6th International ICST Conference on Collaborative Computing: Networking, Applications, Worksharing

Research Article

Mining DNS for malicious domain registrations

  • @INPROCEEDINGS{10.4108/icst.collaboratecom.2010.5,
        author={Yuanchen He and Zhenyu Zhong and Sven Krasser and Yuchun Tang},
        title={Mining DNS for malicious domain registrations},
        proceedings={6th International ICST Conference on Collaborative Computing: Networking, Applications, Worksharing},
        publisher={IEEE},
        proceedings_a={COLLABORATECOM},
        year={2011},
        month={5},
        keywords={Decision trees Helium Machine learning Manuals Markov processes Vegetation},
        doi={10.4108/icst.collaboratecom.2010.5}
    }
    
Yuanchen He1,*, Zhenyu Zhong1,*, Sven Krasser1,*, Yuchun Tang1,*
  • 1: McAfee, Inc., 4501 North Point Parkway, Suite 300, Alpharetta, GA 30022, USA
*Contact email: yhe@McAfee.com, ezhong@McAfee.com, skrasser@McAfee.com, ytang@McAfee.com

Abstract

Millions of new domains are registered every day and many of them are malicious. It is challenging to keep track of malicious domains by Web content analysis alone due to the large number of domains. One interesting pattern in legitimate domain names is that many of them consist of English words or look like meaningful English, while many malicious domain names are randomly generated and do not include meaningful words. We show that it is possible to transform this intuitive observation into statistically informative features using second-order Markov models. Four transition matrices are built from known legitimate domain names, known malicious domain names, English words in a dictionary, and based on a uniform distribution. The probabilities from these Markov models, as well as other features extracted from DNS data, are used to build a Random Forest classifier. The experimental results demonstrate that our system can quickly catch malicious domains with a low false positive rate.
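The four Markov-model features described in the abstract can be sketched as follows. This is an added example, not the authors' code: the training lists are constructed, and the add-one smoothing, length normalisation, character alphabet and all names (`SecondOrderMarkov`, `markov_features`, `MODELS`) are assumptions.

```python
import math
from collections import defaultdict

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-"  # characters assumed in a label
START = "^"  # padding so the first two characters also have a full context


class SecondOrderMarkov:
    """P(c_i | c_{i-2} c_{i-1}) over label characters, add-one smoothed (assumption)."""

    def __init__(self, samples=()):
        self.counts = defaultdict(lambda: defaultdict(int))
        for s in samples:
            padded = START * 2 + s.lower()
            for i in range(2, len(padded)):
                self.counts[padded[i - 2:i]][padded[i]] += 1

    def prob(self, context, ch):
        row = self.counts.get(context, {})
        return (row.get(ch, 0) + 1) / (sum(row.values()) + len(ALPHABET))

    def avg_log_prob(self, label):
        """Length-normalised log-probability, so long and short names compare."""
        padded = START * 2 + label.lower()
        total = sum(math.log(self.prob(padded[i - 2:i], padded[i]))
                    for i in range(2, len(padded)))
        return total / max(len(label), 1)


# Constructed training sets, far smaller than anything usable in practice.
LEGIT = ["google", "facebook", "wikipedia", "amazon", "onlinebanking",
         "weathernews", "bookstore", "mailserver"]
MALICIOUS = ["xkqjzvwp", "qzxvbnmk", "hjkqwzxy", "zzqpxkvj", "wqxzjkvb"]
ENGLISH = ["online", "book", "store", "weather", "news", "mail", "bank",
           "server", "search", "market"]

MODELS = {
    "legit": SecondOrderMarkov(LEGIT),
    "malicious": SecondOrderMarkov(MALICIOUS),
    "english": SecondOrderMarkov(ENGLISH),
    "uniform": SecondOrderMarkov(),  # no counts: every transition is 1/len(ALPHABET)
}


def markov_features(label):
    """One feature per model; they would sit beside other DNS features in the classifier."""
    return {name: model.avg_log_prob(label) for name, model in MODELS.items()}


if __name__ == "__main__":
    for name in ("newsmarket", "xkqzvjwq"):
        print(name, {k: round(v, 3) for k, v in markov_features(name).items()})
```

The uniform model acts as a baseline: a word-like label scores above it under the English model, while a random-looking label scores below it.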

Keywords
Decision trees, Helium, Machine learning, Manuals, Markov processes, Vegetation
Published
2011-05-12
Publisher
IEEE
http://dx.doi.org/10.4108/icst.collaboratecom.2010.5