Congyuan Xu,Jizhong Shen,Xin Du

DOI: https://doi.org/10.1016/j.cose.2019.04.015

IF: 5.105

2019-01-01

Computers & Security

Abstract:Botnets have become one of the main threats to cyberspace security currently. More and more bots utilize the domain generation algorithm (DGA) to generate malicious domain names to communicate with Command & Control (C&C) servers. A well-designed DGA can bypass the traditional detection methods such as sinkhole and rule filtering, which raises new challenges to cyberspace security. In the field of machine learning, the n-gram is a semantic model that characterizes the relationship among neighboring morphemes while deep convolutional neural networks have a robust capability in processing information with translation-invariant properties. In this paper, we combined n-gram and a deep convolutional neural network and then proposed a novel n-gram combined character based domain classification (n-CBDC) model. The n-CBDC model runs in an end-to-end way that doesn’t require hand-extracted features or domain name system (DNS) contextual information; it only needs to input the domain name itself and can automatically estimate the probability that the domain name was generated by DGAs. Experiments on real-world data show that the proposed method can effectively detect domain names generated by DGAs with 98.69% average detection rate and 0.9829 average F-measure, and significantly outperformed the state-of-art methods in detecting pronounceable and wordlist-based DGA domain names with more than 93.89% detection rate. Therefore, the proposed detection method is robust and has a wide range of adaptability in detecting various types of domain names generated by DGAs.

Heyu Li,Zhangmeizhi Li,Shuyan Zhang,Xiao Pu

DOI: https://doi.org/10.1038/s41598-024-81189-1

IF: 4.6

2024-12-06

Scientific Reports

Abstract:With the widespread application of the Internet, network security issues have become increasingly prominent. As an important infrastructure of the Internet, the domain name server has been attacked in various forms. Traditional methods for detecting malicious domain servers are usually based on rules or feature engineering, requiring a large amount of manual participation and rule library updates. These methods cannot adapt to the constantly changing threat environment. In response to these issues, this study first improves the Transformer by adjusting its attention head and encoding method. Then, the model is combined with convolutional neural networks. Finally, a block-based ensemble classifier is used for classification detection. The relevant outcomes showed that the average accuracy score of the proposed method was as high as 95.8 points, the average detection time score was 96.8 points, the average feature extraction ability score of the model was 96.3 points, and the overall performance score was 97.6 points. This method has significant advantages over traditional methods in terms of accuracy and detection time, providing a new tool for detecting malicious domain servers.

multidisciplinary sciences

XiangDong Huang,Hao Li,Jiajia Liu,FengChun Liu,Jian Wang,BaoShan Xie,BaoPing Chen,Qi Zhang,Tao Xue

DOI: https://doi.org/10.1155/2022/9241670

IF: 3.12

2022-06-26

Computational Intelligence and Neuroscience

Abstract:With the rapid development of the Internet, malicious domain names pose more and more serious threats to many fields, such as network security and social security, and there have been many research results on malicious domain detection. This article proposes a malicious domain name detection model based on improved deep learning, which can combine the advantages of three different network models, convolutional neural network (CNN), temporal convolutional network (TCN), and long short-term memory network (LSTM) in malicious domain name detection, to obtain a better detection effect than that of the original single or two models. Experiments show that the effect of the improved deep learning model proposed in this article is better than that of the combined model of CNN and LSTM or the combined model of CNN and TCN, and the accuracy and regression rates reached 99.76% and 98.81%, respectively.

