Abstract

Malicious activities on the Internet are among the most dangerous threats to users and organizations. Because of the flexibility and accessibility of domains, cyber criminals often utilize them to launch cyber attacks such as phishing or malware. Most traditional malicious domain detection methods rely on feature engineering to learn the patterns of malicious domains. However, these methods can be easily evaded by sophisticated evasion techniques such as Domain-flux or Fast-flux. Some recent studies utilized graph-based models to infer malicious domains and achieved better performance, yet without a fine-grained modeling of DNS scenarios. In this paper, we propose an attributed heterogeneous graph neural network model, GAMD, to detect malicious domains in a semi-supervised learning paradigm. Concretely, we utilize an attributed heterogeneous information network to model the DNS scenarios with different types of nodes, including domain, host, and resolved-IP, and different types of relations, such as request and resolution relations. We then design a fine-grained node type-aware feature transformation and edge type-aware aggregation mechanism to fuse the node attributes and structure information simultaneously and complete the inference over DNS graphs. In the experiments, we evaluate the performance of our model on large-scale real-world passive DNS data and show that the proposed method outperforms the state-of-the-art in most evaluation metrics.
