Detecting Malicious Domains Using Co-Occurrence Relation Between DNS Query

Peng Chengwei; Yun Xiaochun; Zhang Yongzheng; Li Shuhao

doi:10.7544/issn1000-1239.2019.20180481

Journal of Computer Research and Development > 2019 > 56(6): 1263-1274. > DOI: 10.7544/issn1000-1239.2019.20180481 CSTR: 32373.14.issn1000-1239.2019.20180481

Peng Chengwei, Yun Xiaochun, Zhang Yongzheng, Li Shuhao. Detecting Malicious Domains Using Co-Occurrence Relation Between DNS Query[J]. Journal of Computer Research and Development, 2019, 56(6): 1263-1274. DOI: 10.7544/issn1000-1239.2019.20180481

Citation:

PDF (1473 KB)

Detecting Malicious Domains Using Co-Occurrence Relation Between DNS Query

¹(Institute of Computing Technology, Chinese Academy of Sciences, Beijing 100190)
²(University of Chinese Academy of Sciences, Beijing 100049)
³(Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093)

Funds: This work was supported by the National Key Research and Development Program of China (2016YFB0801502) and the National Natural Science Foundation of China (U1736218).

More Information

Published Date: May 31, 2019

Graphical Abstract

Abstract

Abstract

Malicious domains play a vital role in illicit online activities. Effectively detecting the malicious domains can significantly decrease the damage of evil attacks. In this paper, we propose CoDetector, a novel technique to detect malicious domains based on the co-occurrence relationships of domains in DNS (domain name system) queries. We observe that DNS queries are not isolated, whereas co-occur with each other. We base it design on the intuition that domains that tend to co-occur in DNS traffic are strongly associated and are likely to be in the same property (i.e., malicious or benign). Therefore, we first perform coarse-grained clustering of DNS traffic based on the chronological order of DNS queries. The domains co-occurring with each other will be clustered. Then, we design a mapping function that automatically projects every domain into a low-dimensional feature vector while maintaining their co-occurrence relationships. Domains that co-occur with each others are mapped to similar vectors while domains that not co-occur are mapped to distant vectors. Finally, based on the learned feature representations, we train a classifier over a labeled dataset and further apply it to detect unknown malicious domains. We evaluate CoDetector using real-world DNS traffic collected from an enterprise network over two months. The experimental results show that CoDetector can effectively detect malicious domains (91.64% precision and 96.04% recall).
- DNS queries,
- co-occurrence,
- malicious domains,
- DNS cut,
- tensor representation,
- domain classification

FullText(HTML)

References (0)

[1]	Qian Zhongsheng, Huang Heng, Zhu Hui, Liu Jinping. Multi-Perspective Graph Contrastive Learning Recommendation Method with Layer Attention Mechanism[J]. Journal of Computer Research and Development, 2025, 62(1): 160-178. DOI: 10.7544/issn1000-1239.202330804
[2]	Song Chuanming, Min Xin, Xie Weidong, Yin Baocai, Wang Xianghai. Elastic Motion Estimation Algorithm Using Two-Bit-Depth Pixels[J]. Journal of Computer Research and Development, 2019, 56(11): 2469-2484. DOI: 10.7544/issn1000-1239.2019.20180699
[3]	Wu Yihan, Huang Gang, Zhang Ying, Xiong Yingfei. A Model-Based Fault Tolerance Mechanism Development Approach for Cloud Computing[J]. Journal of Computer Research and Development, 2016, 53(1): 138-154. DOI: 10.7544/issn1000-1239.2016.20150608
[4]	Zhu Xia, Song Aibo, Dong Fang, Luo Junzhou. A Collaborative Filtering Recommendation Mechanism for Cloud Computing[J]. Journal of Computer Research and Development, 2014, 51(10): 2255-2269. DOI: 10.7544/issn1000-1239.2014.20130056
[5]	Lin Hui, Ma Jianfeng, Xu Li. A Secure Routing Protocol for MWNs Based on Cross-Layer Dynamic Reputation Mechanism[J]. Journal of Computer Research and Development, 2014, 51(7): 1486-1496.
[6]	Lü Xiaobo, Guo Yao, and Chen Xiangqun. A Splitting-Based Cloud Storage Mechanism for Digital Images[J]. Journal of Computer Research and Development, 2014, 51(5): 1129-1135.
[7]	Yu Leilei, Chen Dongyan, Liu Yuemei, Huang Xu. Centralized-Calculating-Based 2-Disjoint Multipath Routing Algorithm for Wireless Sensor Networks[J]. Journal of Computer Research and Development, 2013, 50(3): 517-523.
[8]	Gao Jianmin, Lu Huimei, and Cao Yuanda. Multi-Source Interactive Application Layer Multicast Routing Protocol[J]. Journal of Computer Research and Development, 2011, 48(5): 778-785.
[9]	Hu Ning, Zou Peng, and Zhu Peidong. A Cooperative Mechanism for Inter-Domain Routing Management[J]. Journal of Computer Research and Development, 2009, 46(8): 1251-1259.
[10]	Shen Qingni, Qing Sihan, and Li Liping. Design and Implementation of a Multi-Layered Privilege Control Mechanism[J]. Journal of Computer Research and Development, 2006, 43(3): 423-428.