mathematical & computational biology,neurosciences

Renjie Liao,Shuo Wang

DOI: https://doi.org/10.1049/cmu2.12739

IF: 1.345

2024-03-07

IET Communications

Abstract:Malicious domains pose a severe threat to cybersecurity. As to improve the detection accuracy when the malicious domain variants increase, we proposed a novel malicious domain detection method named MDND‐SS‐PO that combines semi‐supervised learning and parameter optimization. The method extracts the statistical features of the IP address, TTL value, the NXDomain record, and the domain name query characteristics to discriminate Domain‐Flux and Fast‐Flux domain names simultaneously. And an improved DBSCAN based on the neighborhood division is applied semi‐supervised learning with less label efforts. Finally, Gaussian process regression is used to optimize parameter settings of machine learning algorithms. Experimental results show that the proposed method achieved a precise detection performance of 0.885 when the ratio of labeled data is 5%. Malicious domains provide malware with covert communication channels which poses a severe threat to cybersecurity. Despite the continuous progress in detecting malicious domains with various machine learning algorithms, maintaining up‐to‐date various samples with fine‐labeled data for training is difficult. To handle these issues and improve the detection accuracy, a novel malicious domain detection method named MDND‐SS‐PO is proposed that combines semi‐supervised learning and parameter optimization. The contributions of the study are as follows. First, the method extracts the statistical features of the IP address, TTL value, the NXDomain record, and the domain name query characteristics to discriminate Domain‐Flux and Fast‐Flux domain names simultaneously. Second, an improved DBSCAN based on the neighborhood division is designed to cluster labeled data and unlabeled data with low time consumption. Then, based on the clustering hypothesis, unlabeled data is tagged with pseudo‐label according to the cluster results, which aims to train a supervised classifier effectively. Finally, Gaussian process regression is used to optimize parameter settings of the algorithm. And the Silhouette index and F1 score are introduced to evaluate the optimization results. Experimental results show that the proposed method achieved a precise detection performance of 0.885 when the ratio of labeled data is 5%.

engineering, electrical & electronic

Yury Zhauniarovich,Issa Khalil,Ting Yu,Marc Dacier

DOI: https://doi.org/10.1145/3191329

2018-05-22

Abstract:Malicious domains are one of the major resources required for adversaries to run attacks over the Internet. Due to the important role of the Domain Name System (DNS), extensive research has been conducted to identify malicious domains based on their unique behavior reflected in different phases of the life cycle of DNS queries and responses. Existing approaches differ significantly in terms of intuitions, data analysis methods as well as evaluation methodologies. This warrants a thorough systematization of the approaches and a careful review of the advantages and limitations of every group. In this paper, we perform such an analysis. In order to achieve this goal, we present the necessary background knowledge on DNS and malicious activities leveraging DNS. We describe a general framework of malicious domain detection techniques using DNS data. Applying this framework, we categorize existing approaches using several orthogonal viewpoints, namely (1) sources of DNS data and their enrichment, (2) data analysis methods, and (3) evaluation strategies and metrics. In each aspect, we discuss the important challenges that the research community should address in order to fully realize the power of DNS data analysis to fight against attacks leveraging malicious domains.

Cryptography and Security

Xiaoqing Sun,Mingkai Tong,Jiahai Yang

DOI: https://doi.org/10.48550/arXiv.1909.01590

2019-09-04

Cryptography and Security

Abstract:Domain name system (DNS) is a crucial part of the Internet, yet has been widely exploited by cyber attackers. Apart from making static methods like blacklists or sinkholes infeasible, some weasel attackers can even bypass detection systems with machine learning based classifiers. As a solution to this problem, we propose a robust domain detection system named HinDom. Instead of relying on manually selected features, HinDom models the DNS scene as a Heterogeneous Information Network (HIN) consist of clients, domains, IP addresses and their diverse relationships. Besides, the metapath-based transductive classification method enables HinDom to detect malicious domains with only a small fraction of labeled samples. So far as we know, this is the first work to apply HIN in DNS analysis. We build a prototype of HinDom and evaluate it in CERNET2 and TUNET. The results reveal that HinDom is accurate, robust and can identify previously unknown malicious domains.

Shaofang Zhou,Lanfen Lin,Junkun Yuan,Feng Wang,Zhaoting Ling,Jia Cui

DOI: https://doi.org/10.1109/isi.2019.8823200

2019-01-01

Abstract:Attackers often use domain generation algorithms (DGAs) to create various kinds of pseudorandom domains dynamically and select a part of them to connect with command and control servers, therefore it is important to automatically detect the algorithmically generated domains (AGDs). AGDs can be broken down into two categories: character-based domains and wordlist-based domains. Recently, methods based on machine learning and deep learning have been widely explored. However, much of the previous work perform well in detecting one kind of DGA families but poorly in classifying another kind. A general detection system which is applicable to both kinds of domains still remains a challenge. To address this problem, we propose a novel real-time detection method with high accuracy as well as high coverage. We first convey a domain name into a sequence of word-level or character-level components, then design a deep neural network based on temporal convolutional network to extract the implicit pattern and classify the domain into two or more categories. Our experimental results demonstrate that our model outperforms state-of-the-art approaches in both binary classification and multi-class classification, and shows a good performance in detecting different kinds of DGAs. Besides, the high training efficiency of our model makes it adjust to new malicious domains quickly.

