{"title":"Adopting Machine Learning to Support the Detection of Malicious Domain Names","authors":"Fernanda Magalhães, J. Magalhães","doi":"10.1109/IOTSMS52051.2020.9340159","DOIUrl":null,"url":null,"abstract":"Nowadays there are many Domain Name System (DNS) firewall solutions to prevent users to access malicious domains. These can provide real time protection and block illegitimate communications. Most of these solutions are based on known malicious domain names lists (blocklists) that are being constantly updated. However, this way, it is only possible to block malicious communications for known malicious domains, leaving out many others that are malicious but have not yet been updated in the blocklists. In this paper we present a study on the usefulness of adopting machine learning to detect malicious domain names. From a large set of domain names classified in-advance as malicious or benign an enriched dataset with multiple features was created and analyzed. The exploratory analysis and the data preparation tasks were carried out and the results achieved by different machine learning classification algorithms. Depending on the classification algorithm, the accuracy results varied between 75% and 92% and the classification time ranged between 2.77 seconds and 5320 seconds. 
These results are interesting in that they make it possible to classify a new domain as malicious or not in a short time and with good hit rate.","PeriodicalId":147136,"journal":{"name":"2020 7th International Conference on Internet of Things: Systems, Management and Security (IOTSMS)","volume":"1 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2020-12-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2020 7th International Conference on Internet of Things: Systems, Management and Security (IOTSMS)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/IOTSMS52051.2020.9340159","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citations: 2
Abstract
Nowadays there are many Domain Name System (DNS) firewall solutions that prevent users from accessing malicious domains. These can provide real-time protection and block illegitimate communications. Most of these solutions are based on lists of known malicious domain names (blocklists) that are constantly updated. However, this approach can only block communications with known malicious domains, leaving out many others that are malicious but have not yet been added to the blocklists. In this paper we present a study on the usefulness of adopting machine learning to detect malicious domain names. From a large set of domain names classified in advance as malicious or benign, an enriched dataset with multiple features was created and analyzed. Exploratory analysis and data preparation tasks were carried out, and the results achieved by different machine learning classification algorithms are reported. Depending on the classification algorithm, the accuracy results varied between 75% and 92% and the classification time ranged between 2.77 seconds and 5320 seconds. These results are interesting in that they make it possible to classify a new domain as malicious or not in a short time and with a good hit rate.