
A Survey on Malicious Domains Detection through DNS Data Analysis

Published: 06 July 2018

Abstract

Malicious domains are one of the major resources adversaries need to run attacks over the Internet. Because of the central role of the Domain Name System (DNS), extensive research has been conducted to identify malicious domains based on their distinctive behavior, which shows up in different phases of the life cycle of DNS queries and responses. Existing approaches differ significantly in their underlying intuitions, their data analysis methods, and their evaluation methodologies. This warrants a thorough systematization of the approaches and a careful review of the advantages and limitations of each group.

In this article, we perform such an analysis. To achieve this goal, we present the necessary background knowledge on DNS and malicious activities leveraging DNS. We describe a general framework of malicious domain detection techniques using DNS data. Applying this framework, we categorize existing approaches using several orthogonal viewpoints, namely (1) sources of DNS data and their enrichment, (2) data analysis methods, and (3) evaluation strategies and metrics. In each aspect, we discuss the important challenges that the research community should address in order to fully realize the power of DNS data analysis to fight against attacks leveraging malicious domains.

  144. Seungwon Shin, Zhaoyan Xu, and Guofei Gu. 2012. EFFORT: Efficient and effective bot malware detection. In Proceedings of the IEEE INFOCOM. 2846--2850.Google ScholarGoogle Scholar
  145. S. Sinha, M. Bailey, and F. Jahanian. 2008. Shades of grey: On the effectiveness of reputation-based “blacklists.” In Proceedings of the International Conference on Malicious and Unwanted Software. 57--64.Google ScholarGoogle Scholar
  146. A. K. Sood and S. Zeadally. 2016. A taxonomy of domain-generation algorithms. IEEE Secur. Priv. 14, 4 (2016), 46--53. Google ScholarGoogle ScholarDigital LibraryDigital Library
  147. Nikita Spirin and Jiawei Han. 2012. Survey on web spam detection: Principles and algorithms. ACM SIGKDD Explor. Newslett. 13, 2 (2012), 50--64. Google ScholarGoogle ScholarDigital LibraryDigital Library
  148. Etienne Stalmans. 2011. A framework for DNS based detection and mitigation of malware infections on a network. In Proceedings of the Information Security South Africa Conference.Google ScholarGoogle ScholarCross RefCross Ref
  149. Matija Stevanovic, Jens Myrup Pedersen, Alessandro D’Alconzo, and Stefan Ruehrup. 2017. A method for identifying compromised clients based on DNS traffic analysis. Int. J. Info. Secur. 16, 2 (2017), 115--132. Google ScholarGoogle ScholarDigital LibraryDigital Library
  150. Matija Stevanovic, Jens Myrup Pedersen, Alessandro D’Alconzo, Stefan Ruehrup, and Andreas Berger. 2015. On the ground truth problem of malicious DNS traffic analysis. Comput. Secur. 55 (Nov. 2015), 142--158. Google ScholarGoogle ScholarDigital LibraryDigital Library
  151. Elizabeth Stinson and John C. Mitchell. 2008. Towards systematic evaluation of the evadability of bot/botnet detection methods. In Proceedings of the USENIX Workshop on Offensive Technologies. 5:1--5:9. Google ScholarGoogle ScholarDigital LibraryDigital Library
  152. Janos Szurdi, Balazs Kocso, Gabor Cseh, Jonathan Spring, Mark Felegyhazi, and Chris Kanich. 2014. The long “taile” of typosquatting domain names. In Proceedings of the USENIX Security Symposium. 191--206. Google ScholarGoogle ScholarDigital LibraryDigital Library
  153. The DNS-BH project. DNS-BH—Malware domain blocklist. Retrieved from http://www.malwaredomains.com/.Google ScholarGoogle Scholar
  154. Matthew Thomas and Aziz Mohaisen. 2014. Kindred domains: Detecting and clustering botnet domains using DNS traffic. In Proceedings of the International Conference on World Wide Web. 707--712. Google ScholarGoogle ScholarDigital LibraryDigital Library
  155. Van Tong and Giang Nguyen. 2016. A method for detecting DGA botnet based on semantic and cluster analysis. In Proceedings of the Symposium on Information and Communication Technology. 272--277. Google ScholarGoogle ScholarDigital LibraryDigital Library
  156. Verisign, Inc.2016. Internet Grows to 314 Million Domain Names in the Fourth Quarter of 2015. (April 2016). Retrieved from https://www.verisign.com/assets/press-release-DNIB-april2016.pdf.Google ScholarGoogle Scholar
  157. R. Villamarin-Salomon and J. C. Brustoloni. 2008. Identifying botnets using anomaly detection techniques applied to DNS traffic. In Proceedings of the IEEE Consumer Communications and Networking Conference. 476--481.Google ScholarGoogle Scholar
  158. Ricardo Villamarín-Salomón and José Carlos Brustoloni. 2009. Bayesian bot detection based on DNS traffic similarity. In Proceedings of the ACM Symposium on Applied Computing. 2035--2041. Google ScholarGoogle ScholarDigital LibraryDigital Library