Xiaoqing Sun,Jiahai Yang,Zhiliang Wang,Heng Liu

DOI: https://doi.org/10.1109/noms47738.2020.9110462

2020-01-01

Abstract:As a fundamental component of the Internet, Domain Name System (DNS) is widely abused by attackers in various cybercrimes, making malicious domain detection an essential task in network defenses. However, some well-crafted attacks with tricky techniques can not only bypass blacklists but also make some machine learning-based detection systems infeasible. In this paper, we design HGDom, an accurate and robust malicious domain detection system based on a heterogeneous graph convolutional network method. First, we jointly analyze domain features as well as the complex relations among domains, clients, and IP addresses. To capture richer information, we introduce a Heterogeneous Information Network (HIN) to model the DNS scene. Then, we propose a novel representation method named MAGCN. With a meta-path-based attention mechanism, it can handle node features and the graph structure in HIN at the same time. To our best knowledge, this is the first work to apply GCN in cyber security analysis. Comprehensive experiments over DNS data from TUNET and CERNET2 are conducted to validate the effectiveness and superiority of our proposed methods. The comparison results show that HGDom outperforms state-of-the-art approaches with promising performance. Besides, the system is decided to be deployed in production to assist with network security management for CERNET2.

Qing Wang,Cong Dong,Shijie Jian,Dan Du,Zhigang Lu,Yinhao Qi,Dongxu Han,Xiaobo Ma,Fei Wang,Yuling Liu

DOI: https://doi.org/10.1016/j.cose.2022.103059

2022-12-11

Abstract:Malicious domains are crucial vectors for attackers to conduct malicious activities. With the increasing numbers in domain-based attack activities and the enhancement of attacker evasion methods, the detection of malicious domains has become critical and increasingly difficult. Statistical feature-based and graph structure-based detection methods are mainstream technical approaches. However, highly hidden domains can escape feature detection, and the detection range of graph structure-based methods is limited. Based on these, we propose a malicious detection method called HANDOM. HANDOM combines statistical features and graph structural information to neutralize their limitations, and uses the Heterogeneous Attention Network (HAN) model to jointly handle both information to achieve high-performance malicious domain classification. We conduct experimental evaluations on real-world datasets and compare HANDOM with machine learning methods and other malicious detection methods. The results present that HANDOM has superior and robust performance, and can identify highly hidden domains.

computer science, information systems

Xiaoqing Sun,Zhiliang Wang,Jiahai Yang,Xinran Liu

DOI: https://doi.org/10.1016/j.cose.2020.102057

IF: 5.105

2020-01-01

Computers & Security

Abstract:As an essential network service, the Domain Name System (DNS) is widely abused by attackers, making malicious domain detection a crucial task when combating cybercrimes. The increasing sophistication of attackers calls for new detection methods against novel threats and evasions. In this paper, we analyze the DNS scene and design an intelligent malicious domain detection system, named DeepDom. With joint consideration of both domain’s local features and their global associations, DeepDom is more accurate and is harder for attackers to evade. In DeepDom, we first represent the DNS scene as a Heterogeneous Information Network (HIN) with diverse entities like clients, domains, IP addresses, and accounts to capture richer information. Then, considering the heterogeneous and dynamic nature of DNS, we propose a novel Graph Convolutional Network (GCN) method named SHetGCN to inductively classify domain nodes in the HIN. By guiding the convolution operations with meta-path based short random walks, SHetGCN can jointly handle node features together with structural information and support inductive node embedding. We build a prototype of DeepDom and validate its effectiveness with comprehensive experiments over the DNS data collected from a real-world network, CERNET2. The comparison results demonstrate that our approaches outperform other state-of-the-art techniques.

