Defending Internet of Things Against Malicious Domain Names using D-FENS

Jeffrey Spaulding, Aziz Mohaisen
Published in: 2018 IEEE/ACM Symposium on Edge Computing (SEC), 2018-10-01
DOI: 10.1109/SEC.2018.00051 (https://doi.org/10.1109/SEC.2018.00051)
Citations: 7

Abstract

Malicious domain names have long been pervasive in the global DNS (Domain Name System) infrastructure and lend themselves to undesirable activities such as phishing or even DNS-based attacks like distributed denial-of-service (DDoS) and DNS rebinding. With the rise and explosive growth of the Internet of Things (IoT), adversaries are exploiting these devices which typically lack security measures to launch DNS-based attacks through malicious domain names. Typical countermeasures against such malicious domain names employ blacklists and whitelists to determine which domain names should be resolved. While these domain lists offer fast lookup times, they require carefully curated and up-to-date information which tends to fall short of detecting newly-registered malicious domain names. In this work, we present a system called D-FENS (DNS Filtering & Extraction Network System) which works in tandem with blacklists and features a live DNS server and binary classifier to accurately predict unreported malicious domain names. The D-FENS classifier model operates at the character-level and leverages the use of deep learning architectures such as Convolutional Neural Networks (CNN) and Long Short-Term Memory networks (LSTM) for real-time classification which forgoes the need for feature-engineering typically associated with traditional machine learning approaches. Sourcing from free and open datasets, we evaluate our system and achieve a 0.95 area under the receiver operating characteristic curve for binary classification. By accurately predicting unreported malicious domain names in real-time, D-FENS prevents Internet-connected systems from unknowingly connecting to potentially malicious domain names.