Malicious Domain Detection Research Articles

MDD-FedGNN: A vertical federated graph learning framework for malicious domain detection

The domain name system (DNS) serves as a fundamental component of the Internet infrastructure, but it is also exploited by attackers in various cyber-crimes, underscoring the significance of malicious domain detection (MDD). Recent advances show that graph-based models exhibit potential for inferring malicious domains and demonstrate superior performance. However, acquiring large-scale and high-quality graph datasets for MDD proves challenging for individual security institutes. Hence, a promising research direction involves employing vertical federated graph learning scheme to unite diverse security institutes and enhance local datasets resulting in more robust and powerful detection models. Nonetheless, directly applying vertical federated graph neural networks for MDD confronts challenges posed by noisy labels and noisy edges among security institutes, which ultimately diminish detection performance. This paper introduces a novel vertical federated learning framework, called MDD-FedGNN, that applies contrastive learning with two different encoders to deal with noisy labels and employs a new loss function based on the information bottleneck theory to handle noisy edges. Comparative experiments are conducted on a publicly available DNS dataset to evaluate the effectiveness of MDD-FedGNN in addressing the challenges of noisy labels and edges in vertical federated graph learning. The results demonstrate that MDD-FedGNN outperforms baseline methods, confirming the feasibility of training more powerful malicious domain detection models through data sharing and vertical federated learning among different security agencies.

Malicious domain detection based on semi‐supervised learning and parameter optimization

AbstractMalicious domains provide malware with covert communication channels which poses a severe threat to cybersecurity. Despite the continuous progress in detecting malicious domains with various machine learning algorithms, maintaining up‐to‐date various samples with fine‐labeled data for training is difficult. To handle these issues and improve the detection accuracy, a novel malicious domain detection method named MDND‐SS‐PO is proposed that combines semi‐supervised learning and parameter optimization. The contributions of the study are as follows. First, the method extracts the statistical features of the IP address, TTL value, the NXDomain record, and the domain name query characteristics to discriminate Domain‐Flux and Fast‐Flux domain names simultaneously. Second, an improved DBSCAN based on the neighborhood division is designed to cluster labeled data and unlabeled data with low time consumption. Then, based on the clustering hypothesis, unlabeled data is tagged with pseudo‐label according to the cluster results, which aims to train a supervised classifier effectively. Finally, Gaussian process regression is used to optimize parameter settings of the algorithm. And the Silhouette index and F1 score are introduced to evaluate the optimization results. Experimental results show that the proposed method achieved a precise detection performance of 0.885 when the ratio of labeled data is 5%.

DDOFM: Dynamic malicious domain detection method based on feature mining

The domain name system is an essential part of the network, and target hosts are often attacked by malicious domain names to steal resources. Some traditional detection methods have low accuracy, poor generalization ability, and high resource overhead on model construction to deal with complex and variable malicious domain names. A three-level dynamic malicious domain detection method (DDOFM) is proposed in this paper. DDOFM only needs to combine a few high-order statistical features of benign domains with some DNS features, without flagging malicious samples and involving them in training. Firstly, the boundary recognition of passive DNS (PDNS) features extracted from DNS traffic is carried out to conduct an early- warning for some domains. Second, the Hidden Markov Model (HMM) forward algorithm and normal distribution probability density function are used to calculate the formation probabilities of the warned domains and their probability density values. Then the probabilities of every character in the warned domain name and the standard deviation between these probabilities are counted. Further, the probability density values and the standard deviations of these warned domain names are compared with their respective thresholds to identify the attribution of the warned domain names. Finally, if the domain name is not warned, the Jensen–Shannon divergence (JS divergence) between it and the previous domain name will be calculated. Then the local iterative threshold finding algorithm (LLTFA) proposed in this paper will be combined to determine its attribution and identify whether the host is connected to the command and control (C&C) server. Experiments show that the detection indexes of this method exceed 99% for multiple types of malicious domain names. The C&C servers can also be identified by DDOFM faster than similar methods.

