Panpan Zhang,Tingwen Liu,Yang Zhang,Jing Ya,Jinqiao Shi,Yubin Wang

DOI: https://doi.org/10.1016/j.procs.2017.05.204

2017-01-01

Abstract:Malicious domains usually refer to a series of illegal activities, posing threats to people's privacy and property. Therefore, the problem of detecting malicious domains has aroused the widespread concern. This paper introduces a novel approach named DomainWatcher to detect malicious domains based on local and global textual features. Except for the traditional lexical features of domains, we introduce two types of global textual features, namely imitation features and bigram features, by measuring the similarity between tested domains and known domains. Experimental results on real-world data show that DomainWatcher can achieve high precision rate, recall rate and F1-measure with low consumption. (C) 2017 The Authors. Published by Elsevier B.V.

Guolin Tan,Peng Zhang,Lei Zhang,Yu Zhang,Chuang Zhang,Qingyun Liu,Xinran Liu

DOI: https://doi.org/10.1109/issrew.2019.00040

2019-01-01

Abstract:Malicious domain identification is an important task in the field of cyberspace security. However, most of existing work for this task heavily relies on expert experience when constructing machine learning features. What makes matters worse is that these features can be deliberately changed by attackers. As a result, such malicious domain identification methods are easily bypassed by cyber criminals. To solve this problem, in this paper, we propose a novel method for malicious domain identification by effectively learning time series shapelets, the discriminative local patterns of time series. More specifically, our method consists of two main components: 1) modeling user's habits of accessing domains by learning shapelets from domain time series. As the domain time series is generated by the crowd visiting websites, the learned user's habits of accessing domains can potentially reflect what type of service a domain provides, such as pornography, gambling and so on. 2) an outlier correction algorithm designed for a single time series and independent of the model which can enhance the robustness of shapelet initialization. We integrate shapelet learning and outlier correction in our model. Extensive experiments on real-world dataset demonstrates that our proposed method has better performance compared with state-of-the-art methods.

Kai Lei,Qiuai Fu,Jiake Ni,Feiyang Wang,Min Yang,Kuai Xu

DOI: https://doi.org/10.1109/ICDCS.2019.00066

2019-01-01

Abstract:The last decade has witnessed the explosive growth of malicious Internet domains which serve as the fundamental infrastructure for establishing advanced persistent threat command and control communication channels or hosting phishing Web sites. Given the big data nature of Internet traffic data and the ability of algorithmically generating domains and acquiring and registering the domains in a near-automated fashion, detecting malicious domains in real-time is a daunting task for security analysts and network operators. In this paper, we introduce bipartite graphs to capture the interactions between end hosts and domains, identify associated IP addresses of domains, and characterize time-series patterns of DNS queries for domains, and explore one-mode projections of these bipartite graphs for modeling the behavioral, IP-structural, and temporal similarities between domains. We employ graph embedding technique to automatically learn dynamic and discriminative feature representations for over 10,000 labeled domains, and develop an SVM-based classification algorithm for predicting malicious or benign domains. Our model makes the progress towards adapting to the changing and evolving strategies of malicious domains. The experimental results have shown that our proposed algorithm achieves an area under the curve (AUC) of 0.94 based on k-fold cross-validation. To the best of our knowledge, this is the first effort to apply the combination of behavioral modeling and graph embedding for effectively and accurately detecting malicious domains.

Chengwei Peng,Xiaochun Yun,Yongzheng Zhang,Shuhao Li

DOI: https://doi.org/10.1007/978-3-030-01950-1_40

2018-01-01

Abstract:Domain names have been abused for illicit online activities for decades. A wealth of effort has been devoted to detect malicious domains in the past. However, these works primarily identify suspicious DNS behaviors (e.g., lookup patterns, resolution graphs) to distinguish legitimate domains from malicious ones. Whereas, these behaviors can only be observed after malicious activity is already underway, thus are often too late to prevent miscreants from reaping benefits of the attacks, delaying detection. In this paper, we propose MalHunter, a timely detection technique that determines a domain’s reputation via only a single DNS query. We base it on the insight that miscreants need to host malicious domains on IPs that they control, which makes different malicious domains are commonly hosted on the same IPs and creates intrinsic associations. To capture these inherent associations, we employ a deep neural network architecture based method, thus making it possible for detecting malicious domains via only a single DNS query. We evaluate MalHunter using real-world DNS traffic collected from three large ISP networks in China over two months. Compared to previous approaches, our method significantly reduces the time delay of detection from days or weeks to approximate ten microseconds while maintaining as high detection accuracy.

