Devil’s DGA
Abstract
Botnets are collections of devices that have been infected with malware granting a cyber
attacker control over each device. Botnets are primarily operated over the internet, where
the infected devices contact the attacker to receive instructions. These botnets can cause
massive problems not only for the owners of the infected devices, but for anyone who uses
the internet. Network detection algorithms have shown promise in previous work as a possible
means of combating botnets. These detection algorithms search for common botnet activity such
as domain generation algorithms (DGAs), which botnets use to find the web address through
which to contact the attacker. In this paper we contest one of these network detection
algorithms. Our proposal is based on the idea of a Devil’s Advocate: a person, or in this case
a machine learning algorithm, that contests an idea in order to test its strength. Thus, we
propose Devil’s DGA, a deep reinforcement learning algorithm that searches for a modification
the attacker could make to avoid a network detection algorithm. Devil’s DGA takes a known DGA
and modifies the algorithm’s features to create a new DGA that can evade the detection
algorithm. We show that Devil’s DGA is able to drive detection rates as low as 1.1%, and that
it finds a means of avoiding detection in less than 28 seconds.
Description
Thesis (M.S.)-- Wichita State University, College of Engineering, Dept. of Electrical Engineering and Computer Science