Domainator: Detecting and Identifying DNS-Tunneling Malware Using Metadata Sequences


Research area: Safety

Conference: International Conference on Availability, Reliability and Security


Abstract

For a few years, malware with tunneling (or covert channel) capabilities has been on the rise. While malware research has led to several methods and innovations, the detection and differentiation of malware solely based on its DNS tunneling features is still in its infancy. Moreover, no work so far has used DNS tunneling traffic to gain knowledge of the actions currently being taken by the malware. In this paper, we present Domainator, an approach to detect and differentiate state-of-the-art malware and DNS tunneling tools without relying on trivial (but quickly altered) features such as “magic bytes” embedded into subdomains. Instead, we apply an analysis of sequential patterns to identify specific types of malware. We evaluate our approach with 7 real-world malware samples and tunneling tools and can identify the particular malware based on its DNS traffic. We further infer the rough behavior of the particular malware from its DNS tunneling artifacts. Finally, we compare Domainator with related methods.


Authors

Steffen Wendzel, Ulm University, Ulm, Germany

Denis Petrov, Worms University of Applied Sciences, Worms, Germany

Pascal Ruffing, Worms University of Applied Sciences, Worms, Germany

Paper information

Publication year: 2025
Citations: 0
Publishing country: Germany
Site: Springer