD datasets.
29

Al-Nawasrah, Ahmad, Ammar Ali Almomani, Samer Atawneh, and Mohammad Alauthman. "A Survey of Fast Flux Botnet Detection With Fast Flux Cloud Computing." International Journal of Cloud Applications and Computing 10, no. 3 (2020): 17–53. http://dx.doi.org/10.4018/ijcac.2020070102.

Abstract:
A botnet refers to a set of compromised machines controlled distantly by an attacker. Botnets are considered the basis of numerous security threats around the world. Command and control (C&C) servers are the backbone of botnet communications, in which bots send a report to the botmaster, and the latter sends attack orders to those bots. Botnets are also categorized according to their C&C protocols, such as internet relay chat (IRC) and peer-to-peer (P2P) botnets. A domain name system (DNS) method known as fast-flux is used by bot herders to cover malicious botnet activities and increase the lifetime of malicious servers by quickly changing the IP addresses of the domain names over time. Several methods have been suggested to detect fast-flux domains. However, these methods achieve low detection accuracy, especially for zero-day domains. They also entail a significantly long detection time and consume high memory storage. In this survey, we present an overview of the various techniques used to detect fast-flux domains according to solution scopes, namely, host-based, router-based, DNS-based, and cloud computing techniques. This survey provides an understanding of the problem, its current solution space, and the future research directions expected.
30

Raju, Mr B. Ravi, S. Sai likhitha, N. Deepa, and S. Sushma. "Survey on Phishing Websites Detection using Machine Learning." International Journal for Research in Applied Science and Engineering Technology 10, no. 5 (2022): 2376–81. http://dx.doi.org/10.22214/ijraset.2022.42843.

Abstract:
Phishing is a widespread method of tricking unsuspecting people into disclosing personal information by using fake websites. Phishing website URLs are designed to steal personal information such as user names, passwords, and online banking activities. Phishers employ webpages that are visually and semantically identical to legitimate websites. As technology advances, phishing strategies have become more sophisticated, necessitating the use of anti-phishing measures to identify phishing. Machine learning is an effective method for combating phishing assaults. This study examines the features utilised in detection as well as machine learning-based detection approaches. Phishing is popular among attackers because it is easier to persuade someone to click on a malicious link that appears to be legitimate than it is to break through a computer's protection measures. The malicious links in the message body are made to look like they go to the faked organisation by utilising the spoofed organization's logos and other valid material. We'll go through the characteristics of phishing domains (also known as fraudulent domains), the qualities that distinguish them from real domains, why it's crucial to detect them, and how they can be discovered using machine learning and natural language processing techniques. Keywords: Phishing, personal information, machine learning, malicious links, and phishing domain characteristics are all terms that come up when people think of phishing.
31

Bubnov, Y. V., and N. N. Ivanov. "DGA domain detection and botnet prevention using Q-learning for POMDP." Doklady BGUIR 19, no. 2 (2021): 91–99. http://dx.doi.org/10.35596/1729-7648-2021-19-2-91-99.

Abstract:
An effective method for preventing the operation of computer network nodes for organizing a botnet is proposed. A botnet is a collection of devices connected via the Internet for the purpose of organizing DDoS attacks, stealing data, sending spam and other malicious actions. The described method implies the detection of generated domain names in DNS queries using a neural network with parallel organization of convolutional and bidirectional recurrent layers. The effectiveness of the method is based on the assumption that generated domain names are used to create a botnet for merging. Experiments confirm that the proposed neural network is superior in accuracy to existing counterparts on the UMUDGA dataset. The estimation of the quality of recognition of generated domain names using ROC analysis is calculated for a trained neural network. The article also formulates a model for controlling detectors using a partially observable Markov decision-making process to block infected nodes of a computer network. The search for the optimal policy for the formulated model by means of Q-learning of value agents is proposed. A comparative analysis of the average, minimum and maximum value of actions taken by agents in the process of interacting with the environment is carried out.
32

Anoop, Reddy Thatipalli, Aravamudu Preetham, Kartheek K., and Dennisan Aju. "Exploring and comparing various machine and deep learning technique algorithms to detect domain generation algorithms of malicious variants." Computer Science and Information Technologies 3, no. 2 (2022): 94–103. https://doi.org/10.11591/csit.v3i2.pp94-103.