Nishant Shandilya -,Siddham Singh Rao -,V. Phanindra Varma -,Dr. V. Nivedita -

DOI: https://doi.org/10.36948/ijfmr.2024.v06i03.19649

2024-05-17

International Journal For Multidisciplinary Research

Abstract:Since the lack of sufficient security mechanisms, domain system (DNS) has become the main operational infrastructure for cyber intruders to launch cyber-attacks. Therefore, how to discover and block the potential malicious domains and its corresponding IP addresses fast and accurately has become a hot research area as it is one of the most important method in preventing unknown cyber-attacks. In this paper, we proposed an approach to detect malicious domains by analyzing massive mobile web traffic data. We used multiple features to classify, including the textual features and the traffic statistics features of domains and presented three typical classifiers to compare the classifying effect of each. Spark framework is leveraged to speed up the calculation of a large-scale DNS traffic. The efficiency of our system makes us believe the approach can help a lot in the field of network security. The new features are harder to be tampered with and can help determine whether a domain is malicious from a more comprehensive perspective. We evaluate MalPortrait on the passive DNS traffic collected from real-world large ISP networks.

Senhao Wen,Zhiyuan Zhao,Hanbing Yan

DOI: https://doi.org/10.1145/3199478.3199500

2018-03-16

Abstract:We are increasingly relying on HTML(Hypertext Markup Language) web-pages, including online shopping, obtaining information and handling official business, whether on a mobile phone or on a computer. But the underground industry or deliberate attacker has also targeted us. They forges misleading URLs(UniformResourceLocators) and web-pages with various tricky skills which are difficult to identify even for the professionals, so as to steal money, manipulate our devices, monitor our lives. Currently, most of the malicious websites detecting technology is based on features of URLs or Web page elements, which make us feel upset, because it is difficult to extract all the features, and its hysteresis quality make it hard to meet the requirement of tracking the rapid changes of malicious web sites, especially the phishing websites. This paper design a thorough associated analysis model of web-pages using the technology of topic tracking, topic abnormal discovery, web-page visual similarity assessment, web-page structure analyzing, URL analyzing, Internet Resources analyzing and so on, to solve the problem of missing detecting malicious websites, especially with unknown features. The detecting model is able to discover the forged payment web-pages, fake web page which damage the reputation of the relevant organization, personal attack web-pages, tampered web page, web-page trojan, etc. In the meantime, it can track the topic of underground industry and sense the topic evolution. According to our experiments, it is effective and has high accuracy.

Daojing He,Jiayu Dai,Hongjie Gu,Shanshan Zhu,Sammy Chan,Jingyong Su,Mohsen Guizani

DOI: https://doi.org/10.1109/mnet.127.2200280

IF: 10.294

2022-01-01

IEEE Network

Abstract:With the recent increasing number of malicious cyber activities using domain names as attack vectors, malicious domains must be detected and blocked in order to combat cyber attackers. However, current studies of malicious domains detection are limited to Domain Name System (DNS) traffic features or character features, which ignore the associations of malware and malicious domains in the detection. In this paper, we propose a malicious domains detection approach based on domain relationship features extracted from real sandbox traffic. We construct heterogeneous graphs based on sandbox traffic and use the Relational Graph Convolutional Network (RGCN) to build detection models to extract inter-node relationship features. Experiments are conducted using data extracted from real sandbox traffic, and our approach achieves an accuracy of 87.11%. The experimental results demonstrate the effectiveness of using relationship features extracted from sandbox traffic for malicious domains detection.

