LagProber: Detecting DGA-based malware by using query time lag of non-existent domains


Abstract

Domain Generation Algorithms (DGAs) have been adopted by various malware families to increase their resistance to blacklist-based techniques. Many previous approaches detect DGA-based malware from the lexical properties of the randomly generated domains. Unfortunately, attackers can adjust their DGAs to produce domains that mimic the character distribution of popular domains or dictionary words, and thus evade detection by these approaches. In this work, we develop an approach from a novel perspective, namely the query time lags of non-existent domains (NXDomains), to mitigate DGA-based malware without relying on lexical properties. The key insight is that, unlike benign hosts, hosts infected by the same malware family query a large number of NXDomains at characteristic time lags. We design a system, LagProber, that detects infected hosts by analyzing the distribution of these time lags. Our experiment on a week of real-world DNS traffic shows that LagProber detects infected hosts with a low false positive rate.
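To make the abstract's key insight concrete, the following is an added example and not the LagProber code from the paper. It profiles, per client, the time lags between successive NXDOMAIN responses and flags clients whose lags are both numerous and regular. The log line format, the use of the coefficient of variation as the dispersion statistic, the thresholds, and the sample log lines are all my own assumptions for illustration; the paper only states that the distribution of time lags is analyzed.

```python
"""Profile NXDomain query time lags per client from DNS log lines.

Added example, not code from the LagProber paper. The paper states only
that infected hosts query many NXDomains at characteristic time lags, so
the log format, the coefficient-of-variation score and the thresholds
below are assumptions made for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: "<unix_ts> <client_ip> <qname> <rcode>".
# 10.0.0.5 plays a host polling a DGA roughly every 30 s; 10.0.0.7 is a
# benign host whose typos and stale links produce irregular NXDomains;
# 10.0.0.9 produces too few NXDomains to be profiled at all.
SAMPLE_LOG = """\
1000.0 10.0.0.5 a1b2c3d4.com NXDOMAIN
1000.5 10.0.0.5 www.example.com NOERROR
1003.0 10.0.0.7 wwww.example.com NXDOMAIN
1004.2 10.0.0.7 exmaple.com NXDOMAIN
1030.1 10.0.0.5 q9w8e7r6.net NXDOMAIN
1059.9 10.0.0.5 zx8v7c6b.org NXDOMAIN
1090.2 10.0.0.5 m2n3b4v5.com NXDOMAIN
1100.0 10.0.0.9 old-host.example.net NXDOMAIN
1120.0 10.0.0.5 p0o9i8u7.net NXDOMAIN
1150.1 10.0.0.5 l5k4j3h2.org NXDOMAIN
1210.0 10.0.0.7 cdn.example.org NOERROR
1210.0 10.0.0.7 stale.example.org NXDOMAIN
1250.5 10.0.0.7 typo.exampel.com NXDOMAIN
1251.0 10.0.0.7 typo2.exampel.com NXDOMAIN
1400.0 10.0.0.9 gone.example.net NXDOMAIN
1500.0 10.0.0.7 another.exampel.com NXDOMAIN
"""


def parse_log(text):
    """Parse log lines into (timestamp, client_ip, qname, rcode) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, qname, rcode = line.split()
        records.append((float(ts), ip, qname, rcode))
    return records


def nxdomain_lags(records):
    """Return, per client, the lags between successive NXDOMAIN responses."""
    times = defaultdict(list)
    for ts, ip, _qname, rcode in records:
        if rcode == "NXDOMAIN":
            times[ip].append(ts)
    lags = {}
    for ip, ts_list in times.items():
        ts_list.sort()  # log order is not guaranteed to be chronological
        lags[ip] = [b - a for a, b in zip(ts_list, ts_list[1:])]
    return lags


def lag_profile(lags):
    """Summarise a lag list: count, mean lag and coefficient of variation.

    A low CV means the NXDomains arrive at a regular cadence, which is the
    behaviour the abstract attributes to DGA-infected hosts. Using CV as the
    regularity measure is an assumption of this example, not the paper's.
    """
    if len(lags) < 2:
        return {"count": len(lags), "mean": None, "cv": None}
    m = mean(lags)
    cv = pstdev(lags) / m if m > 0 else float("inf")
    return {"count": len(lags), "mean": m, "cv": cv}


def detect(records, min_nxdomains=5, max_cv=0.2):
    """Flag clients with many NXDomains arriving at a regular lag.

    min_nxdomains avoids scoring clients with too few samples; max_cv is
    the regularity threshold. Both values are illustrative assumptions.
    """
    flagged = {}
    for ip, lags in nxdomain_lags(records).items():
        if len(lags) + 1 < min_nxdomains:
            continue
        profile = lag_profile(lags)
        if profile["cv"] is not None and profile["cv"] <= max_cv:
            flagged[ip] = profile
    return flagged


if __name__ == "__main__":
    for ip, prof in detect(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {prof['count'] + 1} NXDomains, "
              f"mean lag {prof['mean']:.1f}s, cv {prof['cv']:.3f}")
```

On the constructed log only 10.0.0.5 is flagged: its five lags are all close to 30 s, so its CV is near zero, whereas the benign host's lags range from half a second to several minutes. The minimum-sample guard matters in practice: a host that resolved two stale names in quick succession would otherwise look perfectly "regular" on a single lag.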

Citation (APA)

Luo, X., Wang, L., Xu, Z., & An, W. (2018). LagProber: Detecting DGA-based malware by using query time lag of non-existent domains. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 11149 LNCS, pp. 41–56). Springer Verlag. https://doi.org/10.1007/978-3-030-01950-1_3