Natural language based malicious domain detection using machine learning and deep learning

Cyberattacks are still challenging since they are increasing day by day. Cybercriminals employ a variety of strategies to manipulate and exploit their targets vulnerabilities. Malicious URLs are one such strategy which is used to target large groups on various social media platforms. To draw internet users, these web addresses are disguised as being safe. Deliberate or inadvertent use of such URLs exposes the user or the organization in the cyberspace and opens the way for further attacks. Systems that use rules-based or machine learning algorithms to find malicious URLs usually rely on feature engineering. This requires domain expertise and experience. Sometimes, even after extracting features from a dataset, it may not completely leverage the potential of the dataset. The proposed method employs Natural Language Processing (NLP) approaches to vectorize the words in the URLs and applies machine learning and deep learning models for classification. Vectorization technique in NLP reduces the effort of feature engineering and maximizing the use of the dataset. For the experiment, two separate datasets are used. To vectorize the URL text, three different vectorization methods are used. To evaluate the performance of the proposed method, two different datasets (D1 and D2) that are regularly utilized in the research domain were used. The results demonstrate that the superior accuracy of 92.4 % with the D1 dataset is achieved by the Decision Tree (DT) with count vectorizer and the Random Forest (RF) with Term Frequency-Inverse Document Frequency (TF-IDF) vectorizer. With the D2 dataset, DT with TF-IDF vectorizer obtains a greater accuracy of 99.5 %. The Artificial Neural Network (ANN) model achieves 89.6 % accuracy with the D1 dataset and 99.2 % accuracy with the D2 dataset.

HANDOM: Heterogeneous Attention Network Model for Malicious Domain Detection

Malicious domains are crucial vectors for attackers to conduct malicious activities. With the increasing numbers in domain-based attack activities and the enhancement of attacker evasion methods, the detection of malicious domains has become critical and increasingly difficult. Statistical feature-based and graph structure-based detection methods are mainstream technical approaches. However, highly hidden domains can escape feature detection, and the detection range of graph structure-based methods is limited. Based on these, we propose a malicious detection method called HANDOM. HANDOM combines statistical features and graph structural information to neutralize their limitations, and uses the Heterogeneous Attention Network (HAN) model to jointly handle both information to achieve high-performance malicious domain classification. We conduct experimental evaluations on real-world datasets and compare HANDOM with machine learning methods and other malicious detection methods. The results present that HANDOM has superior and robust performance, and can identify highly hidden domains.

PUMD: a PU learning-based malicious domain detection framework

Domain name system (DNS), as one of the most critical internet infrastructure, has been abused by various cyber attacks. Current malicious domain detection capabilities are limited by insufficient credible label information, severe class imbalance, and incompact distribution of domain samples in different malicious activities. This paper proposes a malicious domain detection framework named PUMD, which innovatively introduces Positive and Unlabeled (PU) learning solution to solve the problem of insufficient label information, adopts customized sample weight to improve the impact of class imbalance, and effectively constructs evidence features based on resource overlapping to reduce the intra-class distance of malicious samples. Besides, a feature selection strategy based on permutation importance and binning is proposed to screen the most informative detection features. Finally, we conduct experiments on the open source real DNS traffic dataset provided by QI-ANXIN Technology Group to evaluate the PUMD framework’s ability to capture potential command and control (C&C) domains for malicious activities. The experimental results prove that PUMD can achieve the best detection performance under different label frequencies and class imbalance ratios.

N-Trans: Parallel Detection Algorithm for DGA Domain Names

Domain name generation algorithms are widely used in malware, such as botnet binaries, to generate large sequences of domain names of which some are registered by cybercriminals. Accurate detection of malicious domains can effectively defend against cyber attacks. The detection of such malicious domain names by the use of traditional machine learning algorithms has been explored by many researchers, but still is not perfect. To further improve on this, we propose a novel parallel detection model named N-Trans that is based on the N-gram algorithm with the Transformer model. First, we add flag bits to the first and last positions of the domain name for the parallel combination of the N-gram algorithm and Transformer framework to detect a domain name. The model can effectively extract the letter combination features and capture the position features of letters in the domain name. It can capture features such as the first and last letters in the domain name and the position relationship between letters. In addition, it can accurately distinguish between legitimate and malicious domain names. In the experiment, the dataset is the legal domain name of Alexa and the malicious domain name collected by the 360 Security Lab. The experimental results show that the parallel detection model based on N-gram and Transformer achieves 96.97% accuracy for DGA malicious domain name detection. It can effectively and accurately identify malicious domain names and outperforms the mainstream malicious domain name detection algorithms.

