
Detecting Malicious Domains using the Splunk Machine Learning Toolkit

Bibliographic Details
Main Authors: Cersosimo, Michelle, Lara, Adrian
Format: Conference Proceeding
Language: English

Description

Summary: Malicious domains are often hidden amongst benign DNS requests. Given that DNS traffic is generally permitted, blocking malicious requests is a challenge for most network defenses. Using machine learning to classify DNS requests enables a scalable alternative to programmable blocklists. Studies in this field often reduce their dataset scope to a single attack behavior. However, organizations are being hit by a myriad of attack patterns across multiple objectives; reducing the scope means closing the door to classifier operationalization in a real-world environment. In this paper, we propose a broader and more challenging scenario for our dataset by combining the four DNS malicious behaviors (malware, phishing, spam and botnet) with legitimate domain samples. We use Splunk and its Machine Learning Toolkit to create, test and validate our classifier. We extract 12 static features from the domain name and analyze their weight on the prediction. We compare two supervised learning algorithms and measure their accuracy in such a challenging environment. We obtained 88% accuracy using the Random Forest algorithm against 87% for Decision Tree.
ISSN: 2374-9709
DOI: 10.1109/NOMS54207.2022.9789899