Following Passive DNS Traces to Detect Stealthy Malicious Domains Via Graph Inference
ACM Transactions on Privacy and Security (IF 2.3), Pub Date: 2020-07-06, DOI: 10.1145/3401897
Mohamed Nabeel (1), Issa M. Khalil (1), Bei Guan (2), Ting Yu (1)

Malicious domains, including phishing websites, spam servers, and command and control servers, are the reason for many of the cyber attacks nowadays. Thus, detecting them in a timely manner is important to not only identify cyber attacks but also take preventive measures. There has been a plethora of techniques proposed to detect malicious domains by analyzing Domain Name System (DNS) traffic data. Traditionally, DNS acts as an Internet miscreant’s best friend, but we observe that the subtle traces in DNS logs left by such miscreants can be used against them to detect malicious domains. Our approach is to build a set of domain graphs by connecting “related” domains together and injecting known malicious and benign domains into these graphs so that we can make inferences about the other domains in the domain graphs. A key challenge in building these graphs is how to accurately identify related domains so that incorrect associations are minimized and the number of domains connected from the dataset is maximized. Based on our observations, we first train two classifiers and then devise a set of association rules that assist in linking domains together. We perform an in-depth empirical analysis of the graphs built using these association rules on passive DNS data and show that our techniques can detect many more malicious domains than the state-of-the-art.
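As an added illustration of the graph-inference idea in the abstract (this is not the authors' code, and the passive-DNS records and seed labels below are constructed, not taken from their dataset): domains are linked by one simple association rule, a shared resolved IP, standing in for the paper's classifier-derived rules, and a label-propagation pass stands in for their inference step. The per-IP cap is an assumed knob that shows why association rules need to limit incorrect links such as shared hosting.

```python
from collections import defaultdict

# Constructed passive-DNS-style (domain, resolved IP) records; not from the paper's dataset.
PDNS_RECORDS = [
    ("login-bank-verify.example", "203.0.113.10"),
    ("secure-update.example", "203.0.113.10"),
    ("promo-offer.example", "203.0.113.10"),
    ("c2-beacon.example", "203.0.113.44"),
    ("secure-update.example", "203.0.113.44"),
    ("news.example", "198.51.100.5"),
    ("shop.example", "198.51.100.5"),
    ("weather.example", "198.51.100.6"),
    ("shop.example", "198.51.100.6"),
]
KNOWN_MALICIOUS = {"login-bank-verify.example"}   # constructed seed labels
KNOWN_BENIGN = {"news.example"}

def build_domain_graph(records, max_domains_per_ip=50):
    """Link domains that resolved to the same IP; IPs hosting more than max_domains_per_ip
    domains (shared hosting, CDNs) add no edges, a crude stand-in for learned association rules."""
    ip_to_domains = defaultdict(set)
    graph = defaultdict(set)
    for domain, ip in records:
        ip_to_domains[ip].add(domain)
        graph[domain]                      # every domain is a node, even if it ends up isolated
    for domains in ip_to_domains.values():
        if len(domains) > max_domains_per_ip:
            continue
        for d in domains:
            graph[d].update(domains - {d})
    return graph

def infer_scores(graph, malicious, benign, iterations=20, damping=0.5):
    """Label propagation: seeds are pinned at +1 (malicious) / -1 (benign); every other
    node takes damping * mean neighbour score, so evidence fades with graph distance."""
    scores = {d: 1.0 if d in malicious else -1.0 if d in benign else 0.0 for d in set(graph) | set(malicious) | set(benign)}
    for _ in range(iterations):
        new = dict(scores)
        for d, nbrs in graph.items():
            if d in malicious or d in benign or not nbrs:
                continue
            new[d] = damping * sum(scores[n] for n in nbrs) / len(nbrs)
        scores = new
    return scores

if __name__ == "__main__":
    scores = infer_scores(build_domain_graph(PDNS_RECORDS), KNOWN_MALICIOUS, KNOWN_BENIGN)
    for d, s in sorted(scores.items(), key=lambda kv: -kv[1]):
        print(f"{s:+.3f} {d}")   # positive = leans malicious, negative = leans benign
```

Unlabeled domains co-hosted with the malicious seed end up with positive scores, those co-hosted with the benign seed negative, and lowering the per-IP cap removes the edges from the crowded IP.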

Updated: 2020-07-06