Abstract

The Internet has many vulnerabilities that cyber criminals exploit to send spam, commit financial fraud, perform phishing, run command & control, disseminate malware and carry out other malicious activities. These exploits are often carried out through malicious domain names, which are a vital part of an Internet resource URL. A few vulnerabilities in the Internet setup and its related administrative policies allow such malicious domain names to be registered with the DNS servers. Though blacklisting is the simplest and quickest way to identify such malicious domains, the technique cannot keep up with the speed at which domain names are generated and registered, and hence we look for other effective means of identifying malicious domains. Researchers have been using features from DNS data and features from lexical analysis of domain names, but there is a need to identify more related features and to introduce machine learning to meet the challenges posed by IP flux and domain flux. In this paper, we introduce the use of web-based features of domain names, in addition to blacklists, DNS data and lexical features, to identify malicious domains. Using the features extracted from the domain names, we build a classifier model with the logistic regression classification algorithm and use that classifier to distinguish benign from malicious domains. Our experiment is based on active DNS analysis, and we look forward to extending this work to passive DNS analysis.
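The lexical part of this approach can be sketched as follows. This is an added example, not the paper's code: the three features (label length, digit ratio, character entropy), the function names and the training domains are assumptions constructed for illustration, and the blacklist, DNS and web-based features the paper also uses are left out because they need live lookups.

```python
import math
from collections import Counter

def lexical_features(domain):
    """Assumed lexical features of the label left of the TLD (simplified:
    multi-part suffixes such as co.uk are not handled)."""
    parts = domain.lower().rstrip(".").split(".")
    label = parts[-2] if len(parts) > 1 else parts[0]
    n = len(label) or 1
    digits = sum(ch.isdigit() for ch in label)
    entropy = -sum(c / n * math.log2(c / n) for c in Counter(label).values())
    # Scale each feature to roughly [0, 1] so gradient descent behaves well.
    return [len(label) / 20, digits / n, entropy / 4]

def sigmoid(z):
    # Numerically stable logistic function.
    return 1 / (1 + math.exp(-z)) if z >= 0 else math.exp(z) / (1 + math.exp(z))

def train(samples, epochs=3000, lr=1.0):
    """Fit logistic regression by full-batch gradient descent."""
    X = [lexical_features(d) for d, _ in samples]
    y = [label for _, label in samples]
    w, b = [0.0] * 3, 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * 3, 0.0
        for xi, yi in zip(X, y):
            err = sigmoid(sum(wj * xj for wj, xj in zip(w, xi)) + b) - yi
            gw = [g + err * xj for g, xj in zip(gw, xi)]
            gb += err
        w = [wj - lr * g / len(X) for wj, g in zip(w, gw)]
        b -= lr * gb / len(X)
    return w, b

# Constructed training set: 0 = benign, 1 = algorithmically generated look-alike.
TRAINING = [
    ("google.com", 0), ("wikipedia.org", 0), ("github.com", 0),
    ("example.net", 0), ("mozilla.org", 0),
    ("xk3j9q2vb7zt1m.com", 1), ("q8w7e6r5t4y3u2.net", 1),
    ("a1b2c3d4e5f6g7h8.info", 1), ("zxq9v8b7n6m5k4j3.biz", 1),
    ("p0o9i8u7y6t5r4e3.org", 1),
]
MODEL = train(TRAINING)

def score(domain, model=MODEL):
    """Return the estimated probability that a domain is malicious."""
    w, b = model
    return sigmoid(sum(wj * xj for wj, xj in zip(w, lexical_features(domain))) + b)

if __name__ == "__main__":
    for d in ("amazon.com", "h7g6f5d4s3a2q1.com"):  # constructed held-out samples
        print(f"{d}: {score(d):.3f}")
```

A model trained on ten constructed names only shows the mechanics; lexical features alone misjudge legitimate domains that contain digits or random-looking labels.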
