Devil’s DGA

Abstract

Botnets are a collection of devices that have been infected with malware to grant control to a cyber attacker over that device. Botnets are primarily operated over the internet, where the devices can contact the cyber attacker to receive instructions. The existence of these botnets can cause massive issues for not only the owner of the device, but for anyone who uses the internet. Network detection algorithms have shown promise in previous works as a possible solution for combating botnets. These detection algorithms search for common botnet activity like domain generation algorithms (DGA) which botnets use to find the web address to contact the cyber attacker. In this paper we will contest one of these network detection algorithms. Our proposal is based on the idea of a Devil’s Advocate. A Devil’s Advocate is a person, or machine learning algorithm in this case, that contests an idea in order to test the strength of the idea. Thus, we propose Devil’s DGA, a Deep Reinforcement Algorithm that searches for a possible modification the attacker can make to avoid a network detection algorithm. Devil’s DGA takes a known DGA and modifies the algorithm’s features to create a new DGA that can avoid detection algorithms. We show that Devil’s DGA is also able to achieve detection rates as low as 1.1% Devil’s DGA is also able to find a means to avoid detection in less than 28 seconds.