
Method for Detecting a Malicious Domain by Using WHOIS and DNS Features

Proceeding: The Third International Conference on Digital Security and Forensics (DigitalSec2016)


Pages: 74-80

Keywords: Malware; C&C Server; Neural Network; SVM



Damage caused by targeted attacks is a serious problem. Preventing the initial infection alone is not enough, because the techniques used in targeted attacks, especially those aimed at illegally acquiring confidential information, become more sophisticated every year. During a targeted attack, various communications take place between the command and control server (C&C server) and the local area network (LAN) that contains the malware-infected terminal. The infected terminal can therefore be located within the LAN by monitoring communications with the C&C server. In this study, we propose a method for identifying C&C servers by supervised machine learning, using features obtained from the WHOIS and DNS records of C&C server domains and of normal domains. We also conduct an experiment on real data and verify the usefulness of the method by cross-validation. In this experiment, we obtained a high detection rate of about 98%.

Last modified: 2016-09-11 23:54:01