Abstract

Malicious domain name (MDN) detection has seen great progress in recent years. In this paper, a malicious domain name detection framework covering the complete MDN life cycle is proposed. The framework includes three detection models: DGAD-M (Domain Generation Algorithm Detection Model), DIPD-M (Domain IP Detection Model) and DHTD-M (Domain Host Detection Model), corresponding respectively to the stages of malicious domain generation, malicious domain name resolution, and a host requesting a domain. DGAD-M is based on the fact that domains generated by a DGA usually lack natural language features; it adopts a Convolutional Neural Network. DIPD-M is based on the fact that the IP addresses of malicious domains are more dispersed and are updated frequently. DHTD-M is based on the fact that domains requested by infected hosts frequently tend to be malicious. The results of DGAD-M and DIPD-M are used by DHTD-M. The framework achieved an accuracy rate of 83.652% on real network flow data and found 115 suspicious malicious domains.