Abstract:
Domain generation algorithm (DGA) is used as the main source of script in different groups of malware, which generates the domain names of points and will further be used for command-and-control servers. The security measures usually identify the malware but the domain name algorithms will be updating themselves in order to avoid the less efficient older security detection methods. The reason being the older detection methods do not use either the machine learning or deep learning algorithms to detect the DGAs. Thus, the impact of incorporating the machine learning and deep learning techniques to detect the DGA is well discussed. As a result, they can create a huge number of domains to avoid debar and henceforth, block the hackers and zombie systems with the older methods itself. The main purpose of this research work is to compare and analyse by implementing various machine learning algorithms that suit the respective dataset yielding better results. In this research paper, the obtained dataset is pre-processed and the respective data is processed by different machine learning algorithms such as random forest (RF), support vector machine (SVM), Naive Bayes classifier, H2O AutoML, convolutional neural network (CNN), long short-term memory neural network (LSTM) for the classification. It is observed and understood that the LSTM provides a better classification efficiency of 98% and the H2O AutoML method gives the least efficiency of 75%.
33

Berman, Daniel, Anna Buczak, Jeffrey Chavis, and Cherita Corbett. "A Survey of Deep Learning Methods for Cyber Security." Information 10, no. 4 (2019): 122. http://dx.doi.org/10.3390/info10040122.

Abstract:
This survey paper describes a literature review of deep learning (DL) methods for cyber security applications. A short tutorial-style description of each DL method is provided, including deep autoencoders, restricted Boltzmann machines, recurrent neural networks, generative adversarial networks, and several others. Then we discuss how each of the DL methods is used for security applications. We cover a broad array of attack types including malware, spam, insider threats, network intrusions, false data injection, and malicious domain names used by botnets.
36

Yang, Luhui, Jiangtao Zhai, Weiwei Liu, et al. "Detecting Word-Based Algorithmically Generated Domains Using Semantic Analysis." Symmetry 11, no. 2 (2019): 176. http://dx.doi.org/10.3390/sym11020176.

Abstract:
In highly sophisticated network attacks, command-and-control (C&C) servers always use domain generation algorithms (DGAs) to dynamically produce several candidate domains instead of static hard-coded lists of IP addresses or domain names. Distinguishing the domains generated by DGAs from the legitimate ones is critical for finding out the existence of malware or further locating the hidden attackers. The word-based DGAs disclosed in recent network attack events have shown significantly stronger stealthiness when compared with traditional character-based DGAs. In word-based DGAs, two or more words are randomly chosen from one or more specific dictionaries to form a dynamic domain; these regularly generated domains aim to mimic the characteristics of a legitimate domain. Existing DGA detection schemes, including the state-of-the-art one based on deep learning, still cannot find out these domains accurately while maintaining an acceptable false alarm rate. In this study, we exploit the inter-word and inter-domain correlations using semantic analysis approaches; word embedding and the part-of-speech are taken into consideration. Next, we propose a detection framework for word-based DGAs by incorporating the frequency distribution of the words and that of part-of-speech into the design of the feature set. Using an ensemble classifier constructed from Naive Bayes, Extra-Trees, and Logistic Regression, we benchmark the proposed scheme with malicious and legitimate domain samples extracted from public datasets. The experimental results show that the proposed scheme can achieve significantly higher detection accuracy for word-based DGAs when compared with three state-of-the-art DGA detection schemes.
37

Maia, Ricardo J. M., Dustin Ray, Sikha Pentyala, et al. "An end-to-end framework for private DGA detection as a service." PLOS ONE 19, no. 8 (2024): e0304476. http://dx.doi.org/10.1371/journal.pone.0304476.

