Abstract

Malicious domain names usually refer to a series of illegal activities, posing threats to people's privacy and property. Therefore, the problem of detecting malicious domain names has aroused widespread concern. In this study, a malicious domain name detection algorithm based on lexical analysis and feature quantification is proposed. To achieve efficient and accurate detection, the method includes two phases. The first phase checks an observed domain name against a blacklist of known malicious uniform resource locators (URLs). The observed domain name is classified as being definitely malicious or potentially malicious based on its edit distances to the domain names on the blacklist. The second phase further evaluates a potentially malicious domain name by its reputation value, which represents its lexical feature and is calculated based on an N-gram model. The top 100,000 normal domain names in Alexa are used to obtain a whitelist substring set using the N-gram method, in which each domain name excluding the top-level domain is segmented into substrings with lengths of 3, 4, 5, 6 and 7. The weighted values of the substrings are calculated according to their occurrence counts in the whitelist substring set. A potentially malicious domain name is segmented by the N-gram method and its reputation value is calculated based on the weighted values of its substrings. Finally, the potentially malicious domain name is determined to be malicious or normal based on its reputation value. The effectiveness of the proposed detection method has been demonstrated by experiments on publicly available data.

Highlights

  • Malicious domain names are widely used by attackers for illegal activities in Domain Name System (DNS)

  • Fig. 1 presents the architecture of the malicious domain name detection algorithm based on lexical analysis and feature quantification, which consists of two components: construction of the domain name whitelist substring set and detection of malicious domain names

  • The observed domain name is identified as malicious if its edit distance to the domain names on the blacklist is less than a threshold value; otherwise it is considered to be potentially malicious
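
The two phases described in the abstract and highlights, as an added Python sketch that is not the paper's own code: the blacklist, the whitelist, the weighting function (log of one plus the occurrence count), the use of the full domain name for the edit-distance check, and both thresholds are assumptions for illustration, since the abstract does not specify them.

```python
# Added illustration of the two-phase detection; not the paper's implementation.
from collections import Counter
from math import log

NGRAM_LENGTHS = range(3, 8)  # substring lengths 3..7, as in the paper

def edit_distance(a, b):
    """Levenshtein distance (insert/delete/substitute cost 1), row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def strip_tld(domain):
    """Drop the top-level domain (label after the last dot); assumes 'name.tld'."""
    return domain.rsplit(".", 1)[0]

def ngrams(name):
    """All substrings of length 3..7, the paper's segmentation of a domain name."""
    return [name[i:i + n] for n in NGRAM_LENGTHS for i in range(len(name) - n + 1)]

def build_weights(whitelist):
    """Whitelist substring set with one weight per substring from its occurrence count.
    The paper only says weights derive from counts; log(1 + count) is an assumption."""
    counts = Counter()
    for domain in whitelist:
        counts.update(ngrams(strip_tld(domain)))
    return {sub: log(1 + c) for sub, c in counts.items()}

def reputation(domain, weights):
    """Mean weight of the domain's substrings; substrings unseen in the whitelist add 0.
    Names shorter than 3 characters yield no substrings and score 0 (assumed)."""
    grams = ngrams(strip_tld(domain))
    return sum(weights.get(g, 0.0) for g in grams) / len(grams) if grams else 0.0

def classify(domain, blacklist, weights, edit_threshold=2, rep_threshold=0.3):
    """Phase 1: edit distance to any blacklist entry below the threshold => malicious.
    Phase 2: low lexical reputation => malicious, otherwise normal. Thresholds assumed."""
    if min((edit_distance(domain, b) for b in blacklist), default=edit_threshold) < edit_threshold:
        return "malicious"
    return "malicious" if reputation(domain, weights) < rep_threshold else "normal"

# Constructed sample data (not from the paper); .test is a reserved TLD.
WHITELIST = ["google.com", "facebook.com", "youtube.com", "amazon.com", "wikipedia.org"]
BLACKLIST = ["evil-example.test", "bad-site.test"]
WEIGHTS = build_weights(WHITELIST)
```

With these constructed lists, a one-character variant of a blacklisted name is caught in phase 1, while a random-looking name with no whitelist substrings falls to phase 2 with reputation 0.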

Introduction

Malicious domain names are widely used by attackers for illegal activities in the Domain Name System (DNS). As shown in some reports [1], [2], the number of malicious domain names has grown to the point where they cannot be ignored. The detection of malicious domain names plays a major role in ensuring network security. DNS, a core component of the Internet that provides flexible decoupling of a service's domain name from its hosting IP addresses, has been widely used in network communications, e-business, and mass media [3]. Almost all Internet applications need to use DNS to resolve domain names and achieve
