IEICE Transactions on Information and Systems
Online ISSN : 1745-1361
Print ISSN : 0916-8532

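A final published version of this article is available. Please refer to the final published version.
When citing, please also cite the final published version.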

DGA-based Malware Communication Detection from DoH Traffic Using Hierarchical Machine Learning Analysis
Rikima MITSUHASHI, Yong JIN, Katsuyoshi IIDA, Yoshiaki TAKAI
Journal, free access, advance online publication

Article ID: 2024NTP0004

Abstract

Encrypted domain name resolution is increasingly being used to protect the privacy of Internet users, but it may prevent network administrators from detecting malicious communications. Unfortunately, DGA-based malware can exploit it to hide the domain names it generates, so network administrators need a monitoring framework to maintain network security. In this paper, we propose a novel malware detection system using hierarchical machine learning analysis, which incorporates machine learning models, including XGBoost, LightGBM, CatBoost, and RGF. The evaluation results confirm that the proposed system can detect DGA-based malware communication generated by PadCrypt, Sisron, Tinba, and Zloader with 99.19% accuracy. The results show that the proposed system can detect DGA-based malware communications from DoH traffic with sufficient accuracy to support network administrators.

© 2024 The Institute of Electronics, Information and Communication Engineers