Method for Detecting a Malicious Domain by Using WHOIS and DNS Features

Damages caused by targeted attacks are a serious problem. It is not enough to prevent only the initial infections, because techniques for targeted attacks have become more sophisticated every year, especially those seeking to illegally acquire confidential information. In a targeted attack, various communications are performed between the command and control server (C&C server) and the local area network (LAN), including the terminal infected with malware. Therefore, it is possible to find the infected terminal in the LAN by monitoring the communications with the C&C server. In this study, we propose a method for identifying the C&C server by using supervised machine learning and the feature points obtained from WHOIS and the DNS of domains of C&C servers and normal domains. Moreover, we conduct an experiment that applies real data, and we verify the usefulness of our method by a cross-validation method. As a result of the experiment, we could obtain a high detection rate of about 98%.