Kai Lei,Qiuai Fu,Jiake Ni,Feiyang Wang,Min Yang,Kuai Xu

DOI: https://doi.org/10.1109/ICDCS.2019.00066

2019-01-01

Abstract:The last decade has witnessed the explosive growth of malicious Internet domains which serve as the fundamental infrastructure for establishing advanced persistent threat command and control communication channels or hosting phishing Web sites. Given the big data nature of Internet traffic data and the ability of algorithmically generating domains and acquiring and registering the domains in a near-automated fashion, detecting malicious domains in real-time is a daunting task for security analysts and network operators. In this paper, we introduce bipartite graphs to capture the interactions between end hosts and domains, identify associated IP addresses of domains, and characterize time-series patterns of DNS queries for domains, and explore one-mode projections of these bipartite graphs for modeling the behavioral, IP-structural, and temporal similarities between domains. We employ graph embedding technique to automatically learn dynamic and discriminative feature representations for over 10,000 labeled domains, and develop an SVM-based classification algorithm for predicting malicious or benign domains. Our model makes the progress towards adapting to the changing and evolving strategies of malicious domains. The experimental results have shown that our proposed algorithm achieves an area under the curve (AUC) of 0.94 based on k-fold cross-validation. To the best of our knowledge, this is the first effort to apply the combination of behavioral modeling and graph embedding for effectively and accurately detecting malicious domains.

QIN Huidong,YANG Jia,LI Xiaonan,MA Hao,LUO Ziyuan,GUO Qiang

DOI: https://doi.org/10.3724/sp.j.1249.2020.99036

2020-01-01

JOURNAL OF SHENZHEN UNIVERSITY SCIENCE AND ENGINEERING

Abstract:In this paper, we propose a local outlier factor (LOF) algorithm based on multi-dimensional timing characteristics for detecting abnormal source IPs of DNS. The algorithm is used to identify abnormal source IPs of the DNS traffic of a campus network. Based on the algorithm, we further introduce a multi-feature-based abnormal domain name detection method and efficiently improve the detection of DNS anomalies of the campus network.

Xi Luo,Yixin Li,Hongyuan Cheng,Lihua Yin

DOI: https://doi.org/10.3390/math12050640

IF: 2.4

2024-02-22

Mathematics

Abstract:Domain Name System (DNS) plays an infrastructure role in providing the directory service for mapping domains to IPs on the Internet. Considering the foundation and openness of DNS, it is not surprising that adversaries register massive domains to enable multiple malicious activities, such as spam, command and control (C&C), malware distribution, click fraud, etc. Therefore, detecting malicious domains is a significant topic in security research. Although a substantial quantity of research has been conducted, previous work has failed to fuse multiple relationship features to uncover the deep underlying relationships between domains, thus largely limiting their level of performance. In this paper, we proposed AGCN-Domain to detect malicious domains by combining various relations. The core concept behind our work is to analyze relations between domains according to their behaviors in multiple perspectives and fuse them intelligently. The AGCN-Domain model utilizes three relationships (client relation, resolution relation, and cname relation) to construct three relationship feature graphs to extract features and intelligently fuse the features extracted from the graphs through an attention mechanism. After the relationship features are extracted from the domain names, they are put into the trained classifier to be processed. Through our experiments, we have demonstrated the performance of our proposed AGCN-Domain model. With 10% initialized labels in the dataset, our AGCN-Domain model achieved an accuracy of 94.27% and the F1 score of 87.93%, significantly outperforming other methods in the comparative experiments.

mathematics

Li-feng REN,Zhao WANG,Xin LIU,Qing-shan LI,Zhong CHEN

DOI: https://doi.org/10.12783/dtcse/cst2017/12545

2017-01-01

DEStech Transactions on Computer Science and Engineering

Abstract:Malicious domain name (MDN) detection has seen greatly progress in recent years. In this paper, one covering MDN-Complete-Life-Cycle malicious domain name detection framework is proposed. The framework includes three detection models: DGAD-M (Domain Generation Algorithm Detection Model), DIPD-M (Domain IP Detection Model) and DHTD-M (Domain Host Detection Model), corresponding to the process of the malicious domain generation, malicious domain name resolution and the host requesting a domain. DGAD-M bases on the fact that the domains generated by DGA are always short of natural language features, it adopts Convolutional Neural Network. DIPD-M bases on the fact that the IP addresses of the malicious domains are more disperse and updated frequently. DHTD-M bases on the fact that the domains requested by infected hosts are frequently tend to be malicious. The results of DGAD-M and DIPD-M will be used by DHTD-M. The framework got the accuracy rate of 83.652% with the real network flow and found out 115 suspicious malicious domains.

