Ringer: Systematic mining of malicious domains by dynamic graph convolutional network

Abstract

Malicious domains are critical resources in network security, behind which attackers hide malware to launch the malicious attacks. Therefore, blocking malicious domains is the most effective and practical way to combat and reduce hostile activities. There are three limitations in previous methods over domain classification: (1) solely based on local domain features which tend to be not robust enough; (2) lack of a large number of ground truth for model-training to get high accuracy; (3) statically learning on graph which is not scalable. In this paper, we present Ringer, a scalable method to detect malicious domains by dynamic Graph Convolutional Network (GCN). Ringer first uses querying behaviors or domain-IP resolutions to construct domain graphs, on which the dynamic GCN is leveraged to learn the node representations that integrate both information about node features and graph structure. And then, these high-quality representations are further fed to the full-connected neural network for domain classification. Notably, instead of global statically learning, we adopt time-based hash to cut graphs to small ones and inductively learn the embedding of nodes according to selectively sampling neighbors. We construct a series of experiments on a large ISP over two days and compare it with state of the arts. The results demonstrate that Ringer achieves excellent performance with a high accuracy of 96.8% on average. Additionally, we find thousands of potential malicious domains by semi-supervised learning.