Chengwei Peng, Xiao-chun Yun, Yongzheng Zhang, Shuhao Li, Jun Xiao
{"title":"Discovering Malicious Domains through Alias-Canonical Graph","authors":"Chengwei Peng, Xiao-chun Yun, Yongzheng Zhang, Shuhao Li, Jun Xiao","doi":"10.1109/Trustcom/BigDataSE/ICESS.2017.241","DOIUrl":null,"url":null,"abstract":"Malicious domains play a vital component in various cyber crimes. Most of the prior works depend on DNS A (address) records to detect the malicious domains, which are directly resolved to IP addresses. In this paper, we propose a malicious domain detection method focusing on the domains that are not resolved to IP addresses directly but only appear in DNS CNAME (canonical name) records. This kind of domains occupy 18.39% of the total domains in our 1530-days-long DNS traffic dataset collected from 217 DNS servers. In addition, the real-world dataset shows that domains connected with malicious ones through DNS CNAME records tend to be malicious too. Based on this observation, our proposal can identify the illegal domains by computing their maliciousness probabilities. The experiments demonstrate the high detection performance of our solution. It achieves the accuracy, on average, over 97.25% true positive rate with less than 0.027% false positive rate. Moreover, the proposal performs near real time detections. Our work can help network attack defenders to build a more robust domain monitoring system.","PeriodicalId":170253,"journal":{"name":"2017 IEEE Trustcom/BigDataSE/ICESS","volume":"69 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2017-08-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"12","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2017 IEEE Trustcom/BigDataSE/ICESS","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/Trustcom/BigDataSE/ICESS.2017.241","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 12
Abstract
Malicious domains play a vital component in various cyber crimes. Most of the prior works depend on DNS A (address) records to detect the malicious domains, which are directly resolved to IP addresses. In this paper, we propose a malicious domain detection method focusing on the domains that are not resolved to IP addresses directly but only appear in DNS CNAME (canonical name) records. This kind of domains occupy 18.39% of the total domains in our 1530-days-long DNS traffic dataset collected from 217 DNS servers. In addition, the real-world dataset shows that domains connected with malicious ones through DNS CNAME records tend to be malicious too. Based on this observation, our proposal can identify the illegal domains by computing their maliciousness probabilities. The experiments demonstrate the high detection performance of our solution. It achieves the accuracy, on average, over 97.25% true positive rate with less than 0.027% false positive rate. Moreover, the proposal performs near real time detections. Our work can help network attack defenders to build a more robust domain monitoring system.
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