Abstract:
Domain Generation Algorithms (DGAs) are used by malware to generate pseudorandom domain names to establish communication between infected bots and command and control servers. While DGAs can be detected by machine learning (ML) models with great accuracy, offering DGA detection as a service raises privacy concerns when requiring network administrators to disclose their DNS traffic to the service provider. The main scientific contribution of this paper is to propose the first end-to-end framework for privacy-preserving classification as a service of domain names into DGA (malicious) or non-DGA (benign) domains. Our framework achieves these goals by carefully designed protocols that combine two privacy-enhancing technologies (PETs), namely secure multi-party computation (MPC) and differential privacy (DP). Through MPC, our framework enables an enterprise network administrator to outsource the problem of classifying a DNS (Domain Name System) domain as DGA or non-DGA to an external organization without revealing any information about the domain name. Moreover, the service provider’s ML model used for DGA detection is never revealed to the network administrator. Furthermore, by using DP, we also ensure that the classification result cannot be used to learn information about individual entries of the training data. Finally, we leverage post-training float16 quantization of deep learning models in MPC to achieve efficient, secure DGA detection. We demonstrate that using quantization achieves a significant speed-up, resulting in a 23% to 42% reduction in inference runtime without reducing accuracy, using a three-party secure computation protocol tolerating one corruption. Previous solutions are not end-to-end private, do not provide differential privacy guarantees for the model’s outputs, and assume that model embeddings are publicly known. Our best protocol in terms of accuracy runs in about 0.22s.
38

Li, Runchuan, Shuhong Chen, Jiawei Yang, and Entao Luo. "Edge-Based Detection and Classification of Malicious Contents in Tor Darknet Using Machine Learning." Mobile Information Systems 2021 (November 22, 2021): 1–13. http://dx.doi.org/10.1155/2021/8072779.

Abstract:
With the increase of data in the network, the load of servers and communication links becomes heavier and heavier. Edge computing can alleviate this problem. Due to a sea of malicious contents in Darknet, it is of high research value to combine edge computing with content detection and analysis. Therefore, this paper illustrates an intelligent classification system based on machine learning and Scrapy that can quickly detect and judge the categories of services with malicious contents. Because of the nondisclosure and short survival time of Tor Darknet domain names, obtaining uniform resource locators (URLs) and resources of the network is challenging. In this paper, we focus on a network based on the Onion Router (Tor) anonymous communication system. We designed a crawler program to obtain the contents of the Tor network and label them into six classes. We also construct a dataset which contains URLs, categories, and keywords. Edge computing is used to judge the category of websites. The accuracy of the classifier based on a machine learning algorithm is as high as 89%. The classifier will be used in an operational system which can help researchers quickly obtain malicious contents and categorize hidden services.
39

Komalasari, Dinny, Tri Basuki Kurniawan, Deshinta Arrova Dewi, Mohd Zaki Zakaria, Zubaile Abdullah, and Alde Alanda. "Phishing Domain Detection Using Machine Learning Algorithms." International Journal on Advanced Science, Engineering and Information Technology 15, no. 1 (2025): 318–27. https://doi.org/10.18517/ijaseit.15.1.12553.

Abstract:
Phishing, a prevalent cyber threat, continues to jeopardize sensitive information by exploiting the vulnerabilities of digital platforms. This research investigates the escalating danger of phishing attacks, focusing on the creation of deceptive websites known as phishing domains. Leveraging machine learning algorithms, particularly supervised and unsupervised learning techniques, the study aims to proactively identify and classify these malicious domains by analyzing diverse factors like domain names, online content, SSL certificates, and historical data. The proposed solution involves the development of prediction models using decision trees, random forests, support vector machines, and Gradient Boosting, with the latter exhibiting the highest accuracy at 92%. The system assigns risk scores to domains based on properties such as registration details and SSL certificate validity, facilitating the real-time identification of potential phishing activities. The research addresses the critical need for data security in the face of phishing threats affecting individuals and businesses, providing a robust defense mechanism against evolving cyber threats. Recommendations for continuous model training, regular updates, diversification of dataset sources, and integration with existing security infrastructure aim to enhance the system's adaptability and resilience in countering emerging phishing threats. Overall, this study contributes to ongoing efforts in cybersecurity, offering a proactive defense mechanism against the pervasive and evolving challenges posed by phishing attacks.
40

Abu Al-Haija, Qasem, Manar Alohaly, and Ammar Odeh. "A Lightweight Double-Stage Scheme to Identify Malicious DNS over HTTPS Traffic Using a Hybrid Learning Approach." Sensors 23, no. 7 (2023): 3489. http://dx.doi.org/10.3390/s23073489.

