
Publication | Closed Access

Effective DGA Family Classification Using a Hybrid Shallow and Deep Packet Inspection Technique on P4 Programmable Switches

Citations: 10 | References: 19 | Year: 2023

Abstract

Domain Generation Algorithms (DGAs) are one of the most effective strategies by which malware establishes a connection with the adversary's Command and Control (C2) server. Moreover, the growing number of DGA families makes it increasingly difficult for defenders to promptly identify the DGA family behind a given compromise. State-of-the-art high-dimensional DGA detection models perform poorly in such multiclass classification scenarios because their domain-name-based features fail to distinguish between DGA families. To this end, this paper proposes a novel framework that harnesses the flexibility, per-packet granularity, and terabits-per-second (Tbps) processing capability of P4 Programmable Data Plane (PDP) switches to classify DGA families quickly and accurately. In particular, the P4 PDP switch is leveraged to extract a combination of unique network heuristics and domain name features through shallow and Deep Packet Inspection (DPI) with minimal throughput reduction. Such features cannot be tracked on commodity hardware without significantly degrading throughput in high-speed networks, nor on traditional layer 2/3 switches, whose functionality is limited and fixed. We crawled hundreds of gigabytes (GB) of malware samples from different sources to obtain instances of 50 DGA families and show that the proposed approach classifies each family promptly and with high accuracy. Such reliable multiclass classification enables immediate halting of the malicious communication while allowing network operators to initiate appropriate mitigation, incident management, and provisioning strategies.
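The shallow-plus-deep extraction the abstract describes, as an added example that is not the paper's code or P4 program: a host-side Python reference that reads the fixed-offset IPv4/UDP fields a switch can match directly (shallow inspection) and then walks the variable-length DNS question section to recover the queried name and derive lexical features from its second-level label (deep inspection). The feature set (entropy, digit and vowel ratios, label count), the frame builder, the 10.0.0.x addresses and the sample names are assumptions chosen for illustration; the paper's own network heuristics and its 50-family classifier are not reproduced here.

```python
import math
import struct
from collections import Counter
from dataclasses import dataclass
from typing import Optional

DNS_PORT = 53
ETH_LEN = 14               # Ethernet II header length
VOWELS = set("aeiou")


def build_dns_query_frame(qname: str, ttl: int = 64, src_port: int = 40000,
                          txid: int = 0x1234) -> bytes:
    # Constructed sample input: Ethernet/IPv4/UDP/DNS A query from 10.0.0.5 to 10.0.0.53
    # (assumed addresses). IP and UDP checksums are left at zero; nothing here verifies them.
    labels = qname.rstrip(".").split(".")
    wire_name = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"
    dns = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + wire_name + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", src_port, DNS_PORT, 8 + len(dns), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(dns), 0, 0x4000, ttl, 17, 0,
                     b"\x0a\x00\x00\x05", b"\x0a\x00\x00\x35")
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + udp + dns


@dataclass
class DnsQueryFeatures:
    # Shallow inspection: fixed-offset IPv4/UDP header fields (per-client counters key on these)
    ttl: int
    ip_total_len: int
    src_port: int
    dst_port: int
    # Deep inspection: recovered by walking the variable-length DNS question section
    txid: int
    qname: str
    qtype: int
    label_count: int
    sld: str               # second-level label; public-suffix handling (e.g. co.uk) is omitted
    sld_entropy: float     # Shannon entropy in bits of the lower-cased SLD
    sld_digit_ratio: float
    sld_vowel_ratio: float


def _entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def _parse_qname(dns: bytes, off: int) -> tuple:
    # Walk the label sequence; a compression pointer (top two bits set) is invalid in a
    # question name, and following one without a hop limit is a classic parser loop.
    labels = []
    while True:
        if off >= len(dns):
            raise ValueError("truncated QNAME")
        length = dns[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0 or off + length > len(dns):
            raise ValueError("compression pointer, reserved label type, or truncated label")
        labels.append(dns[off:off + length].decode("ascii", errors="replace"))
        off += length
    if len(".".join(labels)) > 253:
        raise ValueError("QNAME longer than 253 octets")
    return labels, off


def extract_features(frame: bytes) -> Optional[DnsQueryFeatures]:
    """Features for an IPv4/UDP DNS packet; None for other traffic; ValueError if malformed."""
    if len(frame) < ETH_LEN + 20 + 8 + 12:
        raise ValueError("frame too short for Ethernet/IPv4/UDP/DNS")
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None                                  # not IPv4
    ver_ihl = frame[ETH_LEN]
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("bad IPv4 version/IHL")
    ip_total_len = struct.unpack_from("!H", frame, ETH_LEN + 2)[0]
    ttl, proto = frame[ETH_LEN + 8], frame[ETH_LEN + 9]
    if proto != 17:
        return None                                  # not UDP
    udp_off = ETH_LEN + ihl
    if udp_off + 8 > len(frame):
        raise ValueError("truncated UDP header")
    src_port, dst_port, udp_len, _ = struct.unpack_from("!HHHH", frame, udp_off)
    if DNS_PORT not in (src_port, dst_port):
        return None                                  # not DNS
    dns = frame[udp_off + 8:udp_off + udp_len]
    if len(dns) < 12:
        raise ValueError("truncated DNS header")
    txid, _flags, qdcount = struct.unpack_from("!HHH", dns, 0)
    if qdcount < 1:
        raise ValueError("no question section")
    labels, off = _parse_qname(dns, 12)
    if off + 4 > len(dns):
        raise ValueError("truncated QTYPE/QCLASS")
    qtype = struct.unpack_from("!H", dns, off)[0]
    sld = (labels[-2] if len(labels) >= 2 else labels[0] if labels else "").lower()
    n = len(sld) or 1                                 # avoid division by zero on an empty name
    return DnsQueryFeatures(
        ttl, ip_total_len, src_port, dst_port,
        txid, ".".join(labels), qtype, len(labels), sld, _entropy(sld),
        sum(ch.isdigit() for ch in sld) / n, sum(ch in VOWELS for ch in sld) / n,
    )
```

Running `extract_features(build_dns_query_frame("q7x2m9kz4p.net"))` yields a feature record with no vowels, a 0.4 digit ratio and maximal entropy for its length, whereas `www.example.com` gives a low-entropy, vowel-rich SLD; the multiclass model the abstract describes would consume such vectors together with the switch-side heuristics. The split matters for the data-plane port: the shallow fields fall out of a P4 parser's fixed-width header extraction, while the QNAME walk has to be unrolled into a bounded chain of parser states (one per label up to a chosen maximum), which is where the DPI cost and the throughput trade-off mentioned in the abstract come from.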
