Botnet detection: a system for identifying DGA-based botnets using LightGBM

Abstract

Botnets present a major challenge to detecting anomalies in domain generation algorithms (DGAs). Botmasters use DGAs to create numerous domain names to communicate with command-and-control servers, complicating the detection process. Traditional blacklisting methods struggle to effectively identify anomalous DGA domain names amid the vast number of randomly generated domains, leading to a greater risk of detection being evaded. The proliferation of DGA-based botnets has created an urgent need for robust detection methods. Various techniques and attributes have been utilised to categorise different DGA families, yet the dynamic nature of DGA domain names renders the current blacklisting algorithms ineffective. Additionally, the dynamic characteristics of DGAs further complicate classification, emphasising the need for machine learning models to improve detection accuracy and enhance cyber defence. This study proposes a robust solution to address the challenges posed by DGA-based botnets by developing an innovative machine learning-based model for domain name classification. The model leverages the light gradient boosting algorithm (LightGBM) and integrates n-gram features to enhance the detection of malicious DGA domains. This approach offers superior accuracy, adaptability, and efficiency in identifying and classifying anomalous domain names, achieving 96% precision when detecting true DGA domains. This system represents a significant advancement in cybersecurity and anomaly detection.