Malware detection using DNS records and domain name features

As billions of people depend on Internet applications for day-to-day tasks, the prevalence of malware and online attacks causes huge losses to the global Internet economy. The Domain Name System (DNS) is one of the core components of the Internet: it lets users type in website names and resolves them to Internet addresses. Several studies have proposed using DNS for malware detection, because a DNS lookup is the first step before visiting a website. Unfortunately, the majority have focused on malicious URL blacklisting, botnets, top-level domains, DNS servers and resolvers. This paper proposes a system that detects malicious domain names using eight unique features, identifying malicious websites before they are visited. We implemented our malicious domain name detection approach in Python and evaluated it on five weeks of real-world data using Weka. The experimental results report 77.5%, with a low false positive rate of 22.4%. This is promising considering that the approach classifies a website from features computed on the URL alone, without downloading any file.
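The abstract describes computing features from a domain name alone and feeding them to Weka, but does not list the eight features. The following is an added example, not the paper's code, showing what such a pipeline looks like: a handful of assumed lexical features (length, label count, digit ratio, hyphen count, character entropy, longest consonant run, TLD) extracted from constructed sample domains and written out as a Weka ARFF file. The feature set and the sample domains and labels are assumptions for illustration, not the paper's.

```python
import math
from collections import Counter

# Constructed sample domains and labels for illustration; not from the paper's dataset.
SAMPLE_DOMAINS = [
    ("example.com", "benign"),
    ("mail.google.com", "benign"),
    ("x7k9q2m4v1z8.biz", "malicious"),
    ("secure-login-update-account.info", "malicious"),
]

# Assumed feature set (not the paper's eight features); order also defines the ARFF columns.
NUMERIC_FEATURES = [
    "length", "label_count", "sld_length", "digit_ratio",
    "hyphen_count", "entropy", "longest_consonant_run",
]


def shannon_entropy(s: str) -> float:
    """Character-level Shannon entropy in bits; algorithmically generated names score high."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def longest_consonant_run(s: str) -> int:
    """Longest run of consecutive consonants; pronounceable names tend to keep this small."""
    vowels = set("aeiou")
    best = cur = 0
    for ch in s:
        if ch.isalpha() and ch not in vowels:
            cur += 1
            best = max(best, cur)
        else:
            cur = 0
    return best


def extract_features(domain: str) -> dict:
    """Lexical features computed from the domain string only: no DNS query, no download."""
    d = domain.strip().lower().rstrip(".")
    labels = d.split(".")
    tld = labels[-1] if len(labels) > 1 else ""
    # Naive second-level label: the label just before the TLD (ignores public-suffix lists).
    sld = labels[-2] if len(labels) > 1 else labels[0]
    body = "".join(labels[:-1]) if len(labels) > 1 else d
    return {
        "length": len(d),
        "label_count": len(labels),
        "sld_length": len(sld),
        "digit_ratio": sum(ch.isdigit() for ch in body) / max(len(body), 1),
        "hyphen_count": d.count("-"),
        "entropy": round(shannon_entropy(sld), 3),
        "longest_consonant_run": longest_consonant_run(sld),
        "tld": tld,
    }


def to_arff(samples, relation: str = "domain_features") -> str:
    """Serialize (domain, label) pairs as a Weka ARFF document with a nominal class attribute."""
    lines = [f"@relation {relation}", ""]
    for name in NUMERIC_FEATURES:
        lines.append(f"@attribute {name} numeric")
    lines.append("@attribute tld string")
    lines.append("@attribute class {benign,malicious}")
    lines += ["", "@data"]
    for domain, label in samples:
        f = extract_features(domain)
        row = [str(f[name]) for name in NUMERIC_FEATURES] + [f["tld"], label]
        lines.append(",".join(row))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Print the ARFF that a Weka classifier (e.g. J48 or Random Forest) could be trained on.
    print(to_arff(SAMPLE_DOMAINS))
```

The ARFF output can be loaded directly into the Weka Explorer; in practice one would replace the naive second-level label split with a public-suffix list and add the DNS-record features the paper's title refers to.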