A Malicious Domain Detection Model Based on Improved Deep Learning.

With the rapid development of the Internet, malicious domain names pose more and more serious threats to many fields, such as network security and social security, and there have been many research results on malicious domain detection. This article proposes a malicious domain name detection model based on improved deep learning, which can combine the advantages of three different network models, convolutional neural network (CNN), temporal convolutional network (TCN), and long short-term memory network (LSTM) in malicious domain name detection, to obtain a better detection effect than that of the original single or two models. Experiments show that the effect of the improved deep learning model proposed in this article is better than that of the combined model of CNN and LSTM or the combined model of CNN and TCN, and the accuracy and regression rates reached 99.76% and 98.81%, respectively.

Interpretable Machine Learning Models for Malicious Domains Detection Using Explainable Artificial Intelligence (XAI)

With the expansion of the internet, a major threat has emerged involving the spread of malicious domains intended by attackers to perform illegal activities aiming to target governments, violating privacy of organizations, and even manipulating everyday users. Therefore, detecting these harmful domains is necessary to combat the growing network attacks. Machine Learning (ML) models have shown significant outcomes towards the detection of malicious domains. However, the “black box” nature of the complex ML models obstructs their wide-ranging acceptance in some of the fields. The emergence of Explainable Artificial Intelligence (XAI) has successfully incorporated the interpretability and explicability in the complex models. Furthermore, the post hoc XAI model has enabled the interpretability without affecting the performance of the models. This study aimed to propose an Explainable Artificial Intelligence (XAI) model to detect malicious domains on a recent dataset containing 45,000 samples of malicious and non-malicious domains. In the current study, initially several interpretable ML models, such as Decision Tree (DT) and Naïve Bayes (NB), and black box ensemble models, such as Random Forest (RF), Extreme Gradient Boosting (XGB), AdaBoost (AB), and Cat Boost (CB) algorithms, were implemented and found that XGB outperformed the other classifiers. Furthermore, the post hoc XAI global surrogate model (Shapley additive explanations) and local surrogate LIME were used to generate the explanation of the XGB prediction. Two sets of experiments were performed; initially the model was executed using a preprocessed dataset and later with selected features using the Sequential Forward Feature selection algorithm. The results demonstrate that ML algorithms were able to distinguish benign and malicious domains with overall accuracy ranging from 0.8479 to 0.9856. The ensemble classifier XGB achieved the highest result, with an AUC and accuracy of 0.9991 and 0.9856, respectively, before the feature selection algorithm, while there was an AUC of 0.999 and accuracy of 0.9818 after the feature selection algorithm. The proposed model outperformed the benchmark study.

Browser Based Malicious Domain Detection through Extreme Learning Machine

The main aim of the project is to detect the malicious domains in the internet through Machine learning approaches and is helpful in preventing the cybercrime. For that Extreme Learning Machine(ELM) approach is used to find the malicious domains in the web. The Terms used for the project are Browser application, extreme learning machine, feature selection, malicious domain detection, machine learning, Real-time training. This approach will be helpful in reducing the cybercrime such as harmful websites, fake websites that stores the user information, malicious attack website domains.

Lightweight approach for malicious domain detection using machine learning

The web-based attacks use the vulnerabilities of the end users and their system and perform malicious activities such as stealing sensitive information, injecting malwares, redirecting to malicious sites without their knowledge. Malicious website links are spread through social media posts, emails and messages. The victim can be an individual or an organization and it creates huge money loss every year. Recent Internet Security report states that 83 % of systems in the internet are infected by the malware during the last 12 months due to the users who do not aware of the malicious URL (Uniform Resource Locators) and its impacts. There are some methods to detect and prevent the access malicious domain name in the internet. Blacklist-based approaches, heuristic-based methods, and machine/deep learning-based methods are the three categories. This study provides a machine learning-based lightweight solution to classify malicious domain names. Most of the existing research work is focused on increasing the number of features for better classification accuracy. But the proposed approach uses fewer number of features which include lexical, content based, bag of words, popularity features for malicious domain classification. Result of the experiment shows that the proposed approach performs better than the existing one.