Shaojie Chen,Bo Lang,Hongyu Liu,Duokun Li,Chuan Gao

DOI: https://doi.org/10.1016/j.cose.2020.102095

2021-05-01

Abstract:<p>DNS is a kind of basic network protocol that is rarely blocked by firewalls; therefore, it is used to build covert channels. Malicious DNS covert channels play an important role in data exfiltration and botnets and do great harm to the network environment. To detect DNS covert channels, researchers extract multiple features from different perspectives of DNS traffic. At present, many detection methods using machine learning are based on manual features, which usually include complex data preprocessing and feature extraction. Additionally, these methods seriously rely on expert knowledge, and some potential features are hard to discover. To address these problems, we propose a DNS covert channel detection method using the LSTM model, which does not rely on feature engineering. First, we use the FQDNs of DNS packets as the input and implement an end-to-end detection approach using LSTM. Then, we filter the detection results of the LSTM model with the grouped filtering method to further reduce the false positive rate. Using the packets from the Internet and the packets generated by running different DNS covert channel tools, we construct our datasets, in which generalization test datasets are included in addition to the FQDN and the DNS packet datasets for model training. Our method achieves an accuracy rate of 99.38% on the test dataset and a recall rate of 98.52% on the generalization test dataset, which are better than the state-of-the-art methods. This method is also tested in a real network environment and has detected multiple malicious DNS covert channel events.</p>

computer science, information systems

Luhui Yang,Guangjie Liu,Jinwei Wang,Huiwen Bai,Jiangtao Zhai,Yuewei Dai

DOI: https://doi.org/10.1016/j.jisa.2021.102933

IF: 4.96

2021-09-01

Journal of Information Security and Applications

Abstract:Detecting malicious domain names generated by domain generation algorithms is critical for defending the network against sophisticated attacks. In the past decade, deep-learning-based detection schemes have proven to be the most effective. However, each of these schemes requires sufficient computation time, which makes it difficult for real-time online detection. In this paper, we propose a real-time malicious domain name detection system which is called fast3DS. The proposed system contains a lightweight full-convolutional detection model, as well as a detection pipeline that contains multiple efficient schemes for high-speed data acquisition, filtering, and inference. The proposed detection model uses a parallel depthwise convolutional architecture to replace the standard convolution layer, and a lightweight global average pooling connection architecture is proposed to replace the fully connected layer, which can effectively reduce the parameters and computation time. To compensate for the decrease in accuracy due to model lightweighting, a lightweight attention mechanism is proposed to improve the accuracy of model detection. The proposed detection pipeline employs some industry-leading network traffic processing architecture and deep learning inference acceleration architecture, which can fully utilize the CPU for processing and computing. The experimental results denote that the proposed detection scheme can achieve accuracy close to the state-of-the-art with significantly fewer parameters, and the system can substantially improve the processing capability compared to the conventional detection system.

computer science, information systems

Abdallah Moubayed,MohammadNoor Injadat,Abdallah Shami,Hanan Lutfiyya

DOI: https://doi.org/10.1109/GLOCOM.2018.8647679

2020-12-26

Abstract:Domain Name System (DNS) is a crucial component of current IP-based networks as it is the standard mechanism for name to IP resolution. However, due to its lack of data integrity and origin authentication processes, it is vulnerable to a variety of attacks. One such attack is Typosquatting. Detecting this attack is particularly important as it can be a threat to corporate secrets and can be used to steal information or commit fraud. In this paper, a machine learning-based approach is proposed to tackle the typosquatting vulnerability. To that end, exploratory data analytics is first used to better understand the trends observed in eight domain name-based extracted features. Furthermore, a majority voting-based ensemble learning classifier built using five classification algorithms is proposed that can detect suspicious domains with high accuracy. Moreover, the observed trends are validated by studying the same features in an unlabeled dataset using K-means clustering algorithm and through applying the developed ensemble learning classifier. Results show that legitimate domains have a smaller domain name length and fewer unique characters. Moreover, the developed ensemble learning classifier performs better in terms of accuracy, precision, and F-score. Furthermore, it is shown that similar trends are observed when clustering is used. However, the number of domains identified as potentially suspicious is high. Hence, the ensemble learning classifier is applied with results showing that the number of domains identified as potentially suspicious is reduced by almost a factor of five while still maintaining the same trends in terms of features' statistics.

