Mining DNS for malicious domain registrations

6th International Conference on Collaborative Computing: Networking, Applications and Worksharing (CollaborateCom 2010) Pub Date : 2010-10-01 DOI:10.4108/ICST.COLLABORATECOM.2010.5

Yuanchen He, Zhenyu Zhong, S. Krasser, Yuchun Tang

{"title":"Mining DNS for malicious domain registrations","authors":"Yuanchen He, Zhenyu Zhong, S. Krasser, Yuchun Tang","doi":"10.4108/ICST.COLLABORATECOM.2010.5","DOIUrl":null,"url":null,"abstract":"Millions of new domains are registered every day and the many of them are malicious. It is challenging to keep track of malicious domains by only Web content analysis due to the large number of domains. One interesting pattern in legitimate domain names is that many of them consist of English words or look like meaningful English while many malicious domain names are randomly generated and do not include meaningful words. We show that it is possible to transform this intuitive observation into statistically informative features using second order Markov models. Four transition matrices are built from known legitimate domain names, known malicious domain names, English words in a dictionary, and based on a uniform distribution. The probabilities from these Markov models, as well as other features extracted from DNS data, are used to build a Random Forest classifier. The experimental results demonstrate that our system can quickly catch malicious domains with a low false positive rate.","PeriodicalId":354101,"journal":{"name":"6th International Conference on Collaborative Computing: Networking, Applications and Worksharing (CollaborateCom 2010)","volume":"32 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2010-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"33","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"6th International Conference on Collaborative Computing: Networking, Applications and Worksharing (CollaborateCom 2010)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.4108/ICST.COLLABORATECOM.2010.5","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 33

Abstract

Millions of new domains are registered every day and the many of them are malicious. It is challenging to keep track of malicious domains by only Web content analysis due to the large number of domains. One interesting pattern in legitimate domain names is that many of them consist of English words or look like meaningful English while many malicious domain names are randomly generated and do not include meaningful words. We show that it is possible to transform this intuitive observation into statistically informative features using second order Markov models. Four transition matrices are built from known legitimate domain names, known malicious domain names, English words in a dictionary, and based on a uniform distribution. The probabilities from these Markov models, as well as other features extracted from DNS data, are used to build a Random Forest classifier. The experimental results demonstrate that our system can quickly catch malicious domains with a low false positive rate.

查看原文本刊更多论文

挖掘DNS恶意域名注册

每天都有数百万个新域名注册，其中许多都是恶意域名。由于恶意域的数量众多，仅通过Web内容分析来跟踪恶意域具有一定的挑战性。合法域名中一个有趣的模式是，许多域名由英语单词组成，或者看起来像有意义的英语，而许多恶意域名是随机生成的，不包括有意义的单词。我们表明，可以使用二阶马尔可夫模型将这种直观的观察转化为统计信息特征。四个转换矩阵是根据已知的合法域名、已知的恶意域名、字典中的英语单词以及基于均匀分布构建的。这些马尔可夫模型的概率，以及从DNS数据中提取的其他特征，用于构建随机森林分类器。实验结果表明，该系统可以快速捕获恶意域，误报率低。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

6th International Conference on Collaborative Computing: Networking, Applications and Worksharing (CollaborateCom 2010)

自引率

0.00%

发文量