域生成算法

攻击者可以使用域生成算法(DGA）来程序生成用于命令和控制通信以及其他用途（例如恶意应用程序分发）的域名。

DGA增加了防御者阻止，跟踪或接管命令和控制通道的难度，因为恶意软件可能会检查成千上万个域，以检查指令。

Adversaries may use Domain Generation Algorithms (DGAs) to procedurally generate domain names for command and control communication, and other uses such as malicious application distribution.

DGAs increase the difficulty for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.

标签

ID编号： T1520

战术类型： 事后访问设备

策略： 命令与控制

平台： Android，iOS

程序示例

名称	描述
Rotexy(S0411)	Rotexy(S0411) 程序性地生成用于命令和控制通信的子域。

Name	Description
Rotexy(S0411)	Rotexy(S0411) procedurally generates subdomains for command and control communication.

缓解措施

这种攻击技术无法通过预防性控制轻松缓解，因为它基于滥用系统功能。

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

检测

由于不同DGA算法的数量，恶意软件家族的不断发展以及算法复杂性的提高，检测动态生成的域可能具有挑战性。有多种方法可以检测伪随机生成的域名，包括使用频率分析，马尔可夫链，熵，字典单词比例，元音与其他字符的比例等。 CDN域可能会由于其域名格式而触发这些检测。除了基于名称检测DGA域外，另一种用于检测可疑域的更通用方法是检查最近注册的名称或访问很少的域。

Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.[2] CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.