Malicious Domain Detection Method Based on Multivariate Time-Series Features

doi:10.3969/j.issn.1671-1122.2023.11.001

Abstract

Abstract:

At present, malicious domains as the main attack vector are widely abused in a variety of network attack activities. To address the problems of complex design of detection features in malicious domain detection, the need for empirical knowledge assistance and the ease of targeted bypassing by attackers, the paper proposed a malicious domain detection method based on multivariate temporal features. The method uses a deep learning model based on fused long and short-term memory networks and full convolutional neural networks to automatically extract multivariate temporal embedding features from client requests and domain resolution traffic, respectively, and learn low-dimensional temporal representations of malicious domain behaviors. Compared with traditional time-statistical feature schemes or time-series local pattern discrimination schemes, this method can establish long-term domain activity patterns and distinguish the behavior sequences of malicious domains from normal domains, which has more powerful malicious domain detection capability. Meanwhile, the method supports the fusion of multivariate time-series embedding features and generic malicious domain detection features to characterize malicious behavior information in multiple dimensions, improving detection performance as well as model robustness and scalability.

Key words: malicious domain, long short-term memory, fully convolutional network, multivariate time-series feature, feature fusion

CLC Number:

TP309

YAO Yuan, FAN Zhaoshan, WANG Qing, TAO Yuan. Malicious Domain Detection Method Based on Multivariate Time-Series Features[J]. Netinfo Security, 2023, 23(11): 1-8.

Figures/Tables 11

References 17

[1]	STEVANOVIC M, PEDERSEN J M, D'ALCONZO A, et al. On the Ground Truth Problem of Malicious DNS Traffic Analysis[J]. Computers & Security, 2015, 55: 142-158. doi: 10.1016/j.cose.2015.09.004 URL
[2]	XU Guotian, SHENG Zhenwei. DGA Malicious Domain Name Detection Method Based on Fusion of CNN and LSTM[J]. Netinfo Security, 2021, 21(10): 41-47.
	徐国天, 盛振威. 基于融合CNN与LSTM的DGA恶意域名检测方法[J]. 信息网络安全, 2021, 21(10): 41-47.
[3]	SCHUPPEN S, TEUBERT D, HERRMANN P, et al. FANCI: Feature-Based Automated NXDomain Classification and Intelligence[C]// ACM. In Proceedings of the 27th USENIX Conference on Security Symposium (SEC'18). Berkeley: USENIX Association, 2018: 1165-1181.
[4]	ZHOU Changling, CHEN Kai, GONG Xuxiao, et al. Detection of Fast-Flux Domains Based on Passive DNS Analysis[J]. Acta Scientiarum Naturalium Universitatis Pekinensis, 2016, 52(3): 396-402.
	周昌令, 陈恺, 公绪晓, 等. 基于Passive DNS的速变域名检测[J]. 北京大学学报:自然科学版, 2016, 52(3): 396-402.
[5]	HAN Chunyu, ZHANG Yongzheng, ZHANG Yu. Fast-Flucos: Malicious Domain Name Detection Method for Fast-Flux Based on DNS Traffic[J]. Journal on Communications, 2020, 41(5): 37-47. doi: 10.11959/j.issn.1000-436x.2020094
	韩春雨, 张永铮, 张玉. Fast-Flucos:基于DNS流量的fast-flux恶意域名检测方法[J]. 通信学报, 2020, 41(5): 37-47. doi: 10.11959/j.issn.1000-436x.2020094
[6]	TRUONG D T, CHENG Guang. Detecting Domain-Flux Botnet Based on DNS Traffic Features in Managed Network[J]. Security and Communication Networks, 2016, 9(14): 2338-2347. doi: 10.1002/sec.v9.14 URL
[7]	CHO D X, NAM H H. A Method of Monitoring and Detecting APT Attacks Based on Unknown Domains[J]. Procedia Computer Science, 2019, 150: 316-323. doi: 10.1016/j.procs.2019.02.058 URL
[8]	RAHBARINIA B, PERDISCI R, ANTONAKAKIS M. Segugio: Efficient Behavior-Based Tracking of Malware-Control Domains in Large ISP Networks[C]// IEEE. 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks. New York: IEEE, 2015: 403-414.
[9]	MA Zhen, LI Qiang, MENG Xiangyu. Discovering Suspicious APT Families through a Large-Scale Domain Graph in Information-Centric IoT[J]. IEEE Access, 2019, 7: 13917-13926. doi: 10.1109/ACCESS.2019.2894509
[10]	WANG Xiaoqi, LI Qiang, YAN Guanghua, et al. Detection of Covert and Suspicious DNS Behavior in Advanced Persistent Threats[J]. Journal of Computer Research and Development, 2017, 54(10): 2334-2343.
	王晓琪, 李强, 闫广华, 等. 高级持续性威胁中隐蔽可疑DNS行为的检测[J]. 计算机研究与发展, 2017, 54(10): 2334-2343.
[11]	ZHAO Guodong, XU Ke, XU Lei, et al. Detecting APT Malware Infections Based on Malicious DNS and Traffic Analysis[J]. IEEE Access, 2015, 3: 1132-1142. doi: 10.1109/ACCESS.2015.2458581 URL
[12]	BILGE L, KIRDA E, KRUEGEL C, et al. EXPOSURE: Finding Malicious Domains Using Passive DNS Analysis[EB/OL]. [2023-04-12]. https://xueshu.baidu.com/usercenter/paper/show?paperid=bd8bbc9b0308c49ed70c2b50ecc94c49.
[13]	TAN Guolin, ZHANG Peng, LIU Qingyun, et al. Domainobserver: A lightweight Solution for Detecting Malicious Domains Based on Dynamic Time Warping[C]// Springer. International Conference on Computational Science. Berlin:Springer, 2018: 208-220.
[14]	KDOSHA O E, ROSENTHAL G, COHEN K, et al. REMaDD: Resource-Efficient Malicious Domains Detector in Large-Scale Networks[J]. IEEE Access, 2020, 8: 66327-66337. doi: 10.1109/Access.6287639 URL
[15]	TAN Guolin, ZHANG Peng, ZHANG Lei, et al. Learning from Time Series with Outlier Correction for Malicious Domain Identification[C]// IEEE. 2019 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW). New York: IEEE, 2019: 42-46.
[16]	LONG J, SHELHAMER E, DARRELL T. Fully Convolutional Networks for Semantic Segmentation[C]// IEEE. Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. New York: IEEE, 2015: 3431-3440.
[17]	HOCHREITER S, SCHMIDHUBER J. Long Short-Term Memory[J]. Neural Computation, 1997, 9(8): 1735-1780. doi: 10.1162/neco.1997.9.8.1735 pmid: 9377276

