Authors: Issa Khalil, Ting Yu, Bei Guan
Keywords:
Abstract: Malicious domains are key components of a variety of cyber attacks. Several recent techniques have been proposed to identify malicious domains through analysis of DNS data. The general approach is to build classifiers based on DNS-related local domain features. One potential problem is that many local features, e.g., domain name patterns and temporal patterns, tend to be not robust. Attackers could easily alter these features to evade detection without affecting much their attack capabilities. In this paper, we take a complementary approach. Instead of focusing on local features, we propose to discover and analyze global associations among domains. The key challenges are (1) to build meaningful associations among domains, and (2) to use these associations to reason about the maliciousness of domains. For the first challenge, we take advantage of the modus operandi of attackers. To avoid detection, malicious domains exhibit dynamic behavior by, for example, frequently changing domain-IP resolutions and creating new domains. This makes it very likely for attackers to reuse resources. It is indeed commonly observed that, over a period of time, multiple malicious domains are hosted on the same IPs and multiple IPs host the same malicious domains, which creates an intrinsic association among them. For the second challenge, we develop a graph-based inference technique over associated domains. Our intuition is that a domain having strong associations with known malicious domains is likely to be malicious itself. Carefully established associations enable the discovery of a large set of new malicious domains using a small set of previously known malicious ones. Our experiments on a public passive DNS database show that the proposed technique can achieve high true positive rates (over 95%) while maintaining low false positive rates (less than 0.5%). Further, even with a small set of known malicious domains (a couple of hundreds), our technique can discover a large set of malicious domains (in the scale of up to tens of thousands).
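The following is an added illustration of the approach sketched in the abstract; it is not the paper's code and does not reproduce its exact inference algorithm. It builds a domain-IP bipartite view from a few constructed passive DNS records, turns shared IPs into a weighted domain association graph (popular IPs such as shared hosting are dropped, since sharing them says little about a common operator), and propagates a maliciousness score from a small seed set along the strongest association path. The weighting (Jaccard similarity of IP sets), the path-product scoring rule, the degree cutoff and the threshold are all assumptions chosen for the example.

```python
"""Graph-based inference of malicious domains from passive DNS associations.

Added example (not the paper's implementation). Constructed records only.
"""
from collections import defaultdict
from itertools import combinations

# Constructed passive DNS records (domain, resolved IP). Not real data:
# example/documentation ranges are used for every IP.
PDNS_RECORDS = [
    ("bad-seed.example", "203.0.113.10"),
    ("bad-seed.example", "203.0.113.11"),
    ("shadow1.example", "203.0.113.10"),
    ("shadow1.example", "203.0.113.11"),
    ("shadow2.example", "203.0.113.11"),
    ("shadow2.example", "203.0.113.12"),
    ("benign-shop.example", "198.51.100.5"),
    ("benign-blog.example", "198.51.100.6"),
    # one shared-hosting / CDN style IP used by many unrelated domains
    ("bad-seed.example", "192.0.2.1"),
    ("benign-shop.example", "192.0.2.1"),
    ("benign-blog.example", "192.0.2.1"),
    ("news.example", "192.0.2.1"),
    ("docs.example", "192.0.2.1"),
]

# The small set of previously known malicious domains (constructed).
SEEDS = {"bad-seed.example"}


def qualified_ips(records, max_domains_per_ip=3):
    """Map each domain to the IPs it resolved to, ignoring IPs that host more
    than max_domains_per_ip domains (shared hosting, CDNs, parking/sinkhole
    IPs). Sharing such a popular IP is weak evidence of a common operator and
    would create many spurious associations. The cutoff is an assumption."""
    ip_to_domains = defaultdict(set)
    for domain, ip in records:
        ip_to_domains[ip].add(domain)
    domain_to_ips = defaultdict(set)
    for domain, ip in records:
        domain_to_ips[domain]  # register the domain even if no IP qualifies
        if len(ip_to_domains[ip]) <= max_domains_per_ip:
            domain_to_ips[domain].add(ip)
    return dict(domain_to_ips)


def build_association_graph(domain_to_ips):
    """Weighted domain graph: two domains are associated when they share at
    least one qualified IP. Edge weight is the Jaccard similarity of their IP
    sets, so a domain sharing all of its IPs with another is tied to it more
    strongly than one sharing a single IP out of many (assumed weighting)."""
    graph = {d: {} for d in domain_to_ips}
    for a, b in combinations(domain_to_ips, 2):
        shared = domain_to_ips[a] & domain_to_ips[b]
        if not shared:
            continue
        w = len(shared) / len(domain_to_ips[a] | domain_to_ips[b])
        graph[a][b] = w
        graph[b][a] = w
    return graph


def infer_scores(graph, seeds, max_iter=20):
    """Propagate maliciousness from the seed set along association edges.
    A seed scores 1.0; any other domain takes the strongest path to a seed,
    with path strength being the product of edge weights (assumed scoring
    rule). Weights are <= 1, so iterating reaches a fixed point."""
    scores = {d: (1.0 if d in seeds else 0.0) for d in graph}
    for _ in range(max_iter):
        changed = False
        for d in graph:
            if d in seeds:
                continue
            best = max((scores[n] * w for n, w in graph[d].items()), default=0.0)
            if best > scores[d] + 1e-12:
                scores[d] = best
                changed = True
        if not changed:
            break
    return scores


def classify(records, seeds, threshold=0.25):
    """Return the non-seed domains whose inferred score reaches the threshold."""
    graph = build_association_graph(qualified_ips(records))
    scores = infer_scores(graph, seeds)
    return {d for d, s in scores.items() if s >= threshold and d not in seeds}


def evaluate(predicted, truly_malicious, all_domains, seeds):
    """True positive rate and false positive rate over the non-seed domains."""
    candidates = set(all_domains) - set(seeds)
    positives = set(truly_malicious) & candidates
    negatives = candidates - positives
    tpr = len(predicted & positives) / len(positives) if positives else 0.0
    fpr = len(predicted & negatives) / len(negatives) if negatives else 0.0
    return tpr, fpr


if __name__ == "__main__":
    found = classify(PDNS_RECORDS, SEEDS)
    truth = {"bad-seed.example", "shadow1.example", "shadow2.example"}  # constructed labels
    domains = {d for d, _ in PDNS_RECORDS}
    print("inferred malicious:", sorted(found))
    print("TPR=%.2f FPR=%.2f" % evaluate(found, truth, domains, SEEDS))
```

On the constructed records, `shadow1.example` shares every qualified IP with the seed and scores 1.0, `shadow2.example` reaches the seed through one shared IP and scores about 0.33, and the domains that only co-host with the seed on the popular IP 192.0.2.1 receive no association at all, which is the practical reason for the popular-IP cutoff: without it, every tenant of a shared host would inherit the seed's score.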