  159. VirusTotal, Subsidiary of Google. VirusTotal—Free online virus, malware, and URL scanner. Retrieved from https://www.virustotal.com/.Google ScholarGoogle Scholar
  160. Qiong Wei and Roland L. Dunbrack, Jr. 2013. The role of balanced training and testing data sets for binary classifiers in bioinformatics. PLOS ONE 8 (07 2013), 1--12.Google ScholarGoogle Scholar
  161. Florian Weimer. 2005. Passive DNS replication. In Proceedings of the Conference on Computer Security Incident. 98.Google ScholarGoogle Scholar
  162. Gilbert Wondracek, Thorsten Holz, Christian Platzer, Engin Kirda, and Christopher Kruegel. 2010. Is the internet for porn? An insight into the online adult industry. In Proceedings of the Annual Workshop on the Economics of Information Security.Google ScholarGoogle Scholar
  163. Jonathan Woodbridge, Hyrum S. Anderson, Anjum Ahuja, and Daniel Grant. 2016. Predicting Domain Generation Algorithms with Long Short-Term Memory Networks. arXiv:arXiv:1611.00791.Google ScholarGoogle Scholar
  164. Steven Wright. 2012. Cybersquatting at the intersection of internet domain names and trademark law. IEEE Commun. Surveys Tutor. 14, 1 (2012), 193--205.Google ScholarGoogle ScholarCross RefCross Ref
  165. Sandeep Yadav, Ashwath Kumar Krishna Reddy, A. L. Narasimha Reddy, and Supranamaya Ranjan. 2010. Detecting algorithmically generated malicious domain names. In Proceedings of the ACM SIGCOMM Conference on Internet Measurement. 48--61. Google ScholarGoogle ScholarDigital LibraryDigital Library
  166. Sandeep Yadav, Ashwath Kumar Krishna Reddy, A. L. Narasimha Reddy, and Supranamaya Ranjan. 2012. Detecting algorithmically generated domain-flux attacks with DNS traffic analysis. IEEE/ACM Trans. Netw. 20, 5 (2012), 1663--1677. Google ScholarGoogle ScholarDigital LibraryDigital Library
  167. Sandeep Yadav and A. L. Narasimha Reddy. 2011. Winning with DNS failures: Strategies for faster botnet detection. In Proceedings of the International ICST Conference Security and Privacy in Communication Networks. 446--459.Google ScholarGoogle Scholar
  168. Ting-Fang Yen and Michael K. Reiter. 2008. Traffic aggregation for malware detection. In Proceedings of the International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment. 207--227. Google ScholarGoogle ScholarDigital LibraryDigital Library
  169. Bin Yu, Les Smith, and Mark Threefoot. 2014. Semi-supervised time series modeling for real-time flux domain detection on passive DNS traffic. In Proceedings of the International Conference Machine Learning and Data Mining in Pattern Recognition. 258--271.Google ScholarGoogle ScholarCross RefCross Ref
  170. Bojan Zdrnja, Nevil Brownlee, and Duane Wessels. 2007. Passive monitoring of DNS anomalies. In Proceedings of the International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment. 129--139. Google ScholarGoogle ScholarDigital LibraryDigital Library
  171. Jialong Zhang, Sabyasachi Saha, Guofei Gu, Sung-Ju Lee, and Marco Mellia. 2015. Systematic mining of associated server herds for malware campaign discovery. In Proceedings of the IEEE International Conference on Distributed Computing Systems. 630--641.Google ScholarGoogle ScholarCross RefCross Ref
  172. F. Zhao, Y. Hori, and K. Sakurai. 2007. Analysis of privacy disclosure in DNS query. In Proceedings of the International Conference on Multimedia and Ubiquitous Engineering. 952--957. Google ScholarGoogle ScholarDigital LibraryDigital Library
  173. Xiaojin Zhu. 2005. Semi-Supervised Learning Literature Survey. Technical Report 1530. Computer Science, University of Wisconsin-Madison.Google ScholarGoogle Scholar
  174. Futai Zou, Siyu Zhang, Weixiong Rao, and Ping Yi. 2015. Detecting malware based on DNS graph mining. Int. J. Distrib. Sensor Netw. 2015 (2015). Google ScholarGoogle ScholarDigital LibraryDigital Library
  175. Hiba Zuhair, Ali Selamat, and Mazleena Salleh. 2016. Feature selection for phishing detection: A review of research. Int. J. Intell. Syst. Technol. Appl. 15, 2 (May 2016), 147--162. Google ScholarGoogle ScholarDigital LibraryDigital Library
Published in

ACM Computing Surveys, Volume 51, Issue 4, July 2019, 765 pages
ISSN: 0360-0300
EISSN: 1557-7341
DOI: 10.1145/3236632
Editor: Sartaj Sahni

            Copyright © 2018 ACM

            Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

            Publisher

            Association for Computing Machinery

            New York, NY, United States

            Publication History

            • Published: 6 July 2018
            • Revised: 1 February 2018
            • Accepted: 1 February 2018
            • Received: 1 August 2017
            Qualifiers

            • survey
            • Research
            • Refereed