Helix: DGA Domain Embeddings for Tracking and Exploring Botnets

Lior Sidi; Yisroel Mirsky; Asaf Nadler; Yuval Elovici; Asaf Shabtai

doi:10.1145/3340531.3416022

Helix: DGA Domain Embeddings for Tracking and Exploring Botnets

Lior Sidi, Yisroel Mirsky, Asaf Nadler, Yuval Elovici, Asaf Shabtai

Department of Software and Information Systems Engineering

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

3 Scopus citations

Abstract

Botnets have been using domain generation algorithms (DGA) for over a decade to covertly and robustly identify the domain name of their command and control servers (C&C). Recent advancements in DGA detection has motivated botnet owners to rapidly alter the C&C domain and use adversarial techniques to evade detection. As a result, it has become increasingly difficult to track botnets in DNS traffic. In this paper, we present Helix, a method for tracking and exploring botnets. Helix uses a spatio-temporal deep neural network autoencoder to convert domains into numerical vectors (embeddings) which capture the DGA and seed used to create the domain. This is made possible by leveraging both convolutional (spatial) and recurrent (temporal) layers, and by using techniques such as attention mechanisms and highways. Furthermore, by using an autoencoder architecture, the network can be trained in an unsupervised manner (no labeling of data) which makes the system practical for real world deployments. In our evaluation, we found that Helix can track botnet campaigns, distinguish between DGA families and seeds, and can identify domains generated using the latest adversarial machine learning techniques. Helix is currently being used to track botnets in one of the world's largest Internet Service Providers (ISP), and we include some of the ISP's analysis work using our method.

Original language	English
Title of host publication	CIKM 2020 - Proceedings of the 29th ACM International Conference on Information and Knowledge Management
Publisher	Association for Computing Machinery
Pages	2741-2748
Number of pages	8
ISBN (Electronic)	9781450368599
DOIs	https://doi.org/10.1145/3340531.3416022
State	Published - 19 Oct 2020
Event	29th ACM International Conference on Information and Knowledge Management, CIKM 2020 - Virtual, Online, Ireland Duration: 19 Oct 2020 → 23 Oct 2020

Publication series

Name	International Conference on Information and Knowledge Management, Proceedings

Conference

Conference	29th ACM International Conference on Information and Knowledge Management, CIKM 2020
Country/Territory	Ireland
City	Virtual, Online
Period	19/10/20 → 23/10/20

Keywords

autoencoder
botnet
cnn
dga
dns
embedding
lstm

Access to Document

10.1145/3340531.3416022

Cite this

Sidi, L., Mirsky, Y., Nadler, A., Elovici, Y., & Shabtai, A. (2020). Helix: DGA Domain Embeddings for Tracking and Exploring Botnets. In CIKM 2020 - Proceedings of the 29th ACM International Conference on Information and Knowledge Management (pp. 2741-2748). (International Conference on Information and Knowledge Management, Proceedings). Association for Computing Machinery. https://doi.org/10.1145/3340531.3416022

Sidi, Lior ; Mirsky, Yisroel ; Nadler, Asaf ; Elovici, Yuval ; Shabtai, Asaf. / Helix : DGA Domain Embeddings for Tracking and Exploring Botnets. CIKM 2020 - Proceedings of the 29th ACM International Conference on Information and Knowledge Management. Association for Computing Machinery, 2020. pp. 2741-2748 (International Conference on Information and Knowledge Management, Proceedings).

@inproceedings{97ebf5e0edf243e7971f7c2780d8cb51,

title = "Helix: DGA Domain Embeddings for Tracking and Exploring Botnets",

abstract = "Botnets have been using domain generation algorithms (DGA) for over a decade to covertly and robustly identify the domain name of their command and control servers (C&C). Recent advancements in DGA detection has motivated botnet owners to rapidly alter the C&C domain and use adversarial techniques to evade detection. As a result, it has become increasingly difficult to track botnets in DNS traffic. In this paper, we present Helix, a method for tracking and exploring botnets. Helix uses a spatio-temporal deep neural network autoencoder to convert domains into numerical vectors (embeddings) which capture the DGA and seed used to create the domain. This is made possible by leveraging both convolutional (spatial) and recurrent (temporal) layers, and by using techniques such as attention mechanisms and highways. Furthermore, by using an autoencoder architecture, the network can be trained in an unsupervised manner (no labeling of data) which makes the system practical for real world deployments. In our evaluation, we found that Helix can track botnet campaigns, distinguish between DGA families and seeds, and can identify domains generated using the latest adversarial machine learning techniques. Helix is currently being used to track botnets in one of the world's largest Internet Service Providers (ISP), and we include some of the ISP's analysis work using our method.",

keywords = "autoencoder, botnet, cnn, dga, dns, embedding, lstm",

author = "Lior Sidi and Yisroel Mirsky and Asaf Nadler and Yuval Elovici and Asaf Shabtai",

note = "Publisher Copyright: {\textcopyright} 2020 ACM.; 29th ACM International Conference on Information and Knowledge Management, CIKM 2020 ; Conference date: 19-10-2020 Through 23-10-2020",

year = "2020",

month = oct,

day = "19",

doi = "10.1145/3340531.3416022",

language = "English",

series = "International Conference on Information and Knowledge Management, Proceedings",

publisher = "Association for Computing Machinery",

pages = "2741--2748",

booktitle = "CIKM 2020 - Proceedings of the 29th ACM International Conference on Information and Knowledge Management",