Machine Learning,Networking and Internet Architecture

Yongqian Sun,Kunlin Jian,Liyue Cui,Guifei Jiang,Shenglin Zhang,Yuzhi Zhang,Dan Pei

DOI: https://doi.org/10.1016/j.jss.2022.111322

2022-01-01

Abstract:Detecting malicious non-existent domain names (NXDomains) in a real-time manner is vitally important to the security of large-scale dependable systems. Existing detection methods are trained based on the assumption that the NXDomains, which cannot be recognized by the domain generation algorithm (DGA) archive, are benign. However, new types of malicious NXDomains are continuously generated, and the DGA archive cannot cover all of them, making the NXDomains partially labeled. Additionally, extracting all the features for distinguishing malicious and benign NXDomains is computationally inefficient and inappropriate for online detection in large-scale dependable systems. This work proposes a framework, PUFS, to train an accurate malicious NXDomain detection model according to partial labels and conduct efficient online detection for large-scale dependable systems. PUFS adopts a novel, simple, yet effective three-step strategy to combine PU learning and feature selection. We conduct extensive experiments using real-world data collected from a top-tier global online bank. PUFS achieves 99.19% of F1-Score, and improves the feature extraction efficiency by 1153%, making it suitable for online detection scenarios.

Nishant Shandilya -,Siddham Singh Rao -,V. Phanindra Varma -,Dr. V. Nivedita -

DOI: https://doi.org/10.36948/ijfmr.2024.v06i03.19649

2024-05-17

International Journal For Multidisciplinary Research

Abstract:Since the lack of sufficient security mechanisms, domain system (DNS) has become the main operational infrastructure for cyber intruders to launch cyber-attacks. Therefore, how to discover and block the potential malicious domains and its corresponding IP addresses fast and accurately has become a hot research area as it is one of the most important method in preventing unknown cyber-attacks. In this paper, we proposed an approach to detect malicious domains by analyzing massive mobile web traffic data. We used multiple features to classify, including the textual features and the traffic statistics features of domains and presented three typical classifiers to compare the classifying effect of each. Spark framework is leveraged to speed up the calculation of a large-scale DNS traffic. The efficiency of our system makes us believe the approach can help a lot in the field of network security. The new features are harder to be tampered with and can help determine whether a domain is malicious from a more comprehensive perspective. We evaluate MalPortrait on the passive DNS traffic collected from real-world large ISP networks.

Qasem Abu Al-Haija,Manar Alohaly,Ammar Odeh

DOI: https://doi.org/10.3390/s23073489

2023-03-27

Abstract:The Domain Name System (DNS) protocol essentially translates domain names to IP addresses, enabling browsers to load and utilize Internet resources. Despite its major role, DNS is vulnerable to various security loopholes that attackers have continually abused. Therefore, delivering secure DNS traffic has become challenging since attackers use advanced and fast malicious information-stealing approaches. To overcome DNS vulnerabilities, the DNS over HTTPS (DoH) protocol was introduced to improve the security of the DNS protocol by encrypting the DNS traffic and communicating it over a covert network channel. This paper proposes a lightweight, double-stage scheme to identify malicious DoH traffic using a hybrid learning approach. The system comprises two layers. At the first layer, the traffic is examined using random fine trees (RF) and identified as DoH traffic or non-DoH traffic. At the second layer, the DoH traffic is further investigated using Adaboost trees (ADT) and identified as benign DoH or malicious DoH. Specifically, the proposed system is lightweight since it works with the least number of features (using only six out of thirty-three features) selected using principal component analysis (PCA) and minimizes the number of samples produced using a random under-sampling (RUS) approach. The experiential evaluation reported a high-performance system with a predictive accuracy of 99.4% and 100% and a predictive overhead of 0.83 µs and 2.27 µs for layer one and layer two, respectively. Hence, the reported results are superior and surpass existing models, given that our proposed model uses only 18% of the feature set and 17% of the sample set, distributed in balanced classes.