Detecting Malicious Domains Using Co-Occurrence Relation Between DNS Query

Peng Chengwei; Yun Xiaochun; Zhang Yongzheng; Li Shuhao

doi:10.7544/issn1000-1239.2019.20180481

Journal of Computer Research and Development > 2019 > 56(6): 1263-1274. > DOI: 10.7544/issn1000-1239.2019.20180481 CSTR: 32373.14.issn1000-1239.2019.20180481

Peng Chengwei, Yun Xiaochun, Zhang Yongzheng, Li Shuhao. Detecting Malicious Domains Using Co-Occurrence Relation Between DNS Query[J]. Journal of Computer Research and Development, 2019, 56(6): 1263-1274. DOI: 10.7544/issn1000-1239.2019.20180481

Citation:

PDF (1473 KB)

Detecting Malicious Domains Using Co-Occurrence Relation Between DNS Query

¹(Institute of Computing Technology, Chinese Academy of Sciences, Beijing 100190)
²(University of Chinese Academy of Sciences, Beijing 100049)
³(Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093)

Funds: This work was supported by the National Key Research and Development Program of China (2016YFB0801502) and the National Natural Science Foundation of China (U1736218).

More Information

Published Date: May 31, 2019

Graphical Abstract

Abstract

Abstract

Malicious domains play a vital role in illicit online activities. Effectively detecting the malicious domains can significantly decrease the damage of evil attacks. In this paper, we propose CoDetector, a novel technique to detect malicious domains based on the co-occurrence relationships of domains in DNS (domain name system) queries. We observe that DNS queries are not isolated, whereas co-occur with each other. We base it design on the intuition that domains that tend to co-occur in DNS traffic are strongly associated and are likely to be in the same property (i.e., malicious or benign). Therefore, we first perform coarse-grained clustering of DNS traffic based on the chronological order of DNS queries. The domains co-occurring with each other will be clustered. Then, we design a mapping function that automatically projects every domain into a low-dimensional feature vector while maintaining their co-occurrence relationships. Domains that co-occur with each others are mapped to similar vectors while domains that not co-occur are mapped to distant vectors. Finally, based on the learned feature representations, we train a classifier over a labeled dataset and further apply it to detect unknown malicious domains. We evaluate CoDetector using real-world DNS traffic collected from an enterprise network over two months. The experimental results show that CoDetector can effectively detect malicious domains (91.64% precision and 96.04% recall).
- DNS queries,
- co-occurrence,
- malicious domains,
- DNS cut,
- tensor representation,
- domain classification

FullText(HTML)

References (0)

[1]	Wang Yuwei, Liu Min, Ma Cheng, Li Pengfei. High Performance Load Balancing Mechanism for Network Function Virtualization[J]. Journal of Computer Research and Development, 2018, 55(4): 689-703. DOI: 10.7544/issn1000-1239.2018.20170923
[2]	Chen Qi, Chen Zuoning, Jiang Jinhu. MDDS: A Method to Improve the Metadata Performance of Parallel File System for HPC[J]. Journal of Computer Research and Development, 2014, 51(8): 1663-1670. DOI: 10.7544/issn1000-1239.2014.20121094
[3]	Wang Peng, Huang Yan, Li Kun, Guo Youming. Load Balancing Degree First Algorithm on Phase Space for Cloud Computing Cluster[J]. Journal of Computer Research and Development, 2014, 51(5): 1095-1107.
[4]	Shen Zhijun, Zeng Huashen. A Load Balanced Switch Architecture Based on Implicit Flow Splitter[J]. Journal of Computer Research and Development, 2012, 49(6): 1220-1227.
[5]	Liu Xinhua, Li Fangmin, Kuang Hailan, Fang Yilin. An Distributed and Directed Clustering Algorithm Based on Load Balance for Wireless Sensor Network[J]. Journal of Computer Research and Development, 2009, 46(12): 2044-2052.
[6]	Liu Ying, Wang Qirong, Sun Ninghui. Study of Loading Strategy in Shared-Nothing Event Stream Parallel Database Systems[J]. Journal of Computer Research and Development, 2009, 46(1): 159-166.
[7]	Wang Xianghui, Zhang Guoyin, and Xie Xiaoqin. A Load Balance Clustering Algorithm for Multilevel Energy Heterogeneous Wireless Sensor Networks[J]. Journal of Computer Research and Development, 2008, 45(3): 392-399.
[8]	Li Zhenyu, Xie Gaogang. A Load Balancing Algorithm for DHT-Based P2P Systems[J]. Journal of Computer Research and Development, 2006, 43(9): 1579-1585.
[9]	Tian Junfeng, Liu Yuling, and Du Ruizhong. Research of a Load Balancing Model Based on Mobile Agent[J]. Journal of Computer Research and Development, 2006, 43(9): 1571-1578.
[10]	Zhang Xiangquan, Guo Wei. A Bidirectional Path Re-Selection Based Load-Balanced Routing Protocol for Ad-Hoc Networks[J]. Journal of Computer Research and Development, 2006, 43(2): 218-223.