
A Survey on Malicious Domains Detection through DNS Data Analysis

Published: 06 July 2018

Abstract

Malicious domains are one of the major resources required for adversaries to run attacks over the Internet. Due to the important role of the Domain Name System (DNS), extensive research has been conducted to identify malicious domains based on their unique behavior reflected in different phases of the life cycle of DNS queries and responses. Existing approaches differ significantly in terms of intuitions, data analysis methods as well as evaluation methodologies. This warrants a thorough systematization of the approaches and a careful review of the advantages and limitations of every group.
In this article, we perform such an analysis. To achieve this goal, we present the necessary background knowledge on DNS and malicious activities leveraging DNS. We describe a general framework of malicious domain detection techniques using DNS data. Applying this framework, we categorize existing approaches using several orthogonal viewpoints, namely (1) sources of DNS data and their enrichment, (2) data analysis methods, and (3) evaluation strategies and metrics. In each aspect, we discuss the important challenges that the research community should address in order to fully realize the power of DNS data analysis to fight against attacks leveraging malicious domains.

[172]
F. Zhao, Y. Hori, and K. Sakurai. 2007. Analysis of privacy disclosure in DNS query. In Proceedings of the International Conference on Multimedia and Ubiquitous Engineering. 952--957.
[173]
Xiaojin Zhu. 2005. Semi-Supervised Learning Literature Survey. Technical Report 1530. Computer Science, University of Wisconsin-Madison.
[174]
Futai Zou, Siyu Zhang, Weixiong Rao, and Ping Yi. 2015. Detecting malware based on DNS graph mining. Int. J. Distrib. Sensor Netw. 2015 (2015).
[175]
Hiba Zuhair, Ali Selamat, and Mazleena Salleh. 2016. Feature selection for phishing detection: A review of research. Int. J. Intell. Syst. Technol. Appl. 15, 2 (May 2016), 147--162.

Published In

ACM Computing Surveys  Volume 51, Issue 4
July 2019
765 pages
ISSN:0360-0300
EISSN:1557-7341
DOI:10.1145/3236632
Editor: Sartaj Sahni
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 06 July 2018
Accepted: 01 February 2018
Revised: 01 February 2018
Received: 01 August 2017
Published in CSUR Volume 51, Issue 4


Author Tags

  1. Malicious domains detection
  2. domain name system

Qualifiers

  • Survey
  • Research
  • Refereed
