Method for Detecting a Malicious Domain by Using WHOIS and DNS Features
Proceedings: The Third International Conference on Digital Security and Forensics (DigitalSec2016)
Publication Date: 2016-09-06
Authors: Masahiro Kuyama; Yoshio Kakizaki; Ryoichi Sasaki
Pages: 74-80
Keywords: Malware; C&C Server; Neural Network; SVM
Abstract
Damage caused by targeted attacks is a serious problem. It is not enough to prevent only the initial infections, because techniques for targeted attacks have become more sophisticated every year, especially those seeking to illegally acquire confidential information. In a targeted attack, various communications are performed between the command and control server (C&C server) and the local area network (LAN), including the terminal infected with malware. Therefore, it is possible to find the infected terminal in the LAN by monitoring the communications with the C&C server. In this study, we propose a method for identifying the C&C server by using supervised machine learning and the features obtained from the WHOIS and DNS records of C&C server domains and normal domains. Moreover, we conduct an experiment that applies real data, and we verify the usefulness of our method by cross-validation. As a result of the experiment, we could obtain a high detection rate of about 98%.
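The abstract describes the method only at the level of its parts: WHOIS and DNS features for each domain, a supervised classifier trained on labelled C&C and normal domains, and cross-validation to estimate the detection rate. The block below is an added, runnable illustration of that pipeline; it is not the authors' code and does not reproduce their feature set. The five features, the constructed domain records, the fixed reference date and the logistic-regression classifier (used here in place of the SVM and neural network named in the keywords) are all assumptions made for illustration.

```python
"""Added example (not code from the paper): WHOIS/DNS-derived domain features,
a supervised linear classifier, and k-fold cross-validation in the standard
library. The feature set, the constructed records, the reference date and the
logistic-regression stand-in for the paper's SVM/neural network are assumptions."""
from datetime import date
import math
import random

TODAY = date(2016, 9, 1)  # fixed reference date so domain age is deterministic (assumed)

# Constructed records shaped like fields gathered from WHOIS (created, expires) and
# DNS (A-record count, TTL, presence of MX). Names are placeholders, values made up.
# Fields: name, created, expires, a_records, ttl, has_mx, label (1 = C&C, 0 = normal)
RECORDS = [
    ("normal-a.example", date(2005, 1, 10), date(2025, 1, 10), 2, 3600, True, 0),
    ("normal-b.example", date(2008, 6, 2), date(2026, 6, 2), 3, 7200, True, 0),
    ("normal-c.example", date(2011, 11, 20), date(2021, 11, 20), 1, 86400, True, 0),
    ("normal-d.example", date(2003, 4, 1), date(2024, 4, 1), 4, 14400, True, 0),
    ("normal-e.example", date(2010, 9, 9), date(2020, 9, 9), 2, 3600, True, 0),
    ("normal-f.example", date(2006, 2, 28), date(2023, 2, 28), 2, 43200, True, 0),
    ("cc-a.invalid", date(2016, 8, 15), date(2017, 8, 15), 1, 60, False, 1),
    ("cc-b.invalid", date(2016, 7, 30), date(2017, 7, 30), 1, 120, False, 1),
    ("cc-c.invalid", date(2016, 8, 25), date(2017, 8, 25), 2, 300, False, 1),
    ("cc-d.invalid", date(2016, 6, 11), date(2017, 6, 11), 1, 60, False, 1),
    ("cc-e.invalid", date(2016, 8, 1), date(2017, 8, 1), 1, 180, False, 1),
    ("cc-f.invalid", date(2016, 7, 4), date(2017, 7, 4), 3, 240, False, 1),
]

def extract_features(created, expires, a_records, ttl, has_mx):
    """Turn raw WHOIS/DNS fields into a numeric vector (assumed feature set)."""
    age_days = max((TODAY - created).days, 0)         # how long the domain has existed
    reg_span_days = max((expires - created).days, 0)  # length of the registration period
    return [math.log1p(age_days), math.log1p(reg_span_days), float(a_records),
            math.log1p(ttl), 1.0 if has_mx else 0.0]

def sigmoid(z):
    # numerically stable logistic function
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    ez = math.exp(z)
    return ez / (1.0 + ez)

def fit_scaler(X):
    # per-feature min/max taken from the training fold only, so no test-fold leakage
    cols = list(zip(*X))
    return [min(c) for c in cols], [max(c) for c in cols]

def scale(x, lo, hi):
    return [(v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(x, lo, hi)]

def train_logistic(X, y, lr=0.5, epochs=2000):
    """Batch gradient descent on the logistic loss; returns (weights, bias)."""
    w, b, m = [0.0] * len(X[0]), 0.0, len(X)
    for _ in range(epochs):
        gw, gb = [0.0] * len(w), 0.0
        for x, t in zip(X, y):
            err = sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b) - t
            gw = [g + err * xi for g, xi in zip(gw, x)]
            gb += err
        w = [wi - lr * g / m for wi, g in zip(w, gw)]
        b -= lr * gb / m
    return w, b

def predict(model, x):
    w, b = model
    return 1 if sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b) >= 0.5 else 0

def cross_validate(records, k=4, seed=7):
    """k-fold cross-validation; returns the fraction of held-out domains classified correctly."""
    idx = list(range(len(records)))
    random.Random(seed).shuffle(idx)
    folds = [idx[i::k] for i in range(k)]
    correct = 0
    for held in folds:
        train = [i for i in idx if i not in held]
        X_raw = [extract_features(*records[i][1:6]) for i in train]
        lo, hi = fit_scaler(X_raw)
        model = train_logistic([scale(x, lo, hi) for x in X_raw], [records[i][6] for i in train])
        for i in held:
            correct += predict(model, scale(extract_features(*records[i][1:6]), lo, hi)) == records[i][6]
    return correct / len(records)

def fit_all(records):
    """Train on every record; returns (model, lo, hi) for scoring newly observed domains."""
    X_raw = [extract_features(*r[1:6]) for r in records]
    lo, hi = fit_scaler(X_raw)
    return train_logistic([scale(x, lo, hi) for x in X_raw], [r[6] for r in records]), lo, hi

def classify(bundle, created, expires, a_records, ttl, has_mx):
    model, lo, hi = bundle
    return predict(model, scale(extract_features(created, expires, a_records, ttl, has_mx), lo, hi))

if __name__ == "__main__":
    print("cross-validated accuracy:", cross_validate(RECORDS))
```

Two design points carry over to any real deployment of this kind of detector: the feature scaler is fitted on the training fold only, so the cross-validation estimate is not inflated by information from the held-out domains, and the labelled corpus and the classifier are the parts that determine the detection rate. The constructed records here are deliberately easy to separate; the roughly 98% figure in the abstract comes from the authors' real data and their SVM and neural-network models, not from this toy set.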
Last modified: 2016-09-11 23:54:01