Less Is More: Robust and Novel Features for Malicious Domain Detection

Malicious domains are increasingly common and pose a severe cybersecurity threat. Specifically, many types of current cyber attacks use URLs for attack communications (e.g., C&C, phishing, and spear-phishing). Despite the continuous progress in detecting cyber attacks, there are still critical weak spots in the structure of defense mechanisms. Since machine learning has become one of the most prominent malware detection methods, a robust feature selection mechanism is proposed that results in malicious domain detection models that are resistant to evasion attacks. This mechanism exhibits a high performance based on empirical data. This paper makes two main contributions: First, it provides an analysis of robust feature selection based on widely used features in the literature. Note that even though the feature set dimensional space is cut by half, the performance of the classifier is still improved (an increase in the model’s F1-score from 92.92% to 95.81%). Second, it introduces novel features that are robust with regard to the adversary’s manipulation. Based on an extensive evaluation of the different feature sets and commonly used classification models, this paper shows that models based on robust features are resistant to malicious perturbations and concurrently are helpful in classifying non-manipulated data.

Unsupervised malicious domain detection with less labeling effort

Since malware creates severe damage to the system, past studies leveraged various algorithms to detect malicious domains generated from Domain Generation Algorithms (DGAs). Although they achieved a promising performance, security practitioners had to acquire a large amount of fine-labeled dataset with a particular effort. Throughout the research, we propose a series of analysis to build a novel malicious domain detection method with the autoencoder in an unsupervised approach to overcome this limit. The contributions of our study are as follows. First, we proposed significant feature extraction methods that focused on the domain’s linguistic patterns and validated the proposed set of features effectively discriminate benign domains and malicious domains. Second, we established a malicious domain detection method with the autoencoder only with benign domains provided during the model training. Thus, we let a security practitioner build a malicious domain detection model with less labeling effort. Third, the proposed malicious domain detection model achieved a precise detection performance of 99% accuracy and F1 score. Lastly, our model maintains the aforementioned detection performance, although it is trained with a small training set; thus, the model reduces training dataset accumulation effort. Although our detection model cannot identify malicious domains’ origins, particular types of DGA, we evaluate security practitioners can easily implement a countermeasure against DGAs with less effort. In pursuit of precise malicious domain detection, we expect our study can be a concrete baseline for future works.

Smishing Strategy Dynamics and Evolving Botnet Activities in Japan

XLoader and FakeSpy, the two major smishing botnets targeting Japan, change their attack strategies over various timescales. Based on recent observations of the botnets and Twitter data, we present empirical facts about their strategies and activity patterns and applied some of these strategic and activity patterns to malware detection and malicious domain detection. All the proposed methods yielded small false positive and negative rates, and are expected to run on user devices owing to their small computational cost. Recent malware detection methods based on traffic analysis extract TCP/IP traffic features if the upper layers of TCP are encrypted. In this study, Frida’s hooking capability was employed to decode the upper layers (WebSocket and JSON-RPC) to create a list of all commands flowing over the botnet channel. The command-level traffic analysis presents decisive attack features because commands are transmitted according to strategies developed by the attackers. The proposed malicious domain detection method, on the other hand, exploited the tendency of the attackers to create domains in batches. Previous researchers focused on how benign and malicious domains were registered and used on the name servers. The proposed method, on the other hand, focuses on the arrival rate of SMS messages with URL links. The error rates become significantly small when users do not receive such messages very often.

Identifying compromised hosts under APT using DNS request sequences

Advanced persistent threats (APTs) have become a major cyber threat to large organizations. To steal confidential data from specific organizations, attackers adopt highly targeted intrusion schemes. Prior to stealing critical data, APT activities hide themselves in legitimate activities and consistently elevate their privileges, making them very difficult to detect. The detection of malicious domains during domain name service (DNS) analysis accounts for the majority of existing detection methods. However, a limited number of available samples and rapidly changing sets of malicious domain names reduce the efficacy of such approaches. By investigating numerous APT reports, we determined that the activities of DNS requests in APT attacks exhibit clear temporal patterns that are ignored by most existing schemes. Therefore, we can analyze the DNS sequences requested by each host and their time-related features to identify compromised hosts. This paper summarizes the patterns of host DNS requests and proposes several assumptions. We take advantage of machine learning to identify compromised hosts by quantifying these assumptions in the form of feature vectors. We deployed the proposed approach into large-scale network environments and experimental evaluations demonstrated that our method is able to detect hosts compromised by APTs efficiently with a precision of 97.3% and detection rate of 96.2%.

