http://dx.doi.org/10.13089/JKIISC.2016.26.2.405

A Proactive Inference Method of Suspicious Domains  

Kang, Byeongho (AhnLab)
Yang, Jisu (AhnLab)
So, Jaehyun (AhnLab)
Kim, Czang Yeob (AhnLab)
Abstract
In this paper, we propose a proactive inference method for finding suspicious domains. Our method detects potentially malicious domains starting from seed domain information extracted from TLD zone files and WHOIS records. The inference process follows three steps: searching for candidate domains, machine learning, and generating a suspicious domain pool. In the first step, we search the TLD zone files and build a candidate domain set whose name server information matches that of the seed domain. The next step clusters the candidate domains by the similarity of their WHOIS information. The final step finds the cluster containing the seed domain and takes that cluster as the suspicious domain set. In our experiments, we used the .COM and .NET TLD zone files and tested 10 seed domains selected by our analysts. The experimental results show that our proposed method finds 55 suspicious domains, of which 52 are true positives; the F1 score is 0.91 and precision is 0.95. We hope our proposal will contribute to further research on proactive malicious domain blacklisting.
Keywords
Suspicious Domain Inference; Proactive Detection; DNS Zone File; WHOIS Information; Machine Learning
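The following is an added, self-contained illustration of the three-step inference pipeline the abstract describes (candidate search by shared name servers, clustering by WHOIS similarity, taking the seed's cluster as the suspicious pool), followed by the precision/recall/F1 evaluation the abstract reports. It is not the authors' code or data: the zone-file excerpt, WHOIS records, domain names and ground-truth labels are all constructed, and because the abstract does not say which machine-learning method was used, the clustering step here is an assumed stand-in (single-linkage clustering over the fraction of matching WHOIS fields). The threshold comparison at the end shows the practical caveat that domains sharing a commodity hosting provider's name servers can be pulled into the pool as false positives if the WHOIS similarity threshold is too loose.

```python
"""Toy three-step suspicious-domain inference (added example, not the paper's code).

Assumptions: candidate domains are those whose name-server set is identical to the
seed's; the "machine learning" step is approximated by single-linkage clustering
over a WHOIS field-overlap score; all records below are constructed sample data."""
from itertools import combinations

# Constructed zone-file excerpt: domain -> set of name servers.
ZONE = {
    "seed-bad.com":     {"ns1.cheaphost.example", "ns2.cheaphost.example"},
    "acct-verify.com":  {"ns1.cheaphost.example", "ns2.cheaphost.example"},
    "secure-login.net": {"ns1.cheaphost.example", "ns2.cheaphost.example"},
    "bank-update.com":  {"ns1.cheaphost.example", "ns2.cheaphost.example"},
    "family-blog.com":  {"ns1.cheaphost.example", "ns2.cheaphost.example"},
    "shop-legit.com":   {"ns1.bighost.example", "ns2.bighost.example"},
    "pay-confirm.com":  {"ns1.bighost.example", "ns2.bighost.example"},
}

# Constructed WHOIS excerpt: domain -> registration attributes (all made up).
WHOIS = {
    "seed-bad.com":     {"registrar": "RegA", "email": "x@mail.example",    "country": "XX", "created": "2015-11"},
    "acct-verify.com":  {"registrar": "RegA", "email": "x@mail.example",    "country": "XX", "created": "2015-11"},
    "secure-login.net": {"registrar": "RegA", "email": "x@mail.example",    "country": "XX", "created": "2015-12"},
    "bank-update.com":  {"registrar": "RegA", "email": "y@mail.example",    "country": "XX", "created": "2015-11"},
    "family-blog.com":  {"registrar": "RegA", "email": "jane@home.example", "country": "XX", "created": "2009-03"},
    "shop-legit.com":   {"registrar": "RegB", "email": "shop@store.example","country": "YY", "created": "2012-06"},
    "pay-confirm.com":  {"registrar": "RegA", "email": "x@mail.example",    "country": "XX", "created": "2015-11"},
}

# Constructed analyst ground truth for the non-seed domains. Note that
# pay-confirm.com is malicious but uses different name servers, so step 1
# can never reach it: this bounds the recall of the method.
TRUTH = {"acct-verify.com", "secure-login.net", "bank-update.com", "pay-confirm.com"}


def candidate_domains(seed, zone):
    """Step 1: every domain whose name-server set equals the seed's."""
    return {d for d, ns in zone.items() if ns == zone[seed]}


def whois_similarity(a, b):
    """Fraction of shared WHOIS fields whose values are identical (0.0 .. 1.0)."""
    keys = a.keys() & b.keys()
    return sum(a[k] == b[k] for k in keys) / len(keys)


def cluster_by_whois(domains, whois, threshold):
    """Step 2: single-linkage clustering via union-find; two domains are linked
    when their WHOIS similarity is at least `threshold`."""
    parent = {d: d for d in domains}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in combinations(sorted(domains), 2):
        if whois_similarity(whois[a], whois[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for d in domains:
        groups.setdefault(find(d), set()).add(d)
    return [frozenset(g) for g in groups.values()]


def suspicious_pool(seed, zone, whois, threshold):
    """Step 3: the seed's cluster, minus the seed itself, is the inferred pool."""
    for cluster in cluster_by_whois(candidate_domains(seed, zone), whois, threshold):
        if seed in cluster:
            return set(cluster) - {seed}
    return set()


def evaluate(inferred, truth):
    """Precision, recall and F1 of an inferred pool against labelled truth."""
    tp = len(inferred & truth)
    precision = tp / len(inferred) if inferred else 0.0
    recall = tp / len(truth) if truth else 0.0
    f1 = 2 * precision * recall / (precision + recall) if tp else 0.0
    return precision, recall, f1


if __name__ == "__main__":
    for threshold in (0.5, 0.75):
        pool = suspicious_pool("seed-bad.com", ZONE, WHOIS, threshold)
        p, r, f = evaluate(pool, TRUTH)
        print(f"threshold={threshold}: pool={sorted(pool)} "
              f"precision={p:.2f} recall={r:.2f} f1={f:.2f}")
```

With the looser threshold (0.5) the benign family-blog.com, which merely shares the registrar and country with the seed on the same budget host, lands in the pool as a false positive; at 0.75 it is excluded and precision rises to 1.0, while recall stays at 0.75 because the malicious domain on different name servers is never a candidate. In a real deployment the threshold, or the clustering model replacing it, is what tunes the precision/recall trade-off the abstract reports.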