Paper Info
Title
A Domain is only as Good as its Buddies: Detecting Stealthy Malicious Domains via Graph Inference.
Abstract
Inference based techniques are one of the major approaches to analyze DNS data and detect malicious domains. The key idea of inference techniques is to first define associations between domains based on features extracted from DNS data. Then, an inference algorithm is deployed to infer potential malicious domains based on their direct/indirect associations with known malicious ones. The way associations are defined is key to the effectiveness of an inference technique. It is desirable to be both accurate (i.e., avoid falsely associating domains with no meaningful connections) and with good coverage (i.e., identify all associations between domains with meaningful connections). Due to the limited scope of information provided by DNS data, it becomes a challenge to design an association scheme that achieves both high accuracy and good coverage. In this paper, we propose a new approach to identify domains controlled by the same entity. Our key idea is an in-depth analysis of active DNS data to accurately separate public IPs from dedicated ones, which enables us to build high-quality associations between domains. Our scheme avoids the pitfall of naive approaches that rely on weak "co-IP" relationship of domains (i.e., two domains are resolved to the same IP) that results in low detection accuracy, and, meanwhile, identifies many meaningful connections between domains that are discarded by existing state-of-the-art approaches. Our experimental results show that the proposed approach not only significantly improves the domain coverage compared to existing approaches but also achieves better detection accuracy. Existing path-based inference algorithms are specifically designed for DNS data analysis. They are effective but computationally expensive. To further demonstrate the strength of our domain association scheme as well as improve the inference efficiency, we construct a new domain-IP graph that can work well with the generic belief propagation algorithm. Through comprehensive experiments, we show that this approach offers significant efficiency and scalability improvement with only a minor impact to detection accuracy, which suggests that such a combination could offer a good tradeoff for malicious domain detection in practice.
Year
DOI
Venue
2018
10.1145/3176258.3176329
CODASPY
Keywords
Field
DocType
Malicious Domains, Graph Inference, DNS Data, Domain Association, Belief Propagation
Data mining,Graph,Association scheme,Computer security,Inference,Computer science,Scalability,Belief propagation
Conference
ISBN
Citations 
PageRank 
978-1-4503-5632-9
2
0.37
References 
Authors
20
4
Name
Order
Citations
PageRank
Issa Khalil156538.01
Bei Guan2150.98
Mohamed Nabeel317110.98
Ting Yu4755.33