Qing Wang,Cong Dong,Shijie Jian,Dan Du,Zhigang Lu,Yinhao Qi,Dongxu Han,Xiaobo Ma,Fei Wang,Yuling Liu

DOI: https://doi.org/10.1016/j.cose.2022.103059

2022-12-11

Abstract:Malicious domains are crucial vectors for attackers to conduct malicious activities. With the increasing numbers in domain-based attack activities and the enhancement of attacker evasion methods, the detection of malicious domains has become critical and increasingly difficult. Statistical feature-based and graph structure-based detection methods are mainstream technical approaches. However, highly hidden domains can escape feature detection, and the detection range of graph structure-based methods is limited. Based on these, we propose a malicious detection method called HANDOM. HANDOM combines statistical features and graph structural information to neutralize their limitations, and uses the Heterogeneous Attention Network (HAN) model to jointly handle both information to achieve high-performance malicious domain classification. We conduct experimental evaluations on real-world datasets and compare HANDOM with machine learning methods and other malicious detection methods. The results present that HANDOM has superior and robust performance, and can identify highly hidden domains.

computer science, information systems

Yang ZHANG,Tingwen LIU,Hongzhou SHA,Jinqiao SHI

DOI: https://doi.org/10.11772/j.issn.1001-9081.2016.04.0941

2016-01-01

Journal of Computer Applications

Abstract:Domain Name System (DNS) provides domain name resolution service, ie, converting domain names to IP addresses. Malicious domain detection is mainly for discovering illegal activities and ensuring the normal operation of the domain name servers. Prior work on malicious domain name detection was summarized, and a new machine learning based malicious domain detection algorithm for exploiting multiple-dimensional features was further proposed. With respect to domain name lexical features, more fine-grained features were extracted, such as the conversion frequency of the numbers and letters and the maximum length of continuous letters. As for the network attribute features, more attentions were paid to the name servers, such as the quantity, and the degree of dispersion. The experimental results show that the accuracy, recall rate, F1 value of the proposed method reaches 99. 8%, which means a better performance on malicious domain name detection.

Futai Zou,Linsen Li,Yue Wu,Jianhua Li,Siyu Zhang,Kaida Jiang

DOI: https://doi.org/10.1142/S0218194018400016

IF: 1.007

2018-01-01

International Journal of Software Engineering and Knowledge Engineering

Abstract:Domain-Flux malware is hard to detect because of the variable C&C (Command and Control) domains which were randomly generated by the technique of domain generation algorithm (DGA). In this paper, we propose a Domain-Flux malware detection approach based on DNS failure traffic. The approach fully leverages the behavior of DNS failure traffic to recognize nine features, and then mines the DGA-generated domains by a clustering algorithm and determinable rules. Theoretical analysis and experimental results verify its efficiency with both test dataset and real-world dataset. On the test dataset, our approach can achieve a true positive rate of 99.82% at false positive rate of 0.39%. On the real-world dataset, the approach can also achieve a relatively high precision of 98.3% and find out 197,026 DGA domains by analyzing DNS traffic in campus network for seven days. We found 1213 hosts of Domain-Flux malware existing on campus network, including the known Conficker, Fosniw and several new Domain-Flux malwares that have never been reported before. We classified 197,026 DGA domains and gave the representative generated patterns for a better understanding of the Domain-Flux mechanism.

Xingguo Li,Junfeng Wang

DOI: https://doi.org/10.3233/jifs-189823

2021-01-01

Abstract:With the rapid development of the Internet, threats from the network security are emerging one after another. Driven by economic interests, attackers use malicious domain names to promote the development of botnets and phishing sites, which leads to serious information leakage of victims and devices, the proliferation of DDoS attacks and the rapid spread of viruses. Based on the above background, the purpose of this paper is to study the network detection of malicious domain name based on the adversary model. Firstly, this paper studies the generation mechanism of DGA domain name based on PCFG model, and studies the characteristics of the domain name generated by such DGA. The research shows that the domain name generated by PCFG model is usually based on the legal domain name, so the character statistical characteristics of the domain name are similar to the legal domain name. Moreover, the same PCFG model can often generate multiple types of domain names, so it is difficult to extract appropriate features manually. The experimental results show that the accuracy, recall and accuracy of the performance parameters of the classifier are over 95%. By using the open domain name data set, comparing the linear calculation edit distance method and the detection effect under different thresholds, it is proved that the proposed method can improve the detection speed of misplanted domain names under the condition of similar accuracy.

