Method for Detecting a Malicious Domain by Using WHOIS and DNS Features

Damages caused by targeted attacks are a serious problem. It is not enough to prevent only the initial infections, because techniques for targeted attacks have become more sophisticated every year, especially those seeking to illegally acquire confidential information. In a targeted attack, various communications are performed between the command and control server (C&C server) and the local area network (LAN), including the terminal infected with malware. Therefore, it is possible to find the infected terminal in the LAN by monitoring the communications with the C&C server. In this study, we propose a method for identifying the C&C server by using supervised machine learning and the feature points obtained from WHOIS and the DNS of domains of C&C servers and normal domains. Moreover, we conduct an experiment that applies real data, and we verify the usefulness of our method by a cross-validation method. As a result of the experiment, we could obtain a high detection rate of about 98.5%.

[1]  Dae-il Jang,et al.  Analysis of HTTP2P botnet: case study waledac , 2009, 2009 IEEE 9th Malaysia International Conference on Communications (MICC).

[2]  Ron Kohavi,et al.  A Study of Cross-Validation and Bootstrap for Accuracy Estimation and Model Selection , 1995, IJCAI.

[3]  Meng-Han Tsai,et al.  C&C tracer: Botnet command and control behavior tracing , 2011, 2011 IEEE International Conference on Systems, Man, and Cybernetics.

[4]  Ali A. Ghorbani,et al.  Automatic discovery of botnet communities on large-scale communication networks , 2009, ASIACCS '09.

[5]  Vern Paxson,et al.  On the Potential of Proactive Domain Blacklisting , 2010, LEET.

[6]  Paolo Milani Comparetti,et al.  EvilSeed: A Guided Approach to Finding Malicious Web Pages , 2012, 2012 IEEE Symposium on Security and Privacy.

[7]  Lawrence K. Saul,et al.  Beyond blacklists: learning to detect malicious web sites from suspicious URLs , 2009, KDD.