Abstract:
The Domain Name System (DNS) protocol essentially translates domain names to IP addresses, enabling browsers to load and utilize Internet resources. Despite its major role, DNS is vulnerable to various security loopholes that attackers have continually abused. Therefore, delivering secure DNS traffic has become challenging since attackers use advanced and fast malicious information-stealing approaches. To overcome DNS vulnerabilities, the DNS over HTTPS (DoH) protocol was introduced to improve the security of the DNS protocol by encrypting the DNS traffic and communicating it over a covert network channel. This paper proposes a lightweight, double-stage scheme to identify malicious DoH traffic using a hybrid learning approach. The system comprises two layers. At the first layer, the traffic is examined using random fine trees (RF) and identified as DoH traffic or non-DoH traffic. At the second layer, the DoH traffic is further investigated using Adaboost trees (ADT) and identified as benign DoH or malicious DoH. Specifically, the proposed system is lightweight since it works with the least number of features (using only six out of thirty-three features) selected using principal component analysis (PCA) and minimizes the number of samples produced using a random under-sampling (RUS) approach. The experimental evaluation reported a high-performance system with a predictive accuracy of 99.4% and 100% and a predictive overhead of 0.83 µs and 2.27 µs for layer one and layer two, respectively. Hence, the reported results are superior and surpass existing models, given that our proposed model uses only 18% of the feature set and 17% of the sample set, distributed in balanced classes.
41

Aslin, Sushmitha R. "Phishing attack detection using gradient boosting." i-manager's Journal on Digital Forensics & Cyber Security 2, no. 1 (2024): 33. http://dx.doi.org/10.26634/jdf.2.1.20840.

Abstract:
Phishing is a prevalent cyber attack that uses deceptive websites to trick individuals into revealing personal information. These sites mimic legitimate ones to steal data such as usernames, passwords, and financial details. Detecting phishing is crucial, and machine learning algorithms are effective tools for this task. Attackers favor phishing due to its effectiveness in tricking victims with authentic-looking yet malicious links, which can breach security measures. This method employs machine learning to innovate phishing website detection. However, attackers can manipulate features like HTML, DOM, and URLs using web scraping and scripting languages. A new approach using machine learning classifiers tackles these threats by analyzing internet URLs and domain names. A dataset sourced from globally recognized intelligence services and organizations facilitates streamlined feature extraction, reducing processing overhead by prioritizing URL and domain name traits. The Gradient Boosting Classifier is used on an 11,055-instance dataset with thirty-two features to classify phishing URLs, demonstrating superior accuracy compared to methods like Random Forest. Gradient boosting is highly effective across various machine learning tasks, leveraging aggregated weak learners such as decision trees for strong predictive accuracy. Its suitability for handling imbalanced datasets makes it particularly effective for phishing detection, which is crucial for distinguishing between legitimate and malicious URLs. This method enhances accuracy by extracting and comparing distinct characteristics of legitimate and phishing URLs. By focusing on URL and domain name attributes, a more effective approach to identifying phishing attempts in cybersecurity is proposed.
42

Yan, Guanghua, Qiang Li, Dong Guo, and Bing Li. "AULD: Large Scale Suspicious DNS Activities Detection via Unsupervised Learning in Advanced Persistent Threats." Sensors 19, no. 14 (2019): 3180. http://dx.doi.org/10.3390/s19143180.

Abstract:
In recent years, sensors in the Internet of things have been commonly used in human life. APT (Advanced Persistent Threats) has caused serious damage to network security and the sensors play an important role in the attack process. For a long time, attackers infiltrate, attack, conceal, spread, and steal information of target groups through the compound use of various attacking means, while existing security measures based on single-time nodes cannot defend against such attacks. Attackers often exploit the sensors’ vulnerabilities to attack targets because the security level of the sensors is relatively low when compared with that of the host. We can find APT attacks by checking the suspicious domains generated at different APT attack stages, since every APT attack has to use DNS to communicate. Although this method works, two challenges still exist: (1) the detection method needs to check large-scale log data; (2) the small number of attacking samples limits conventional supervised learning. This paper proposes an APT detection framework AULD (Advanced Persistent Threats Unsupervised Learning Detection) to detect suspicious domains in APT attacks by using unsupervised learning. We extract ten important features from the host, domain name, and time from a large number of DNS log data. Later, we get the suspicious cluster by performing unsupervised learning. We put all of the domains in the cluster into the list of malicious domains. We collected 1,584,225,274 DNS records from our university network. The experiments show that AULD detected all of the attacking samples and that AULD can effectively detect the suspicious domain names in APT attacks.
43