良性域名/个	恶意域名/个	解析次数/次	资源记录/个
19560	952	1987609	66048
客户端主机/个	请求次数/次	IPv4/个	IPv6/个
370101	4163432	419155	11975

定义	客户端请求时序数据	定义	域名解析时序数据
S1	客户端发起请求包总数	S10	8~11时段总请求数
S2	发起请求的客户端个数	S11	12~15时段总请求数
S3	域名被请求的小时个数	S12	16~19时段总请求数
S4	最活跃小时的请求总数	S13	20~23时段总请求数
S5	各小时请求总数的极差	S14	DNS发出的域名解析包总数
S6	各小时请求总数的唯一值个数	S15	域名解析的唯一IP个数
S7	最活跃小时占比全天请求总数	S16	域名解析的资源记录类型个数
S8	0~3时段总请求数	S17	各解析记录响应总数的极差
S9	4~7时段总请求数	S18	各解析记录响应总数的唯一值个数

特征类型	维度	具体特征
字符特征	4	域名长度（F1）、子域个数（F2）、特殊字符个数（F3）、数字字符个数（F4）
流量特征	6	IP数量（F5）、解析记录数量（F6）、请求客户端数量（F7）、解析请求次数（F8）、代理IP池托管域名的数量（F9）、客户端池请求的域名数量（F10）
whois特征	3	域名注册有效期（F11）、缺失任一日期记录（F12）、NS服务器相似性分数（F13）

模型	Precision	Recall	F1	Accuracy
SVM	68.3140%	94.7581%	79.3919%	98.7821%
LR	55.8473%	94.3548%	70.1649%	98.0134%
Xgboost	72.4138%	93.1452%	81.4815%	98.9518%
RF	65.4391%	93.1452%	76.8719%	98.6124%

特征方案	Precision	Recall	F1	Accuracy
多元时序嵌入特征	72.4138%	93.1452%	81.4815%	98.9518%
时序统计特征	43.9623%	93.9516%	59.8972%	96.8853%
常规统计特征	48.6258%	92.7419%	63.8003%	97.3944%
通用域名检测特征	61.4583%	95.1613%	74.6835%	98.4027%
全量特征	75.4839%	94.3548%	83.8710%	99.1015%