Title of invention: Classification of malware generated domain names
Abstract: Techniques are presented herein that combine a host-based analysis of an executable file on a host computer with a network-based analysis, i.e., an analysis of domain names to detect malware-generated domain names that are used by malicious executable files to establish malicious network connections. A server receives information from a host computer about an executable file that, when executed on the host computer, initiates a network connection. The server also receives information about the network connection itself. The server analyzes the information about the executable file to determine whether the executable file has a malicious disposition. Depending on the disposition of the executable file, the server analyzes the information about the network connection and determines whether the network connection is malicious.
Publication number: US9602525(B2); Publication date: 2017.03.21
Application number: US201514633805; Filing date: 2015.02.27
Applicant: Cisco Technology, Inc.; Inventors: Qian Jiang; O'Donnell Adam J.; Frank Paul; Mullen Patrick
Classification: G06F12/14; H04L29/06; Main classification: G06F12/14
Agency: Edell, Shapiro &amp; Finnan, LLC; Agent: Edell, Shapiro &amp; Finnan, LLC
Main claim: 1. A method comprising: receiving information about an executable file residing on a host computer that, when executed on the host computer, initiates a network connection; receiving information about the network connection, including a domain name included in network traffic associated with the network connection; analyzing the information about the executable file to determine whether the executable file has an unknown disposition; upon determining that the executable file has the unknown disposition, analyzing the information about the network connection to determine whether the network connection is malicious based on whether the domain name is generated by a domain generation algorithm; and classifying the network connection as being malicious when it is determined that the domain name is generated by the domain generation algorithm.
Address: San Jose, CA, US