ANCS: Automatic NXDomain Classification System Based on Incremental Fuzzy Rough Sets Machine Learning

Abstract

Botmasters generate a large number of malicious algorithmically generated domains (mAGDs) through domain generation algorithms (DGAs) to infect a large number of hosts on a network, which creates inconvenience in people's network lives. The workload of detecting mAGDs by collecting the responses of the domain name system (DNS) is considerable. In this article, we propose a system named the automatic NXDomain classification system (ANCS) that can automatically identify and classify the nonexistent domain (NXD) as benign or malicious by studying the features extracted from benign NXDs (bNXDs) and mAGDs. The ANCS uses online, incremental, and fuzzy rough sets machine learning to improve the time, memory, false positive rate, false negative rate, and accuracy of the detection process. First, an online and incremental algorithm can reduce the training time. Second, the addition of fuzzy rough sets can dynamically adjust the degree of the membership function, optimizing the weight distribution of each feature, and further, improving the classification accuracy. The experimental evaluation shows that the ANCS can reach a very high classification accuracy at a low false positive rate and a low false negative rate, which has good practicability. Moreover, both time and memory are well guaranteed, and the ANCS also has good generalization performance, making up for sensitive points of noisy samples and the lack of nonincremental machine learning.