WCSE 2017
ISBN: 978-981-11-3671-9 DOI: 10.18178/wcse.2017.06.017

Evaluation of non-Randomness DGA Detection Method to Combat Ransomware

Marko Niinimaki, Reijer Idema

Abstract— Since 2009, ransomware has plagued computer users. By analysing ransomware’s communication with its controller, researchers have found out patterns used in naming the controller’s domain. These names are generated by a Domain Generation Algorithm (DGA). It has been proposed that DGA generated domain names appear more random than actual domains registered for a legitimate purpose. If this was the case, we could block communication to such domains. In this paper, we analyse the feasibility of detecting DGA generated domain names based on their randomness. We compare a large (800 000) list of actual DGA domain names with (i) a list of most popular domains in the internet and (ii) a list of actual queries to a domain name service. Unfortunately, it seems very difficult to block communication with apparently random domain names. Though some DGA generated names are apparently random, the perceived randomness of both popular domain names and actual queried names is often greater than that of DGA domains.

Index Terms— DGA, Ransomware, Randomness.

Marko Niinimaki
Department of Computer Science, Webster University, THAILAND
Reijer Idema
JOC Consulting, Liberty Tower fl. 12A, THAILAND


Cite: Marko Niinimaki, Reijer Idema, "Evaluation of non-Randomness DGA Detection Method to Combat Ransomware," Proceedings of 2017 the 7th International Workshop on Computer Science and Engineering, pp. 100-104, Beijing, 25-27 June, 2017.