DDOFM: Dynamic malicious domain detection method based on feature mining
Published in: Computers & Security, 2023-07, Vol. 130, p. 103260, Article 103260
Format: Article
Language: English
Summary: The domain name system is an essential part of the network, and target hosts are often attacked by malicious domain names to steal resources. Some traditional detection methods have low accuracy, poor generalization ability, and high resource overhead on model construction when dealing with complex and variable malicious domain names. A three-level dynamic malicious domain detection method (DDOFM) is proposed in this paper. DDOFM only needs to combine a few high-order statistical features of benign domains with some DNS features, without flagging malicious samples and involving them in training. First, boundary recognition of passive DNS (PDNS) features extracted from DNS traffic is carried out to issue an early warning for some domains. Second, the Hidden Markov Model (HMM) forward algorithm and the normal distribution probability density function are used to calculate the formation probabilities of the warned domains and their probability density values. Then the probabilities of every character in the warned domain name and the standard deviation of these probabilities are computed. Further, the probability density values and the standard deviations of these warned domain names are compared with their respective thresholds to identify the attribution of the warned domain names. Finally, if a domain name is not warned, the Jensen–Shannon divergence (JS divergence) between it and the previous domain name is calculated, and the local iterative threshold finding algorithm (LLTFA) proposed in this paper is used to determine its attribution and to identify whether the host is connected to a command and control (C&C) server. Experiments show that the detection indexes of this method exceed 99% for multiple types of malicious domain names. C&C servers can also be identified by DDOFM faster than by similar methods.
ISSN: 0167-4048, 1872-6208
DOI: 10.1016/j.cose.2023.103260
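The summary above describes three scoring stages: a formation probability from an HMM forward pass over the characters of a warned domain, the standard deviation of the per-character probabilities, and the JS divergence between an un-warned domain and the previous one. The Python below is an added illustration written for this record; it is not the authors' DDOFM code and it does not reproduce their experiments. Everything in it is an assumption of the example: a Laplace-smoothed first-order character transition model (train_transition_model) stands in for the HMM forward algorithm, BENIGN_TRAINING is a small constructed list of benign names, registrable_label is a naive split on the last dot with no public-suffix handling, the PDNS early-warning stage is reduced to a boolean `warned` input, and the thresholds in classify are fixed constants rather than values found by LLTFA.

```python
"""Added illustration of the three DDOFM scoring stages from the summary.
Constructed example, NOT the authors' implementation: a Laplace-smoothed
first-order character Markov chain stands in for the HMM, thresholds are
assumed constants (the paper derives its own with LLTFA), and the PDNS
early-warning stage is reduced to a boolean input."""
import math
from collections import Counter, defaultdict

# Characters allowed in a DNS label for this example (assumption).
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-"

# Constructed benign training set; only benign names are needed, as in DDOFM.
BENIGN_TRAINING = [
    "google.com", "mail.example.com", "amazon.com", "wikipedia.org",
    "github.com", "microsoft.com", "apple.com", "facebook.com",
    "youtube.com", "twitter.com", "netflix.com", "linkedin.com",
    "reddit.com", "stackoverflow.com", "cloudflare.com", "mozilla.org",
    "ubuntu.com", "python.org", "openai.com", "dropbox.com",
]


def registrable_label(domain):
    """Label left of the TLD (naive split, no public-suffix list: assumption)."""
    parts = domain.lower().strip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    return "".join(c for c in label if c in ALPHABET)


def train_transition_model(domains, smoothing=1.0):
    """P(next char | char), Laplace-smoothed so unseen pairs keep mass > 0."""
    counts = defaultdict(Counter)
    for domain in domains:
        label = registrable_label(domain)
        for a, b in zip(label, label[1:]):
            counts[a][b] += 1
    model = {}
    for a in ALPHABET:
        total = sum(counts[a].values()) + smoothing * len(ALPHABET)
        model[a] = {b: (counts[a][b] + smoothing) / total for b in ALPHABET}
    return model


def char_probabilities(model, domain):
    """Probability of every character given its predecessor (stage 2 input)."""
    label = registrable_label(domain)
    return [model[a][b] for a, b in zip(label, label[1:])]


def formation_score(model, domain):
    """Mean log-probability of the label (stand-in for the HMM forward
    log-likelihood) and population std dev of the per-character probabilities.
    DGA-like strings hit only unseen pairs, so both values come out low."""
    probs = char_probabilities(model, domain)
    if not probs:
        return float("-inf"), 0.0
    mean_logp = sum(math.log(p) for p in probs) / len(probs)
    mu = sum(probs) / len(probs)
    std = math.sqrt(sum((p - mu) ** 2 for p in probs) / len(probs))
    return mean_logp, std


def char_distribution(domain):
    """Relative character frequencies over ALPHABET (stage 3 input)."""
    label = registrable_label(domain)
    counts = Counter(label)
    n = max(len(label), 1)
    return [counts[c] / n for c in ALPHABET]


def js_divergence(p, q):
    """Jensen-Shannon divergence with log base 2, so 0 <= JSD <= 1."""
    m = [(pi + qi) / 2 for pi, qi in zip(p, q)]

    def kl(x, y):
        return sum(xi * math.log2(xi / yi) for xi, yi in zip(x, y) if xi > 0)

    return 0.5 * kl(p, m) + 0.5 * kl(q, m)


def classify(domain, warned, previous_domain, model,
             logp_threshold=-3.3, std_threshold=0.005, js_threshold=0.8):
    """Three-level decision. `warned` replaces the PDNS boundary check; the
    thresholds are assumed constants tuned to the constructed training data."""
    if warned:
        mean_logp, std = formation_score(model, domain)
        is_malicious = mean_logp < logp_threshold and std < std_threshold
        return ("malicious" if is_malicious else "benign"), mean_logp, std
    jsd = js_divergence(char_distribution(domain),
                        char_distribution(previous_domain))
    return ("malicious" if jsd > js_threshold else "benign"), jsd, None


if __name__ == "__main__":
    model = train_transition_model(BENIGN_TRAINING)
    for name in ("mail.example.com", "x7q9zk2vb1.com"):
        print(name, classify(name, True, None, model))
    print(classify("abc.com", False, "xyz.com", model))
```

Run stand-alone, the dictionary-word label scores well above the digit-laden label on both the mean log-probability and the spread of per-character probabilities, which is the contrast the paper's stage 2 thresholds exploit; two labels with disjoint character sets reach the maximum JS divergence of 1.0. A real deployment would replace the transition model with the paper's HMM, derive thresholds from data, and feed the warning stage from actual PDNS features.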