Detecting DGA Botnet based on Malware Behavior Analysis.

Khanh Nguyen Quoc, Tung Bui, Dong Le, Duc Tran, Toan Nguyen, Huu Trung Nguyen Nguyen

SoICT (2022)

Abstract
A DGA botnet uses a Domain Generation Algorithm to generate the domains used to establish connections between malware bots and malicious actors. It has become a serious threat to internet-connected systems. Detection of DGA botnets is a challenging task due to its complexity and performance issues when processing a great amount of data from real-time large-scale networks. In this paper, we propose and develop a DGA botnet detection method using the combination of the Long Short-Term Memory network (LSTM) and network traffic analysis. We also propose a set of rules that can be used for detecting various DGA malware behaviors. Our method recognizes even hard-to-detect dictionary DGAs such as suppobox and matsnu, while providing an F1-score of 0.9888.