ABSTRACT

This chapter focuses on supervised and signature-based approaches and explains their limitations. It then discusses unsupervised techniques, which typically rely on the domain name system (DNS) traffic collected from a single network: linguistic and semantic features of the resolved and unresolved (NXDOMAIN) domains are extracted, the domains are clustered on those features, and each cluster is attributed to a specific bot. The chapter provides an exhaustive overview of state-of-the-art domain generation algorithm (DGA) detection methods. Among the different approaches, DNS-based analysis is one of the most suitable for obtaining quick responses, since it needs no file dumps and requires only the analysis of a small part of the network traffic. The proposed DGA detection algorithm has been deployed in aramis, a network security monitoring platform able to automatically identify a wide range of malware and attacks in near real time by monitoring a single network.
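The feature-extraction-and-clustering step the abstract describes, as an added worked example that is not code from the chapter or from aramis: a constructed resolver log with resolved and NXDOMAIN queries, a handful of linguistic features per second-level label (length, Shannon entropy, vowel ratio, digit ratio, longest consonant run), and a deterministic two-cluster k-means over the unresolved names. The function names, the feature set, the sample domains and the choice of k-means are assumptions made for this example; the chapter's actual features and clustering method may differ.

```python
"""Linguistic features over DNS query names plus a small clustering step.

Added example; not the chapter's or aramis' code. Sample log is constructed.
"""
import math
from collections import Counter

# Constructed sample of (query name, rcode) pairs, as a resolver log might record them.
SAMPLE_DNS_LOG = [
    ("www.example.com", "NOERROR"),
    ("mail.google.com", "NOERROR"),
    ("static.wikipedia.org", "NOERROR"),
    ("qwplmzbv7t4x.com", "NXDOMAIN"),   # DGA-like: no vowels, digits, long consonant runs
    ("hv7xqzpkm2tq.net", "NXDOMAIN"),
    ("rqpxzkvtw9m3.org", "NXDOMAIN"),
    ("zkx4pqvbm9tw.info", "NXDOMAIN"),
    ("pmz8qtvkx3rw.com", "NXDOMAIN"),
    ("typo-exmaple.com", "NXDOMAIN"),   # human typo, also unresolved
    ("intranet.local", "NXDOMAIN"),     # internal name leaking to a public resolver
]

VOWELS = set("aeiou")


def second_level_label(name):
    """Label left of the TLD. A real deployment would consult the Public Suffix List."""
    parts = name.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s):
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def longest_consonant_run(s):
    best = run = 0
    for ch in s:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def features(name):
    """(length, entropy, vowel ratio, digit ratio, longest consonant run) of the label."""
    label = second_level_label(name)
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    digit_ratio = sum(c.isdigit() for c in label) / len(label)
    return (len(label), shannon_entropy(label), vowel_ratio, digit_ratio,
            longest_consonant_run(label))


def normalise(vectors):
    """Min-max scale every feature to [0, 1] so no single unit dominates the distance."""
    dims = len(vectors[0])
    lo = [min(v[d] for v in vectors) for d in range(dims)]
    hi = [max(v[d] for v in vectors) for d in range(dims)]
    return [tuple((v[d] - lo[d]) / (hi[d] - lo[d]) if hi[d] > lo[d] else 0.0
                  for d in range(dims)) for v in vectors]


def distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans2(points, max_iter=100):
    """Two-cluster k-means seeded with the most distant pair, so the result is deterministic."""
    n = len(points)
    if n < 2:
        return [0] * n
    i0, j0 = max(((i, j) for i in range(n) for j in range(i + 1, n)),
                 key=lambda ij: distance(points[ij[0]], points[ij[1]]))
    centroids = [points[i0], points[j0]]
    labels = None
    for _ in range(max_iter):
        new_labels = [0 if distance(p, centroids[0]) <= distance(p, centroids[1]) else 1
                      for p in points]
        if new_labels == labels:
            break
        labels = new_labels
        for k in (0, 1):
            members = [p for p, lab in zip(points, labels) if lab == k]
            if members:
                centroids[k] = tuple(sum(m[d] for m in members) / len(members)
                                     for d in range(len(points[0])))
    return labels


def cluster_unresolved(dns_log):
    """Cluster NXDOMAIN names on linguistic features; returns (dga_like, other)."""
    names = [q for q, rcode in dns_log if rcode == "NXDOMAIN"]
    labels = kmeans2(normalise([features(q) for q in names]))
    clusters = {0: [], 1: []}
    for name, lab in zip(names, labels):
        clusters[lab].append(name)

    def mean_entropy(group):
        return (sum(shannon_entropy(second_level_label(q)) for q in group) / len(group)
                if group else 0.0)

    # The higher-entropy cluster is the DGA candidate; the other holds typos and leaks.
    dga, other = sorted(clusters.values(), key=mean_entropy, reverse=True)
    return dga, other


if __name__ == "__main__":
    dga, other = cluster_unresolved(SAMPLE_DNS_LOG)
    print("DGA-like:", dga)
    print("other unresolved:", other)
```

Only the unresolved names are clustered, which is the cheap part of the traffic the abstract refers to: no payloads, no file dumps, just query names and response codes. The example also shows why a single feature is not enough: a human typo and a leaked internal name are both NXDOMAIN, yet their vowel ratio and entropy keep them out of the DGA-like cluster.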