DDOFM: Dynamic malicious domain detection method based on feature mining

Abstract

The domain name system is an essential part of the network, and target hosts are often attacked by malicious domain names to steal resources. Some traditional detection methods have low accuracy, poor generalization ability, and high resource overhead on model construction to deal with complex and variable malicious domain names. A three-level dynamic malicious domain detection method (DDOFM) is proposed in this paper. DDOFM only needs to combine a few high-order statistical features of benign domains with some DNS features, without flagging malicious samples and involving them in training. Firstly, the boundary recognition of passive DNS (PDNS) features extracted from DNS traffic is carried out to conduct an early- warning for some domains. Second, the Hidden Markov Model (HMM) forward algorithm and normal distribution probability density function are used to calculate the formation probabilities of the warned domains and their probability density values. Then the probabilities of every character in the warned domain name and the standard deviation between these probabilities are counted. Further, the probability density values and the standard deviations of these warned domain names are compared with their respective thresholds to identify the attribution of the warned domain names. Finally, if the domain name is not warned, the Jensen–Shannon divergence (JS divergence) between it and the previous domain name will be calculated. Then the local iterative threshold finding algorithm (LLTFA) proposed in this paper will be combined to determine its attribution and identify whether the host is connected to the command and control (C&C) server. Experiments show that the detection indexes of this method exceed 99% for multiple types of malicious domain names. The C&C servers can also be identified by DDOFM faster than similar methods.