}

Sidi, L, Mirsky, Y, Nadler, A, Elovici, Y & Shabtai, A 2020, Helix: DGA Domain Embeddings for Tracking and Exploring Botnets. in CIKM 2020 - Proceedings of the 29th ACM International Conference on Information and Knowledge Management. International Conference on Information and Knowledge Management, Proceedings, Association for Computing Machinery, pp. 2741-2748, 29th ACM International Conference on Information and Knowledge Management, CIKM 2020, Virtual, Online, Ireland, 19/10/20. https://doi.org/10.1145/3340531.3416022

Helix : DGA Domain Embeddings for Tracking and Exploring Botnets. / Sidi, Lior; Mirsky, Yisroel; Nadler, Asaf; Elovici, Yuval ; Shabtai, Asaf.

CIKM 2020 - Proceedings of the 29th ACM International Conference on Information and Knowledge Management. Association for Computing Machinery, 2020. p. 2741-2748 (International Conference on Information and Knowledge Management, Proceedings).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Helix

T2 - 29th ACM International Conference on Information and Knowledge Management, CIKM 2020

AU - Sidi, Lior

AU - Mirsky, Yisroel

AU - Nadler, Asaf

AU - Elovici, Yuval

AU - Shabtai, Asaf

PY - 2020/10/19

Y1 - 2020/10/19

N2 - Botnets have been using domain generation algorithms (DGA) for over a decade to covertly and robustly identify the domain name of their command and control servers (C&C). Recent advancements in DGA detection has motivated botnet owners to rapidly alter the C&C domain and use adversarial techniques to evade detection. As a result, it has become increasingly difficult to track botnets in DNS traffic. In this paper, we present Helix, a method for tracking and exploring botnets. Helix uses a spatio-temporal deep neural network autoencoder to convert domains into numerical vectors (embeddings) which capture the DGA and seed used to create the domain. This is made possible by leveraging both convolutional (spatial) and recurrent (temporal) layers, and by using techniques such as attention mechanisms and highways. Furthermore, by using an autoencoder architecture, the network can be trained in an unsupervised manner (no labeling of data) which makes the system practical for real world deployments. In our evaluation, we found that Helix can track botnet campaigns, distinguish between DGA families and seeds, and can identify domains generated using the latest adversarial machine learning techniques. Helix is currently being used to track botnets in one of the world's largest Internet Service Providers (ISP), and we include some of the ISP's analysis work using our method.

AB - Botnets have been using domain generation algorithms (DGA) for over a decade to covertly and robustly identify the domain name of their command and control servers (C&C). Recent advancements in DGA detection has motivated botnet owners to rapidly alter the C&C domain and use adversarial techniques to evade detection. As a result, it has become increasingly difficult to track botnets in DNS traffic. In this paper, we present Helix, a method for tracking and exploring botnets. Helix uses a spatio-temporal deep neural network autoencoder to convert domains into numerical vectors (embeddings) which capture the DGA and seed used to create the domain. This is made possible by leveraging both convolutional (spatial) and recurrent (temporal) layers, and by using techniques such as attention mechanisms and highways. Furthermore, by using an autoencoder architecture, the network can be trained in an unsupervised manner (no labeling of data) which makes the system practical for real world deployments. In our evaluation, we found that Helix can track botnet campaigns, distinguish between DGA families and seeds, and can identify domains generated using the latest adversarial machine learning techniques. Helix is currently being used to track botnets in one of the world's largest Internet Service Providers (ISP), and we include some of the ISP's analysis work using our method.

KW - autoencoder

KW - botnet

KW - cnn

KW - dga

KW - dns

KW - embedding

KW - lstm

UR - http://www.scopus.com/inward/record.url?scp=85095864896&partnerID=8YFLogxK

U2 - 10.1145/3340531.3416022

DO - 10.1145/3340531.3416022

M3 - Conference contribution

AN - SCOPUS:85095864896

T3 - International Conference on Information and Knowledge Management, Proceedings

SP - 2741

EP - 2748

BT - CIKM 2020 - Proceedings of the 29th ACM International Conference on Information and Knowledge Management

PB - Association for Computing Machinery

Y2 - 19 October 2020 through 23 October 2020

ER -

Sidi L, Mirsky Y, Nadler A, Elovici Y , Shabtai A. Helix: DGA Domain Embeddings for Tracking and Exploring Botnets. In CIKM 2020 - Proceedings of the 29th ACM International Conference on Information and Knowledge Management. Association for Computing Machinery. 2020. p. 2741-2748. (International Conference on Information and Knowledge Management, Proceedings). https://doi.org/10.1145/3340531.3416022

Helix: DGA Domain Embeddings for Tracking and Exploring Botnets

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this