MADMAX: Browser-Based Malicious Domain Detection Through Extreme Learning Machine

Fast and accurate malicious domain detection is an essential research theme to prevent cybercrime, and machine learning is an attractive approach for detecting unseen malicious domains in the past decade. In this paper, we present MADMAX (MAchine learning-baseD MAlicious domain eXhauster) , a browser-based application leveraging extreme learning machine (ELM) for malicious domain detection. In contrast to the existing work of ELM-based domain detection, MADMAX newly introduces two methods, i.e., selection of optimized features to provide higher accuracy and throughput based on permutation importance and real-time training to retrain a model with an updated malicious dataset for continuous malicious domain detection. We demonstrate that MADMAX fairly outperforms the existing work with respect to accuracy and throughput by virtue of the selection of optimized features. Moreover, we also confirm a model with real-time training stably detects even unseen malicious domains, whereas accuracy of a model without the real-time training decreases due to the unseen domains. The source codes of MADMAX is publicly available via GitHub.

Deepdom: Malicious domain detection with scalable and heterogeneous graph convolutional networks

As an essential network service, the Domain Name System (DNS) is widely abused by attackers, making malicious domain detection a crucial task when combating cybercrimes. The increasing sophistication of attackers calls for new detection methods against novel threats and evasions. In this paper, we analyze the DNS scene and design an intelligent malicious domain detection system, named DeepDom. With joint consideration of both domain’s local features and their global associations, DeepDom is more accurate and is harder for attackers to evade. In DeepDom, we first represent the DNS scene as a Heterogeneous Information Network (HIN) with diverse entities like clients, domains, IP addresses, and accounts to capture richer information. Then, considering the heterogeneous and dynamic nature of DNS, we propose a novel Graph Convolutional Network (GCN) method named SHetGCN to inductively classify domain nodes in the HIN. By guiding the convolution operations with meta-path based short random walks, SHetGCN can jointly handle node features together with structural information and support inductive node embedding. We build a prototype of DeepDom and validate its effectiveness with comprehensive experiments over the DNS data collected from a real-world network, CERNET2. The comparison results demonstrate that our approaches outperform other state-of-the-art techniques.

Malicious domain detection based on DNS query using Machine Learning

Malicious domain detection based on DNS query using Machine Learning

Joint detection of malicious domains and infected clients

Detection of malware-infected computers and detection of malicious web domains based on their encrypted HTTPS traffic are challenging problems, because only addresses, timestamps, and data volumes are observable. The detection problems are coupled, because infected clients tend to interact with malicious domains. Traffic data can be collected at a large scale, and antivirus tools can be used to identify infected clients in retrospect. Domains, by contrast, have to be labeled individually after forensic analysis. We explore transfer learning based on sluice networks; this allows the detection models to bootstrap each other. In a large-scale experimental study, we find that the model outperforms known reference models and detects previously unknown malware, previously unknown malware families, and previously unknown malicious domains.

A Survey on Malicious Domains Detection through DNS Data Analysis

Malicious domains are one of the major resources required for adversaries to run attacks over the Internet. Due to the important role of the Domain Name System (DNS), extensive research has been conducted to identify malicious domains based on their unique behavior reflected in different phases of the life cycle of DNS queries and responses. Existing approaches differ significantly in terms of intuitions, data analysis methods as well as evaluation methodologies. This warrants a thorough systematization of the approaches and a careful review of the advantages and limitations of every group. In this article, we perform such an analysis. To achieve this goal, we present the necessary background knowledge on DNS and malicious activities leveraging DNS. We describe a general framework of malicious domain detection techniques using DNS data. Applying this framework, we categorize existing approaches using several orthogonal viewpoints, namely (1) sources of DNS data and their enrichment, (2) data analysis methods, and (3) evaluation strategies and metrics. In each aspect, we discuss the important challenges that the research community should address in order to fully realize the power of DNS data analysis to fight against attacks leveraging malicious domains.