Zou, Futai, Siyu Zhang, Weixiong Rao, and Ping Yi. "Detecting Malware Based on DNS Graph Mining." International Journal of Distributed Sensor Networks 2015 (2015): 1–12. http://dx.doi.org/10.1155/2015/102687.

Abstract:
Malware remains a major threat to today's Internet. In this paper, we propose a DNS graph mining-based malware detection approach. A DNS graph is composed of DNS nodes, which represent server IPs, client IPs, and queried domain names in the process of DNS resolution. After the graph construction, we next transform the problem of malware detection to the graph mining task of inferring graph nodes’ reputation scores using the belief propagation algorithm. The nodes with lower reputation scores are inferred as those infected by malware with higher probability. For demonstration, we evaluate the proposed malware detection approach with a real-world dataset. Our real-world dataset is collected from campus DNS servers for three months and we built a DNS graph consisting of 19,340,820 vertices and 24,277,564 edges. On the graph, we achieve a true positive rate of 80.63% with a false positive rate of 0.023%. With a false positive rate of 1.20%, the true positive rate was improved to 95.66%. We detected 88,592 hosts infected by malware or C&C servers, accounting for the percentage of 5.47% among all hosts. Meanwhile, 117,971 domains are considered to be related to malicious activities, accounting for 1.5% among all domains. The results indicate that our method is efficient and effective in detecting malware.
44

Kamalov, Bulat R., and Marina V. Tumbinskaya. "Software for detecting “hidden miners” in a browser environment." Journal Of Applied Informatics 18, no. 1 (2023): 96–110. http://dx.doi.org/10.37791/2687-0649-2023-18-1-96-110.

Abstract:
Currently, a new type of information security threat is spreading – hidden mining, which uses the computing resources of users through browsers. Malicious software based on WebAssembly files uses, without authorization, the computing resources of users of computer systems. The existing methods for detecting “hidden miners” in the browser environment are based either on dynamic analysis algorithms, which, however, have a number of limitations (for example, the malicious software for hidden mining is required to work for a certain period of time, and they are characterized by a large number of false positives), or on browser extension algorithms that use blacklists to prevent unauthorized access to the user’s browser environment; however, attackers often change their domain names, etc. The relevance of using special protection tools against browser-based cryptominers is beyond doubt. The purpose of this study is to increase the level of security of the browser environment of users of computer systems. Achieving this goal is possible by solving the main task – the timely automated detection of “hidden miners” in the browser environment and the prevention of unauthorized mining. The article describes software that does not depend on the browser or operating system used, is resistant to attempts to circumvent protection by intruders, will allow users to reliably recognize “hidden miners”, and increase the level of information security of a computer system. The software is based on classification algorithms implemented on the basis of a convolutional neural network. The results of the study and experimental data showed that as a result of testing the software, the recognition accuracy of “hidden miners” in the browser environment is 91.37%.
45

T, Ms MADHU, Ms MONICA M, and Ms SHYMA S. "URL BASED PHISHING DETECTION." International Scientific Journal of Engineering and Management 04, no. 01 (2025): 1–6. https://doi.org/10.55041/isjem02220.

