Abstract
Malicious domains are one of the major resources required for adversaries to run attacks over the Internet. Due to the important role of the Domain Name System (DNS), extensive research has been conducted to identify malicious domains based on their unique behavior reflected in different phases of the life cycle of DNS queries and responses. Existing approaches differ significantly in terms of intuitions, data analysis methods as well as evaluation methodologies. This warrants a thorough systematization of the approaches and a careful review of the advantages and limitations of every group.
In this article, we perform such an analysis. To achieve this goal, we present the necessary background knowledge on DNS and malicious activities leveraging DNS. We describe a general framework of malicious domain detection techniques using DNS data. Applying this framework, we categorize existing approaches using several orthogonal viewpoints, namely (1) sources of DNS data and their enrichment, (2) data analysis methods, and (3) evaluation strategies and metrics. In each aspect, we discuss the important challenges that the research community should address in order to fully realize the power of DNS data analysis to fight against attacks leveraging malicious domains.
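As an added illustration (not code from the survey or from any system it cites), the following Python pipeline walks the three viewpoints named above on constructed passive-DNS data: a record source with ASN enrichment, a fixed threshold rule standing in for the analysis step, and precision/recall/F1 computed against a constructed blocklist and allowlist. All domains, IPs, ASNs, TTLs and thresholds are made-up sample values.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# (1) Data source: constructed passive-DNS observations (domain, answer IP, TTL).
# Real passive-DNS sensors record resolver responses; these tuples are made up.
PDNS_RECORDS: List[Tuple[str, str, int]] = [
    ("news.example.org", "198.51.100.10", 3600),
    ("news.example.org", "198.51.100.10", 3600),
    ("news.example.org", "198.51.100.11", 3600),
    ("x7k2q.example.net", "203.0.113.5", 60),
    ("x7k2q.example.net", "203.0.113.77", 60),
    ("x7k2q.example.net", "192.0.2.9", 30),
    ("x7k2q.example.net", "192.0.2.41", 30),
    ("x7k2q.example.net", "203.0.113.200", 60),
    ("cdn.example.com", "192.0.2.100", 60),
    ("cdn.example.com", "192.0.2.101", 60),
    ("cdn.example.com", "203.0.113.100", 60),
    ("cdn.example.com", "198.51.100.100", 60),
    ("a1b2c3.example.biz", "203.0.113.250", 86400),
    ("shop.example.io", "198.51.100.50", 600),
    ("shop.example.io", "198.51.100.51", 600),
]

# (1b) Enrichment: constructed IP -> ASN map standing in for a GeoIP/ASN database.
IP_TO_ASN: Dict[str, int] = {
    "198.51.100.10": 64500, "198.51.100.11": 64500,
    "203.0.113.5": 64501, "203.0.113.77": 64502, "192.0.2.9": 64503,
    "192.0.2.41": 64504, "203.0.113.200": 64505,
    "192.0.2.100": 64510, "192.0.2.101": 64510, "203.0.113.100": 64511,
    "198.51.100.100": 64512,
    "203.0.113.250": 64520,
    "198.51.100.50": 64530, "198.51.100.51": 64530,
}

# (3) Ground truth: constructed blocklist / allowlist. Domains on neither list are
# unlabeled and are left out of the evaluation, not silently counted as benign.
BLOCKLIST = {"x7k2q.example.net", "a1b2c3.example.biz"}
ALLOWLIST = {"news.example.org", "cdn.example.com"}


@dataclass
class DomainFeatures:
    distinct_ips: int
    distinct_asns: int
    mean_ttl: float
    digit_ratio: float  # share of digits in the leftmost label (lexical feature)


def extract_features(records, ip_to_asn) -> Dict[str, DomainFeatures]:
    """Aggregate per-domain features from raw records plus ASN enrichment."""
    ips = defaultdict(set)
    asns = defaultdict(set)
    ttls = defaultdict(list)
    for domain, ip, ttl in records:
        ips[domain].add(ip)
        asns[domain].add(ip_to_asn.get(ip, -1))  # unknown ASN kept as a sentinel
        ttls[domain].append(ttl)
    feats = {}
    for d in ips:
        label = d.split(".")[0]
        feats[d] = DomainFeatures(
            len(ips[d]),
            len(asns[d]),
            sum(ttls[d]) / len(ttls[d]),
            sum(c.isdigit() for c in label) / len(label),
        )
    return feats


def classify(f: DomainFeatures) -> bool:
    """(2) Analysis: a fixed threshold rule standing in for the trained classifiers
    the survey covers. Three weak indicators; flag when at least two fire."""
    indicators = [f.distinct_asns >= 3, f.mean_ttl < 300, f.digit_ratio > 0.2]
    return sum(indicators) >= 2


def evaluate(predictions, blocklist, allowlist):
    """Precision/recall/F1 over labeled domains only; unlabeled ones are skipped."""
    tp = fp = fn = tn = 0
    for d, flagged in predictions.items():
        if d in blocklist:
            tp += flagged
            fn += not flagged
        elif d in allowlist:
            fp += flagged
            tn += not flagged
        # else: unlabeled, excluded from the counts
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn,
            "precision": precision, "recall": recall, "f1": f1}


def run_pipeline():
    feats = extract_features(PDNS_RECORDS, IP_TO_ASN)
    preds = {d: classify(f) for d, f in feats.items()}
    return preds, evaluate(preds, BLOCKLIST, ALLOWLIST)


if __name__ == "__main__":
    preds, metrics = run_pipeline()
    for d, flagged in sorted(preds.items()):
        print(f"{d:22s} {'FLAGGED' if flagged else 'ok'}")
    print(metrics)
```

On this sample the CDN-like domain is flagged and the long-TTL blocklisted one is missed, so precision and recall both come out at 0.5; surfacing such cases is exactly what the evaluation step is for.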
- Steven Wright. 2012. Cybersquatting at the intersection of internet domain names and trademark law. IEEE Commun. Surveys Tutor. 14, 1 (2012), 193--205.Google ScholarCross Ref
- Sandeep Yadav, Ashwath Kumar Krishna Reddy, A. L. Narasimha Reddy, and Supranamaya Ranjan. 2010. Detecting algorithmically generated malicious domain names. In Proceedings of the ACM SIGCOMM Conference on Internet Measurement. 48--61. Google ScholarDigital Library
- Sandeep Yadav, Ashwath Kumar Krishna Reddy, A. L. Narasimha Reddy, and Supranamaya Ranjan. 2012. Detecting algorithmically generated domain-flux attacks with DNS traffic analysis. IEEE/ACM Trans. Netw. 20, 5 (2012), 1663--1677. Google ScholarDigital Library
- Sandeep Yadav and A. L. Narasimha Reddy. 2011. Winning with DNS failures: Strategies for faster botnet detection. In Proceedings of the International ICST Conference Security and Privacy in Communication Networks. 446--459.Google Scholar
- Ting-Fang Yen and Michael K. Reiter. 2008. Traffic aggregation for malware detection. In Proceedings of the International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment. 207--227. Google ScholarDigital Library
- Bin Yu, Les Smith, and Mark Threefoot. 2014. Semi-supervised time series modeling for real-time flux domain detection on passive DNS traffic. In Proceedings of the International Conference Machine Learning and Data Mining in Pattern Recognition. 258--271.Google ScholarCross Ref
- Bojan Zdrnja, Nevil Brownlee, and Duane Wessels. 2007. Passive monitoring of DNS anomalies. In Proceedings of the International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment. 129--139. Google ScholarDigital Library
- Jialong Zhang, Sabyasachi Saha, Guofei Gu, Sung-Ju Lee, and Marco Mellia. 2015. Systematic mining of associated server herds for malware campaign discovery. In Proceedings of the IEEE International Conference on Distributed Computing Systems. 630--641.Google ScholarCross Ref
- F. Zhao, Y. Hori, and K. Sakurai. 2007. Analysis of privacy disclosure in DNS query. In Proceedings of the International Conference on Multimedia and Ubiquitous Engineering. 952--957. Google ScholarDigital Library
- Xiaojin Zhu. 2005. Semi-Supervised Learning Literature Survey. Technical Report 1530. Computer Science, University of Wisconsin-Madison.Google Scholar
- Futai Zou, Siyu Zhang, Weixiong Rao, and Ping Yi. 2015. Detecting malware based on DNS graph mining. Int. J. Distrib. Sensor Netw. 2015 (2015). Google ScholarDigital Library
- Hiba Zuhair, Ali Selamat, and Mazleena Salleh. 2016. Feature selection for phishing detection: A review of research. Int. J. Intell. Syst. Technol. Appl. 15, 2 (May 2016), 147--162. Google ScholarDigital Library