Detecting Malicious Domains Using Co-Occurrence Relation Between DNS Query

Peng Chengwei; Yun Xiaochun; Zhang Yongzheng; Li Shuhao

doi:10.7544/issn1000-1239.2019.20180481

Journal of Computer Research and Development > 2019 > 56(6): 1263-1274. > DOI: 10.7544/issn1000-1239.2019.20180481 CSTR: 32373.14.issn1000-1239.2019.20180481

Peng Chengwei, Yun Xiaochun, Zhang Yongzheng, Li Shuhao. Detecting Malicious Domains Using Co-Occurrence Relation Between DNS Query[J]. Journal of Computer Research and Development, 2019, 56(6): 1263-1274. DOI: 10.7544/issn1000-1239.2019.20180481

Citation:

PDF (1473 KB)

Detecting Malicious Domains Using Co-Occurrence Relation Between DNS Query

¹(Institute of Computing Technology, Chinese Academy of Sciences, Beijing 100190)
²(University of Chinese Academy of Sciences, Beijing 100049)
³(Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093)

Funds: This work was supported by the National Key Research and Development Program of China (2016YFB0801502) and the National Natural Science Foundation of China (U1736218).

More Information

Published Date: May 31, 2019

Graphical Abstract

Abstract

Abstract

Malicious domains play a vital role in illicit online activities. Effectively detecting the malicious domains can significantly decrease the damage of evil attacks. In this paper, we propose CoDetector, a novel technique to detect malicious domains based on the co-occurrence relationships of domains in DNS (domain name system) queries. We observe that DNS queries are not isolated, whereas co-occur with each other. We base it design on the intuition that domains that tend to co-occur in DNS traffic are strongly associated and are likely to be in the same property (i.e., malicious or benign). Therefore, we first perform coarse-grained clustering of DNS traffic based on the chronological order of DNS queries. The domains co-occurring with each other will be clustered. Then, we design a mapping function that automatically projects every domain into a low-dimensional feature vector while maintaining their co-occurrence relationships. Domains that co-occur with each others are mapped to similar vectors while domains that not co-occur are mapped to distant vectors. Finally, based on the learned feature representations, we train a classifier over a labeled dataset and further apply it to detect unknown malicious domains. We evaluate CoDetector using real-world DNS traffic collected from an enterprise network over two months. The experimental results show that CoDetector can effectively detect malicious domains (91.64% precision and 96.04% recall).
- DNS queries,
- co-occurrence,
- malicious domains,
- DNS cut,
- tensor representation,
- domain classification

FullText(HTML)

References (0)

[1]	Feng Yuhong, Wu Kunhan, Huang Zhihong, Feng Yangzhou, Chen Huanhuan, Bai Jiancong, Ming Zhong. A Set Similarity Self-Join Algorithm with FP-tree and MapReduce[J]. Journal of Computer Research and Development, 2023, 60(12): 2890-2906. DOI: 10.7544/issn1000-1239.202111239
[2]	Xu Yini, Ouyang Dantong, Liu Meng, Zhang Liming, Zhang Yonggang. Algorithm of Computing Minimal Conflict Sets Based on the Structural Feature of Fault Output[J]. Journal of Computer Research and Development, 2018, 55(11): 2386-2394. DOI: 10.7544/issn1000-1239.2018.20170381
[3]	Wang Rongquan, Ouyang Dantong, Wang Yiyuan, Liu Siguang, Zhang Liming. Solving Minimal Hitting Sets Method with SAT Based on DOEC Minimization[J]. Journal of Computer Research and Development, 2018, 55(6): 1273-1281. DOI: 10.7544/issn1000-1239.2018.20160809
[4]	Ouyang Dantong, Zhi Huayun, Liu Bowen, Zhang Liming, Zhang Yonggang. A Method of Computing Minimal Diagnoses Based on Pseudo-Failure-Degree to Create New Enumeration Tree[J]. Journal of Computer Research and Development, 2018, 55(4): 782-790. DOI: 10.7544/issn1000-1239.2018.20170016
[5]	Liu Siguang, Ouyang Dantong, Wang Yiyuan, Jia Fengyu, Zhang Liming. Algorithm of Computing Minimal Hitting Set Based on the Structural Feature of SE-Tree[J]. Journal of Computer Research and Development, 2016, 53(11): 2556-2566. DOI: 10.7544/issn1000-1239.2016.20150396
[6]	Ouyang Dantong, Jia Fengyu, Liu Siguang, Zhang Liming. An Algorithm Based on Extension Rule For Solving #SAT Using Complementary Degree[J]. Journal of Computer Research and Development, 2016, 53(7): 1596-1604. DOI: 10.7544/issn1000-1239.2016.20150032
[7]	Li Shaohua, Feng Qilong, Wang Jianxin, and Chen Jianer. Kernelization for Weighted 3-Set Packing Problem[J]. Journal of Computer Research and Development, 2012, 49(8): 17811-786.
[8]	Hong Yi, Wang Zhaoqi, Zhu Dengming, Qiu Xianjie. Generation of Fire Animation Based on Level-Set[J]. Journal of Computer Research and Development, 2010, 47(11): 1849-1856.
[9]	Ren Jinping and Lü Shuwang. Enumerations and Counting of Orthomorphic Permutations[J]. Journal of Computer Research and Development, 2006, 43(6): 1071-1075.
[10]	Yang Jinji, Su Kaile. Improvement of Local Research in SAT Problem[J]. Journal of Computer Research and Development, 2005, 42(1): 60-65.