Multi-Confirmations and DNS Graph Mining for Malicious Domain Detection

Abstract

Internet criminals use the domain name service (DNS) as a cornerstone for a variety of malicious activities. Typically, attackers register domain names to locate their C&C (command and control) servers for spam campaigns, DDoS attacks, etc. Thousands of cyber attacks happen every day and their number grows exponentially, which makes this an urgent matter for cyber security. To tackle this issue, several recent techniques have been proposed to identify malicious domains. Most of them use DNS data, which contains a great deal of global information that attackers cannot control. Hence, it is reasonable to use labeled domains to identify further malicious domains through their associations, by analyzing historical logs. Furthermore, graphs are commonly used to represent relationships between objects, and many powerful graph algorithms have been successfully applied in the literature. Accordingly, our previous paper proposed a method using a modified version of the Belief Propagation algorithm to detect malicious domains based on a graph of domains and host IPs. Graph inference has also been applied with many other methods, with very impressive results. However, these methods cannot handle all domains on the graph, because the domain blacklist does not cover every graph component. This can be considered a bottleneck of the proposed methods. To solve this problem, we propose a new method that extends the previous work. This paper proposes a new approach that employs the law of total probability, based on the relationship between domains and clients, to calculate a malicious score for each domain. The paper not only uses the new score to label domains but also combines it with the previous score. The scores from the two methods are combined via a weighted sum to arrive at a single score for each domain. The study shows high performance in malicious domain prediction on the test case, with accuracy, precision and recall of 97.6%, 99.2% and 93.1% respectively.
This technique can discover a large number of potentially malicious domains by mining a small knowledge base (blacklisted and whitelisted domains) with high precision. This indicates that the proposed technique is strongly effective in detecting malicious domains.
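The scoring idea described in the abstract, as an added illustration that is not the paper's code: a bipartite domain-client graph built from constructed DNS query records, a per-client maliciousness estimate from the seed black/white list, a domain score obtained by the law of total probability over the clients that queried the domain, and a weighted sum with a prior score (the role the Belief Propagation score plays in the paper). The exact conditional probabilities used here (client score as the malicious share of its labelled domains, uniform P(client | domain), 0.5 for uninformative nodes) are assumptions for the example, not the paper's formulas.

```python
from collections import defaultdict

# Constructed sample data: (client, queried domain) pairs plus a small seed
# list of labelled domains (1.0 = blacklisted, 0.0 = whitelisted).
QUERIES = [
    ("c1", "bad1.example"), ("c1", "unknown-a.example"),
    ("c2", "bad1.example"), ("c2", "bad2.example"), ("c2", "unknown-a.example"),
    ("c3", "good1.example"), ("c3", "unknown-b.example"),
    ("c4", "good2.example"), ("c4", "unknown-b.example"), ("c4", "unknown-a.example"),
]
LABELS = {"bad1.example": 1.0, "bad2.example": 1.0,
          "good1.example": 0.0, "good2.example": 0.0}

def build_graph(queries):
    """Bipartite graph as two adjacency maps: client -> domains, domain -> clients."""
    by_client, by_domain = defaultdict(set), defaultdict(set)
    for client, domain in queries:
        by_client[client].add(domain)
        by_domain[domain].add(client)
    return by_client, by_domain

def client_scores(by_client, labels):
    """Assumed estimate of P(malicious | client): share of the client's labelled
    domains that are blacklisted; 0.5 if the client touched no labelled domain."""
    scores = {}
    for client, domains in by_client.items():
        known = [labels[d] for d in domains if d in labels]
        scores[client] = sum(known) / len(known) if known else 0.5
    return scores

def domain_scores(by_domain, cscores):
    """Law of total probability over the clients that queried the domain:
    score(d) = sum_c P(c | d) * P(malicious | c), with P(c | d) uniform (assumed)."""
    return {d: sum(cscores[c] for c in clients) / len(clients)
            for d, clients in by_domain.items()}

def combine(prior, new, alpha=0.5):
    """Weighted sum of a prior score (e.g. from belief propagation) and the new
    graph score; unknown priors default to the uninformative value 0.5."""
    return {d: alpha * prior.get(d, 0.5) + (1 - alpha) * s for d, s in new.items()}

def score_domains(queries, labels, prior=None, alpha=0.5):
    by_client, by_domain = build_graph(queries)
    new = domain_scores(by_domain, client_scores(by_client, labels))
    return combine(prior or {}, new, alpha)

if __name__ == "__main__":
    for domain, score in sorted(score_domains(QUERIES, LABELS).items()):
        print(f"{domain:20s} {score:.3f}")
```

An unlabelled domain queried mostly by clients that also query blacklisted domains ends up with a high score, while one queried only by clients with whitelisted traffic stays low; this is how the seed lists reach graph components the blacklist itself never touches.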

Citation
Tran, H., Dang, C., Nguyen, H., Vo, P., & Vu, T. (2019). Multi-Confirmations and DNS Graph Mining for Malicious Domain Detection. In Advances in Intelligent Systems and Computing (Vol. 998, pp. 639–653). Springer Verlag. https://doi.org/10.1007/978-3-030-22868-2_46
