MalHunter: Performing a Timely Detection on Malicious Domains via a Single DNS Query

Domain names have been abused for illicit online activities for decades, and a wealth of effort has been devoted to detecting malicious domains. However, prior work primarily identifies suspicious DNS behaviors (e.g., lookup patterns, resolution graphs) to distinguish legitimate domains from malicious ones. Such behaviors can only be observed once malicious activity is already underway, so detection is delayed and often comes too late to prevent miscreants from reaping the benefits of their attacks. In this paper, we propose MalHunter, a timely detection technique that determines a domain's reputation from a single DNS query. It is based on the insight that miscreants must host malicious domains on IPs they control, so different malicious domains are commonly hosted on the same IPs, creating intrinsic associations between them. To capture these inherent associations, we employ a method built on a deep neural network architecture, which makes it possible to detect malicious domains from a single DNS query. We evaluate MalHunter using real-world DNS traffic collected from three large ISP networks in China over two months. Compared to previous approaches, our method reduces the detection delay from days or weeks to approximately ten microseconds while maintaining comparably high detection accuracy.
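As an added illustration of the co-hosting insight above (this is not the paper's code, and it uses a plain co-hosting ratio rather than the paper's neural model), the following Python scores a domain from the IPs returned by a single query against a constructed, labelled resolution history:

```python
from collections import defaultdict

# Constructed sample of past resolutions (domain -> IPs it resolved to) and
# labels; these values are illustrative, not data from the paper.
KNOWN_RESOLUTIONS = {
    "bad-one.example":   {"198.51.100.10", "198.51.100.11"},
    "bad-two.example":   {"198.51.100.11", "203.0.113.5"},
    "bad-three.example": {"203.0.113.5"},
    "cdn-site.example":  {"192.0.2.1", "192.0.2.2"},
    "shop.example":      {"192.0.2.2"},
    "blog.example":      {"192.0.2.3"},
}
KNOWN_MALICIOUS = {"bad-one.example", "bad-two.example", "bad-three.example"}


def build_ip_index(resolutions):
    """Invert domain -> IPs into IP -> domains so co-hosted neighbours can be found."""
    index = defaultdict(set)
    for domain, ips in resolutions.items():
        for ip in ips:
            index[ip].add(domain)
    return index


def cohosting_score(query_ips, ip_index, malicious, exclude=None):
    """Score in [0, 1]: fraction of labelled domains co-hosted on the query's IPs
    that are malicious. Returns (None, 0) when nothing is co-hosted, so the
    caller can abstain instead of guessing."""
    neighbours = set()
    for ip in query_ips:
        neighbours |= ip_index.get(ip, set())
    neighbours.discard(exclude)  # do not count the queried domain itself
    if not neighbours:
        return None, 0
    bad = sum(1 for d in neighbours if d in malicious)
    return bad / len(neighbours), len(neighbours)


def classify(domain, query_ips, resolutions=KNOWN_RESOLUTIONS,
             malicious=KNOWN_MALICIOUS, threshold=0.5):
    """Verdict from the A records of one query: 'malicious', 'benign' or 'unknown'.
    Caveat: IPs shared by many benign tenants (CDNs, shared hosting) dilute the
    signal; a learned model such as the paper's weights such associations."""
    index = build_ip_index(resolutions)
    score, _ = cohosting_score(query_ips, index, malicious, exclude=domain)
    if score is None:
        return "unknown"
    return "malicious" if score >= threshold else "benign"
```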