Futai Zou,Siyu Zhang,Linsen Li,Li Pan,Jianhua Li

DOI: https://doi.org/10.1177/1550147717720791

IF: 1.938

2017-01-01

International Journal of Distributed Sensor Networks

Abstract:In this article, we analyze the behavioral characteristics of domain name service queries produced by programs and then design an algorithm to detect malware with expired command-and-control domains based on the key feature of domain name service traffic, that is, repeatedly querying domain with a fixed interval. In total, 3027 malware command-and-control domains in the network traffic of Shanghai Jiao Tong University, affecting 249 hosts, were successfully detected, with a high precision of 92.0%. This algorithm can find those malware with expired command-and-control domains that are usually ignored by current research and would have important value for eliminating network security risks and improving network security environment.

Zhongyi Hu,Raymond Chiong,Ilug Pranata,Willy Susilo,Yukun Bao

DOI: https://doi.org/10.1109/cec.2016.7748347

2016-01-01

Abstract:Malicious web domains represent a big threat to web users' privacy and security. With so much freely available data on the Internet about web domains' popularity and performance, this study investigated the performance of well-known machine learning techniques used in conjunction with this type of online data to identify malicious web domains. Two datasets consisting of malware and phishing domains were collected to build and evaluate the machine learning classifiers. Five single classifiers and four ensemble classifiers were applied to distinguish malicious domains from benign ones. In addition, a binary particle swarm optimisation (BPSO) based feature selection method was used to improve the performance of single classifiers. Experimental results show that, based on the web domains' popularity and performance data features, the examined machine learning techniques can accurately identify malicious domains in different ways. Furthermore, the BPSO-based feature selection procedure is shown to be an effective way to improve the performance of classifiers.

Chengwei Peng,Xiaochun Yun,Yongzheng Zhang,Shuhao Li,Jun Xiao

DOI: https://doi.org/10.1109/Trustcom/BigDataSE/ICESS.2017.241

2017-01-01

Abstract:Malicious domains play a vital component in various cyber crimes. Most of the prior works depend on DNS A (address) records to detect the malicious domains, which are directly resolved to IP addresses. In this paper, we propose a malicious domain detection method focusing on the domains that are not resolved to IP addresses directly but only appear in DNS CNAME (canonical name) records. This kind of domains occupy 18.39% of the total domains in our 1530-days-long DNS traffic dataset collected from 217 DNS servers. In addition, the real-world dataset shows that domains connected with malicious ones through DNS CNAME records tend to be malicious too. Based on this observation, our proposal can identify the illegal domains by computing their maliciousness probabilities. The experiments demonstrate the high detection performance of our solution. It achieves the accuracy, on average, over 97.25% true positive rate with less than 0.027% false positive rate. Moreover, the proposal performs near real time detections. Our work can help network attack defenders to build a more robust domain monitoring system.

Yanning Zhang

2013-01-01

Computer Science

Abstract:At present,many botnets adopt Domain Flux techniques to avoid the block of domain blacklists.A new technique was proposed to detect malicious domain by analyzing group-behavior of compromised hosts on DNS queries.The method clusters new domains and Non-Existent domains queried by hosts in each epoch,groups these hosts by new domain names,and identifies that if the hosts within the same set have group activities when querying Non-Existent domains,to detect compromised hosts and IP addresses of CC servers.The monitoring results for an ISP DNS show that compromised hosts and IP addresses of CC servers are detected accurately.

Yanan Cheng,Tingting Chai,Zhaoxin Zhang,Keyu Lu,Yuejin Du

DOI: https://doi.org/10.1093/comjnl/bxab062

2021-01-01

The Computer Journal

Abstract:Millions of new domain names are registered every day, but a large proportion of them are malicious and usually discovered and blacklisted after the crime has been committed. In order to improve the security of domain name registration, this paper proposes a lightweight detection method based on the AdaBoost to identify malicious domain names, which focuses on proactively detecting malicious domain names by exploring the abnormal WHOIS records. The domain name registries and registrars can adopt the proposed method as the first layer of defense to identify malicious domains on the domain registration stage. Extensive experiments on a large-scale database demonstrate that the proposed approach achieves satisfactory results on various malicious domain names.