Abstract:
Phishing attacks, which deceive users into revealing sensitive information by mimicking legitimate websites, pose a growing threat in the digital age. To address this challenge, we propose a machine learning-based system for detecting phishing URLs. The system uses logistic regression in conjunction with TF-IDF (Term Frequency-Inverse Document Frequency) vectorization to analyze and classify URLs as either legitimate or phishing. By identifying suspicious patterns in URL structures, such as unusual domain names, special characters, or deceptive keywords, the model effectively predicts whether a given URL is malicious. The detection system is deployed through a web interface built with Flask, allowing users to input URLs for real-time analysis. If a URL is flagged as phishing, the system provides an alert along with specific insights into the factors that led to the decision. Additionally, the system checks the URL against a database of known phishing websites, ensuring efficient recognition of already verified threats. This project provides an easy-to-use, scalable solution for combating phishing attacks by combining machine learning techniques with web integration. It aims to enhance online security for both individual users and organizations, offering a reliable tool to prevent phishing and protect sensitive information.
46

Ozmen, Muslum Ozgur, Mehmet Oguz Sakaoglu, Jackson Bizjak, et al. "Why Am I Seeing Double? An Investigation of Device Management Flaws in Voice Assistant Platforms." Proceedings on Privacy Enhancing Technologies 2025, no. 2 (2025): 719–33. https://doi.org/10.56553/popets-2025-0084.

Abstract:
In Voice Assistant (VA) platforms, when users add devices to their accounts and give voice commands, complex interactions occur between the devices, skills, VA clouds, and vendor clouds. These interactions are governed by the device management capabilities (DMC) of VA platforms, which rely on device names, types, and associated skills in the user account. Prior work studied vulnerabilities in specific VA components, such as hidden voice commands and bypassing skill vetting. However, the security and privacy implications of device management flaws have largely been unexplored. In this paper, we introduce DMC-Xplorer, a testing framework for the automated discovery of VA device management flaws. We first introduce VA description language (VDL), a new domain-specific language to create VA environments for testing, using VA and skill developer APIs. DMC-Xplorer then selects VA parameters (device names, types, vendors, actions, and skills) in a combinatorial approach and creates VA environments with VDL. It issues real voice commands to the environment via developer APIs and logs event traces. It validates the traces against three formal security properties that define the secure operation of VA platforms. Lastly, DMC-Xplorer identifies the root cause of property violations through intervention analysis to identify VA device management flaws. We exercised DMC-Xplorer on Amazon Alexa and Google Home and discovered two design flaws that can be exploited to launch four attacks. We show that malicious skills with default permissions can eavesdrop on privacy-sensitive device states, prevent users from controlling their devices, and disrupt the services on the VA cloud.
47

Zhuravchak, Danyil, Eduard Kiiko, and Valeriy Dudykevych. "Using EBPF to identify ransomware that use DGA DNS queries." Collection "Information Technology and Security" 11, no. 2 (2023): 166–74. http://dx.doi.org/10.20535/2411-1031.2023.11.2.293760.

Abstract:
In today's world, where the Internet has become an integral part of the functioning of government and corporate institutions, the integrity and availability of information are becoming a key issue for many organizations and individual users. The issue of protection against crypto viruses and attacks, in particular those using DGA (Domain Generation Algorithms), a method used by attackers to automatically generate domain names for client-server (Command & Control) communication in the DNS-based virus ecosystem, is particularly relevant, since the way DNS is used in modern computer networks makes such attacks difficult to detect and block. Given the growing number of attacks that use DGA, there is a need to develop new methods that are faster, can analyze large traffic flows in real time, and provide functionality for detecting and blocking them. eBPF (Extended Berkeley Packet Filter) is a modern tool that allows you to create small programs to monitor and analyze various aspects of the system in real time, including network traffic. These programs are executed directly in the operating system kernel and/or at the network card level. In this study, we consider the possibility of using eBPF to detect DGA activity in DNS traffic. The goal is to determine the effectiveness of real-time ransomware detection. We developed a ransomware analysis lab environment in which we developed eBPF-based modules, tested them, and simulated an attack. In addition, a cloud-based data analysis environment based on Splunk was set up, and rules for detecting a DGA attack were developed based on this analysis. This article presents the results of developing an eBPF-based program for analyzing DNS traffic, conducting DGA attacks, and methods for detecting them. These results can be an important contribution to the development of strategies to protect against malicious attacks in the network.
48

Kolli, Chandra Sekhar, Nihar M. Ranjan, Dharani Kumar Talapula, Vikram S. Gawali, and Siddhartha Sankar Biswas. "Multiverse fractional calculus based hybrid deep learning and fusion approach for detecting malicious behavior in cloud computing environment." Multiagent and Grid Systems 18, no. 3-4 (2023): 193–217. http://dx.doi.org/10.3233/mgs-220214.

