DOI: 10.1145/2897845.2897877

Discovering Malicious Domains through Passive DNS Data Graph Analysis

Published: 30 May 2016

ABSTRACT

Malicious domains are key components of a variety of cyber attacks. Several recent techniques have been proposed to identify malicious domains through analysis of DNS data. The general approach is to build classifiers based on DNS-related local domain features. One potential problem is that many local features, e.g., domain name patterns and temporal patterns, tend not to be robust: attackers could easily alter them to evade detection without much affecting their attack capabilities. In this paper, we take a complementary approach. Instead of focusing on local features, we propose to discover and analyze global associations among domains. The key challenges are (1) to build meaningful associations among domains and (2) to use these associations to reason about the potential maliciousness of domains. For the first challenge, we take advantage of the modus operandi of attackers. To avoid detection, malicious domains exhibit dynamic behavior by, for example, frequently changing malicious domain-IP resolutions and creating new domains. This makes it very likely for attackers to reuse resources. It is indeed commonly observed that, over a period of time, multiple malicious domains are hosted on the same IPs and multiple IPs host the same malicious domains, which creates intrinsic associations among them. For the second challenge, we develop a graph-based inference technique over associated domains. Our approach is based on the intuition that a domain having strong associations with known malicious domains is likely to be malicious. Carefully established associations enable the discovery of a large set of new malicious domains using a very small set of previously known malicious ones. Our experiments over a public passive DNS database show that the proposed technique can achieve high true positive rates (over 95%) while maintaining low false positive rates (less than 0.5%). Further, even with a small set of known malicious domains (a couple of hundred), our technique can discover a large set of potentially malicious domains (on the scale of tens of thousands).
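As an added illustration (not the paper's code or data), the following Python builds the domain-IP association graph the abstract describes from a constructed passive DNS sample and runs a simple weighted label propagation from a small seed set of known malicious domains. The shared-hosting pruning parameter, the shared-IP edge weights and the propagation scheme are assumptions standing in for the paper's own method, which the abstract does not specify.

```python
from collections import defaultdict
from itertools import combinations

# Constructed passive DNS resolutions (domain, IP), not real data; .example names and RFC 5737 addresses are placeholders.
PDNS_RECORDS = [
    ("mal-1.example", "203.0.113.10"), ("mal-1.example", "203.0.113.11"),
    ("mal-2.example", "203.0.113.11"), ("mal-2.example", "203.0.113.12"),
    ("sus-3.example", "203.0.113.10"), ("sus-3.example", "203.0.113.12"),
    ("sus-4.example", "203.0.113.12"),
    ("good-5.example", "198.51.100.5"), ("good-6.example", "198.51.100.5"),
    # one shared-hosting address resolved by many unrelated domains
    ("mal-2.example", "192.0.2.7"), ("good-5.example", "192.0.2.7"),
    ("good-6.example", "192.0.2.7"), ("good-7.example", "192.0.2.7"),
]
KNOWN_MALICIOUS = {"mal-1.example", "mal-2.example"}  # the small seed set

def build_association_graph(records, max_domains_per_ip=3):
    """Return {domain: {neighbour: shared_ip_count}}: two domains are
    associated when they resolved to the same IP. IPs used by more than
    max_domains_per_ip domains are skipped as shared hosting / CDN
    infrastructure (an assumed heuristic, not the paper's own rule)."""
    graph = defaultdict(lambda: defaultdict(int))
    ip_to_domains = defaultdict(set)
    for domain, ip in records:
        graph[domain]  # make every domain a node, even if it ends up isolated
        ip_to_domains[ip].add(domain)
    for domains in ip_to_domains.values():
        if len(domains) > max_domains_per_ip:
            continue
        for a, b in combinations(sorted(domains), 2):
            graph[a][b] += 1
            graph[b][a] += 1
    return graph

def propagate_scores(graph, seeds, iterations=20):
    """Weighted label propagation: seeds stay at 1.0; every other domain
    takes the association-weighted mean of its neighbours' scores."""
    scores = {d: (1.0 if d in seeds else 0.0) for d in graph}
    for _ in range(iterations):
        nxt = dict(scores)
        for d, nbrs in graph.items():
            if d in seeds or not nbrs:
                continue
            nxt[d] = sum(w * scores[n] for n, w in nbrs.items()) / sum(nbrs.values())
        scores = nxt
    return scores

def discover_malicious(records, seeds, threshold=0.5, max_domains_per_ip=3):
    # Unknown domains whose propagated score reaches the threshold.
    scores = propagate_scores(build_association_graph(records, max_domains_per_ip), seeds)
    return sorted(d for d, s in scores.items() if s >= threshold and d not in seeds)
```

Calling discover_malicious with a very large max_domains_per_ip shows the failure mode the pruning guards against: the shared-hosting address links the benign domains to a seed and they all get flagged.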


Published in: ASIA CCS '16: Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, May 2016, 958 pages. ISBN: 9781450342339. DOI: 10.1145/2897845

      Copyright © 2016 ACM

      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher: Association for Computing Machinery, New York, NY, United States



Qualifiers: research-article

Acceptance rates: ASIA CCS '16 paper acceptance rate 73 of 350 submissions (21%); overall acceptance rate 418 of 2,322 submissions (18%).
