Advanced Flow Models for Computing the Reputation of Internet Domains
The Domain Name System (DNS) is an essential component of the Internet infrastructure that translates domain names into IP addresses. Recent incidents demonstrate the enormous damage caused by malicious activity that relies on DNS, such as bots that use DNS to locate their command & control servers. We believe that a domain that is related to malicious domains is more likely to be malicious as well, and therefore detecting malicious domains using the DNS network topology is a key challenge.
In this work we improve the flow model presented by Mishsky et al. for computing the reputation of domains. This flow model is applied to a graph of domains and IPs and propagates their reputation scores through the edges that connect them, so that malicious domains influence the reputation of related domains. We propose the use of clustering to guide the flow of reputation in the graph and examine two different clustering methods to identify groups of domains and IPs that are strongly related. The flow algorithms use these groups to emphasize the influence of nodes within the same cluster on each other. We evaluate the algorithms using a large database received from a commercial company. The experimental evaluation of our work has shown the expected improvement over previous work in detecting malicious domains.
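The propagation the abstract describes, as an added illustration rather than the paper's own algorithm or code: scores flow across a small constructed domain/IP graph from two confirmed-bad seed domains, and "inside" edges (both endpoints in the same cluster) are weighted more heavily than edges that cross clusters. The update rule, the inside-edge weight, the damping factor and the sample graph are all assumptions made here, not values taken from the paper.

```python
"""Added illustration of reputation flow over a domain/IP graph (not the
paper's algorithm). Assumed rule: each node stays anchored to its seed score
and blends in a weighted mean of its neighbours' scores, with edges inside
one cluster weighted more heavily than edges that cross clusters."""
from collections import defaultdict


def propagate_reputation(edges, clusters, seeds, inside_weight=2.0,
                         damping=0.5, iterations=20):
    """Maliciousness score in [0, 1] per node; edges are (domain, ip) pairs,
    clusters maps node -> cluster id, seeds maps node -> known score."""
    neighbours = defaultdict(list)
    for domain, ip in edges:
        neighbours[domain].append(ip)
        neighbours[ip].append(domain)
    score = {node: seeds.get(node, 0.0) for node in neighbours}
    for _ in range(iterations):
        updated = {}
        for node, adjacent in neighbours.items():
            total = weight_sum = 0.0
            for other in adjacent:
                # an "inside" edge (both ends in one cluster) carries more flow
                same = clusters.get(node) == clusters.get(other)
                weight = inside_weight if same else 1.0
                total += weight * score[other]
                weight_sum += weight
            incoming = total / weight_sum if weight_sum else 0.0
            # stay anchored to the seed, then blend in the neighbours' flow
            updated[node] = ((1 - damping) * seeds.get(node, 0.0)
                             + damping * incoming)
        score = updated
    return score


def rank_unknown_domains(edges, clusters, seeds, **kwargs):
    """Unseeded domains ordered from most to least suspicious."""
    score = propagate_reputation(edges, clusters, seeds, **kwargs)
    unknown = {domain for domain, _ in edges} - set(seeds)
    return sorted(unknown, key=lambda d: score[d], reverse=True)


# Constructed sample: two confirmed-bad domains share 198.51.100.1 with an
# unknown domain that also resolves into a separate, cleaner cluster.
EDGES = [("bad1.example", "198.51.100.1"), ("bad2.example", "198.51.100.1"),
         ("sus.example", "198.51.100.1"), ("sus.example", "198.51.100.2"),
         ("good.example", "198.51.100.2"), ("good.example", "198.51.100.3")]
CLUSTERS = {"bad1.example": "A", "bad2.example": "A", "sus.example": "A",
            "198.51.100.1": "A", "198.51.100.2": "B", "good.example": "B",
            "198.51.100.3": "B"}
SEEDS = {"bad1.example": 1.0, "bad2.example": 1.0}
```

Running `propagate_reputation` with `inside_weight=1.0` shows how much of the unknown domain's score comes from the cluster-guided weighting rather than from plain adjacency.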
Keywords: Flow Algorithm, Domain Name System, Categorical Cluster, Inside Edge, Reputation Score
This research was supported in part by the Lynn and William Frankel Center for Computer Sciences at Ben-Gurion University, Israel, and we would like to thank them for their support. We also thank the reviewers for their very useful comments.