Malicious Domain Detection via Domain Relationship and Graph Models

Bibliographic Details
Main Authors: He, Wenxuan, Gou, Gaopeng, Kang, Cuicui, Liu, Chang, Li, Zhen, Xiong, Gang
Format: Conference Proceeding
Language: English
Description
Summary: Malicious domains are a vital component of various cyber attacks. Recent techniques detect malicious domains by building classifiers based on domain character features, which attackers can easily evade. In this paper, we propose a malicious domain detection approach based on domain relationship features, PDNS features, and domain character features. The key insight is that malicious domains are deployed on loosely regulated IPs, and the domains on such IPs have similar network characteristics, including domain relationships, resolution characteristics, and network behaviors. We find that the relationships of malicious domains differ from those of benign domains. Taking this into account, we build meaningful associations among domains and extract domain relationship features from Passive DNS data with a modified graph embedding algorithm. In addition, we mine further features from PDNS that have not been mentioned in previous work; these PDNS features enhance the effectiveness of the classifier. Finally, we combine domain character features, PDNS features, and relationship features as the feature set. We evaluate the performance of our model on a real-world dataset from DNS servers. Applying several classifiers to domain character features, PDNS features, and relationship features, we achieve an accuracy of 94.0%, a recall of 94.3%, and a precision of 93.8% in the challenging scenario where domains are deployed on the same IP and malicious domains share similar character features with benign domains. We also compare our method with two state-of-the-art detection approaches and find that ours outperforms them. Based on the comparison results, we point out that our way of constructing a domain relationship graph can effectively mine domain association features, and that these features combined with PDNS features and domain character features can effectively identify malicious domains that resemble benign domains.
ISSN: 2374-9628
DOI: 10.1109/IPCCC47392.2019.8958718