WCSE 2017
ISBN: 978-981-11-3671-9 DOI: 10.18178/wcse.2017.06.017

Evaluation of non-Randomness DGA Detection Method to Combat Ransomware

Marko Niinimaki, Reijer Idema

Abstract— Since 2009, ransomware has plagued computer users. By analysing ransomware’s communication with its controller, researchers have found patterns in how the controller’s domain is named. These names are generated by a Domain Generation Algorithm (DGA). It has been proposed that DGA-generated domain names appear more random than actual domains registered for a legitimate purpose. If this were the case, we could block communication to such domains. In this paper, we analyse the feasibility of detecting DGA-generated domain names based on their randomness. We compare a large list (800 000) of actual DGA domain names with (i) a list of the most popular domains on the internet and (ii) a list of actual queries to a domain name service. Unfortunately, it seems very difficult to block communication with apparently random domain names. Though some DGA-generated names are apparently random, the perceived randomness of both popular domain names and actual queried names is often greater than that of DGA domains.

Index Terms— DGA, Ransomware, Randomness.

Marko Niinimaki
Department of Computer Science, Webster University, THAILAND
Reijer Idema
JOC Consulting, Liberty Tower fl. 12A, THAILAND

Cite: Marko Niinimaki, Reijer Idema, "Evaluation of non-Randomness DGA Detection Method to Combat Ransomware," Proceedings of 2017 the 7th International Workshop on Computer Science and Engineering, pp. 100-104, Beijing, 25-27 June, 2017.