Yang Chen,Shuai Zhang,Jing Liu,Bo Li

DOI: https://doi.org/10.1109/smartcloud.2018.00039

2018-01-01

Abstract:Domain generation algorithms, called DGAs, are used to generate a lot of pseudo-random domain names. The malware can connect to a command & control(C2) server through these domains, which will cause large threats to network security. Most of previous researches are based on large sets of domains or manual feature extractions. To tackle this issue, current studies pay more attention to deep learning, such as LSTM. However, it is difficult to learn reasonable expression when the domain is long. In this paper, we propose a LSTM model incorporating with attention mechanism, in which attention will focus on more important substrings in domains and improve the expression of domains. The experimental results in real-life datasets demonstrate our model has a priority in both false alarm rate decreased to 1.29% and false negative rate reduced to 0.76%. Furthermore, our model also has a better performance in multilabel detection.

Guolin Tan,Peng Zhang,Qingyun Liu,Xinran Liu,Chunge Zhu,Fenghu Dou

DOI: https://doi.org/10.1109/TrustCom/BigDataSE.2018.00107

2018-01-01

Abstract:Hackers can implant malwares (e.g. Trojans, Worms, etc.) in the web pages to steal user information and acquire money illegally. In fact, it is noted that close to one-third of all websites are potentially malicious in nature. Therefore, It makes sense to quickly detect malicious URLs on the Internet. Different from most of previous methods, in this paper, we propose a method for online malicious URL detection based on adaptive learning. By collecting the network traffic from backbone networks, we train machine learning models to detect malicious URLs. But there is a serious problem in dynamically changing environments where the statistical properties of target variable change over time, which is known as concept drift. To address this problem, we apply a nonparametric test to correctly detect concept drifts in adaptive learning. Extensive experiments with different types of concept drifts are performed to demonstrate the feasibility of our proposed method on both artificial and real datasets. Our empirical study shows that this approach has good performance in detecting malicious URLs and concept drifts.

WANG Tao,YU Shun-zheng

DOI: https://doi.org/10.3969/j.issn.1002-137x.2011.01.019

2011-01-01

Computer Science

Abstract:Malicious Web pages impose increasing threats on Web security in recent years.Currently,there are mainly two client-side protection approaches including anti-virus software packages and blacklists of malicious sites.Anti-virus techniques commonly use signature-based approaches which might not be able to efficiently identify malicious HTML codes with encryption and obfuscation.Furthermore,blacklisting techniques are difficult to keep up-to-date.This paper presented a novel classification method for real-time detecting malicious Web pages which is independent with the contents of Web pages.Our approach characterizes malicious Web pages using HTTP session information.With representative statistical features and decision tree algorithm in machine learning,we built an effective classification model for online real-time detecting malicious Web pages.Experiment results demonstrate that we are able to successfully detect 89.7% of the malicious Web pages with a low false positive rate of 0.3%.

Xiaodong Zang,Tongliang Wang,Xinchang Zhang,Jian Gong,Peng Gao,Guowei Zhang

DOI: https://doi.org/10.1016/j.comnet.2024.110598

IF: 5.493

2024-01-01

Computer Networks

Abstract:The focus on privacy protection has brought much-encrypted network traffic. However, attackers always abuse traffic encryption to conceal malicious behaviors. Although researchers have proposed several enlightening detection methods, they must enhance the generalization ability or improve detection performance. Our inspiration is that the packet header fields, as do the underlying grammatical rules for constructing sentences, have a strict order. We consider the original packet as text and devise a robust approach with natural language processing and a deep learning model to improve the generalization ability and detection performance. We capture the critical keywords as characteristic representations of the traffic and design an adaptive domain generalization algorithm with a new loss function. It is robust against various datasets by generating more malicious samples to augment the minority of malicious samples. Simultaneously, we design an efficient feature selection algorithm, which obtains an optimal feature subset and reduces feature dimensions by 75.3%. To evaluate our work, we conducted extensive experiments with open-source datasets (CICIDS 2017, CICDDoS 2019, and USTC-TFC 2016), the synthetic dataset from IoT-23, and Internet backbone traffic (CERNET). Experimental results demonstrate that our proposal improves detection accuracy by up to 22.8% compared to others not using domain generalization algorithms and achieves an average detection latency of 0.67 s in the backbone. Besides, our work applies to the Industrial Internet of Things (IIoT) environment. It can be deployed at edge nodes to provide network security support for IIoT devices.