DOI: 10.1007/978-3-030-01950-1_40
Article

MalHunter: Performing a Timely Detection on Malicious Domains via a Single DNS Query

Published: 29 October 2018

Abstract

Domain names have been abused for illicit online activities for decades, and a wealth of effort has been devoted to detecting malicious domains. However, prior work primarily relies on suspicious DNS behaviors (e.g., lookup patterns, resolution graphs) to distinguish legitimate domains from malicious ones. Such behaviors can only be observed after malicious activity is already underway, so detection is delayed and often comes too late to prevent miscreants from reaping the benefits of their attacks. In this paper, we propose MalHunter, a timely detection technique that determines a domain’s reputation from only a single DNS query. It builds on the insight that miscreants need to host malicious domains on IPs that they control, so different malicious domains are commonly hosted on the same IPs, creating intrinsic associations among them. To capture these inherent associations, we employ a method based on a deep neural network architecture, which makes it possible to detect malicious domains from only a single DNS query. We evaluate MalHunter using real-world DNS traffic collected from three large ISP networks in China over two months. Compared to previous approaches, our method significantly reduces the detection delay from days or weeks to approximately ten microseconds while maintaining comparably high detection accuracy.



Published In

Information and Communications Security: 20th International Conference, ICICS 2018, Lille, France, October 29-31, 2018, Proceedings
Oct 2018
775 pages
ISBN: 978-3-030-01949-5
DOI: 10.1007/978-3-030-01950-1

Publisher

Springer-Verlag

Berlin, Heidelberg

Author Tags

  1. Domain reputation
  2. Timely detection
  3. Single DNS query
  4. Neural network
  5. Malicious domain

Qualifiers

  • Article