Abstract:
The tremendous development and rapid evolution in computing advancements have urged a lot of organizations to expand their data as well as computational needs. Such services offer security concepts like confidentiality, integrity, and availability. Thus, a highly secured domain is the fundamental need of cloud environments. In addition, security breaches are also growing equally in the cloud because of the sophisticated services of the cloud, which cannot be mitigated efficiently through firewall rules and packet filtering methods. In order to mitigate the malicious attacks and to detect the malicious behavior with high detection accuracy, an effective strategy named Multiverse Fractional Calculus (MFC) based hybrid deep learning approach is proposed. Here, two network classifiers, namely Hierarchical Attention Network (HAN) and Random Multimodel Deep Learning (RMDL), are employed to detect the presence of malicious behavior. The network classifier is trained by exploiting the proposed MFC, which is an integration of multi-verse optimizer and fractional calculus. The proposed MFC-based hybrid deep learning approach has attained superior results with utmost testing sensitivity, accuracy, and specificity of 0.949, 0.939, and 0.947.
49

Razaque, Abdul, Bandar Alotaibi, Munif Alotaibi, Shujaat Hussain, Aziz Alotaibi, and Vladimir Jotsov. "Clickbait Detection Using Deep Recurrent Neural Network." Applied Sciences 12, no. 1 (2022): 504. http://dx.doi.org/10.3390/app12010504.

Abstract:
People who use social networks often fall prey to clickbait, which is commonly exploited by scammers. The scammer attempts to create a striking headline that attracts the majority of users to click an attached link. Users who follow the link can be redirected to a fraudulent resource, where their personal data are easily extracted. To solve this problem, a novel browser extension named ClickBaitSecurity is proposed, which helps to evaluate the security of a link. The novel extension is based on the legitimate and illegitimate list search (LILS) algorithm and the domain rating check (DRC) algorithm. Both of these algorithms incorporate binary search features to detect malicious content more quickly and more efficiently. Furthermore, ClickBaitSecurity leverages the features of a deep recurrent neural network (RNN). The proposed ClickBaitSecurity solution has greater accuracy in detecting malicious and safe links compared to existing solutions.
50

Wu, Bozhi, Sen Chen, Cuiyun Gao, et al. "Why an Android App Is Classified as Malware." ACM Transactions on Software Engineering and Methodology 30, no. 2 (2021): 1–29. http://dx.doi.org/10.1145/3423096.

Abstract:
Machine learning (ML)-based approaches are considered one of the most promising techniques for Android malware detection and have achieved high accuracy by leveraging commonly used features. In practice, most of the ML classifications only provide a binary label to mobile users and app security analysts. However, stakeholders in both academia and industry are more interested in the reason why apps are classified as malicious. This belongs to the research area of interpretable ML but in a specific research domain (i.e., mobile malware detection). Although several interpretable ML methods have been exhibited to explain the final classification results in many cutting-edge Artificial Intelligence-based research fields, until now there has been no study interpreting why an app is classified as malware or unveiling the domain-specific challenges. In this article, to fill this gap, we propose a novel and interpretable ML-based approach (named XMal) to classify malware with high accuracy and explain the classification result at the same time. (1) The first classification phase of XMal hinges on a multi-layer perceptron and an attention mechanism and also pinpoints the key features most related to the classification result. (2) The second interpreting phase aims at automatically producing natural language descriptions to interpret the core malicious behaviors within apps. We evaluate the behavior description results by leveraging a human study and an in-depth quantitative analysis. Moreover, we further compare XMal with the existing interpretable ML-based methods (i.e., Drebin and LIME) to demonstrate the effectiveness of XMal. We find that XMal is able to reveal the malicious behaviors more accurately. Additionally, our experiments show that XMal can also interpret the reason why some samples are misclassified by ML classifiers. Our study peeks into interpretable ML through the research of Android malware detection and analysis.