{"title":"MalPortrait: Sketch Malicious Domain Portraits Based on Passive DNS Data","authors":"Zhizhou Liang, Tianning Zang, Yuwei Zeng","doi":"10.1109/WCNC45663.2020.9120488","DOIUrl":null,"url":null,"abstract":"Malicious domain detection is of great significance for cybersecurity. Most prior works detect malicious domains based on individual features, which are only related to the attributes of domains themselves and can be easily changed to avoid detection. To solve the problem, we propose a novel system called MalPortrait, which combines individual features and association information of domains to detect malicious domains. In MalPortrait, we show the association information among domains by a domain association graph where vertices represent domains and edges connect domains resolved to the same IP. Based on the graph, we combine individual features (e.g., string-based, network-based) of each domain and its association information to generate new features. Compared with individual features, the new features are harder to be tampered with and can help determine whether a domain is malicious from a more comprehensive perspective. We evaluate MalPortrait on the passive DNS traffic collected from real-world large ISP networks. Our experimental results show that MalPortrait can accurately identify malicious domain names with a precision of 96.8% and a recall of 95.5%. 
Compared with prior works, MalPortrait performs better and hardly relies on additional knowledge (e.g., IP reputation, Domain whois).","PeriodicalId":415064,"journal":{"name":"2020 IEEE Wireless Communications and Networking Conference (WCNC)","volume":"116 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2020-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"7","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2020 IEEE Wireless Communications and Networking Conference (WCNC)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/WCNC45663.2020.9120488","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 7
Abstract
Malicious domain detection is of great significance for cybersecurity. Most prior works detect malicious domains based on individual features, which relate only to the attributes of the domains themselves and can easily be changed to avoid detection. To solve this problem, we propose a novel system called MalPortrait, which combines individual features and association information of domains to detect malicious domains. In MalPortrait, we represent the association information among domains with a domain association graph in which vertices represent domains and edges connect domains that resolve to the same IP. Based on the graph, we combine the individual features (e.g., string-based, network-based) of each domain with its association information to generate new features. Compared with individual features, the new features are harder to tamper with and help determine whether a domain is malicious from a more comprehensive perspective. We evaluate MalPortrait on passive DNS traffic collected from real-world large ISP networks. Our experimental results show that MalPortrait can accurately identify malicious domain names with a precision of 96.8% and a recall of 95.5%. Compared with prior works, MalPortrait performs better and hardly relies on additional knowledge (e.g., IP reputation, domain WHOIS).