DomainObserver: A Lightweight Solution for Detecting Malicious Domains Based on Dynamic Time Warping

  • Guolin Tan
  • Peng Zhang
  • Qingyun Liu
  • Xinran Liu
  • Chunge Zhu
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10860)


People use the Internet to shop, access information and enjoy entertainment by browsing web sites. At the same time, cyber-criminals operate malicious domains to spread illegal content, which poses a great risk to the security of cyberspace. Therefore, it is of great importance to detect malicious domains in the field of cyberspace security. Typically, there are broad research focusing on detecting malicious domains either by blacklist or learning the features. However, the former is infeasible due to its unpredictability of unknown malicious domains, and the later requires complex feature engineering. Different from most of previous methods, in this paper, we propose a novel lightweight solution named DomainObserver to detect malicious domains. Our technique of DomainObserver is based on dynamic time warping that is used to better align the time series. To the best of our knowledge, it is a new trial to apply passive traffic measurements and time series data mining to malicious domain detection. Extensive experiments on real datasets are performed to demonstrate the effectiveness of our proposed method.


Malicious domain Detection Passive traffic Time series Dynamic time warping 



The author gratefully acknowledges support from National Key R&D Program 2016 (Grant No. 2016YFB0801300), National Natural Science Foundation of China (No. 61402464), and Youth Innovation Promotion Association CAS. And we also want to thank the anonymous reviewers for the valuable comments.


  1. 1.
    Alexa: Alexa top 1m. Accessed 7 Nov 2017
  2. 2.
    Antivirus: Network Security Threat Information Sharing Platform.
  3. 3.
    Baidu: Baidu Website Security Detection Platform.
  4. 4.
    Berndt, D.J., Clifford, J.: Using dynamic time warping to find patterns in time series. In: KDD Workshop, Seattle, WA, vol. 10, pp. 359–370 (1994)Google Scholar
  5. 5.
    Bilge, L., Sen, S., Balzarotti, D., Kirda, E., Kruegel, C.: Exposure: a passive DNS analysis service to detect and report malicious domains. ACM Trans. Inf. Syst. Secur. (TISSEC) 16(4), 14 (2014)CrossRefGoogle Scholar
  6. 6.
    Cover, T., Hart, P.: Nearest neighbor pattern classification. IEEE Trans. Inf. Theory 13(1), 21–27 (1967)CrossRefGoogle Scholar
  7. 7.
    Duffield, N.: Sampling for passive internet measurement: a review. Stat. Sci. 472–498 (2004)MathSciNetCrossRefGoogle Scholar
  8. 8.
    Faloutsos, C., Ranganathan, M., Manolopoulos, Y.: Fast subsequence matching in time-series databases. In: SIGMOD 1994. Citeseer (1994)CrossRefGoogle Scholar
  9. 9.
    Grabocka, J., Schilling, N., Wistuba, M., Schmidt-Thieme, L.: Learning time-series shapelets. In: Proceedings of the 20th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 392–401. ACM (2014)Google Scholar
  10. 10.
    Kuyama, M., Kakizaki, Y., Sasaki, R.: Method for detecting a malicious domain by using WHOIS and DNS features. In: Third International Conference on Digital Security and Forensics (DigitalSec2016), p. 74 (2016)Google Scholar
  11. 11.
    Malware: Malware Domain Block List.
  12. 12.
    Manadhata, P.K., Yadav, S., Rao, P., Horne, W.: Detecting malicious domains via graph inference. In: Kutyłowski, M., Vaidya, J. (eds.) ESORICS 2014. LNCS, vol. 8712, pp. 1–18. Springer, Cham (2014). Scholar
  13. 13.
    Nepali, R.K., Wang, Y.: You look suspicious!!: leveraging visible attributes to classify malicious short URLs on Twitter. In: 2016 49th Hawaii International Conference on System Sciences (HICSS), pp. 2648–2655. IEEE (2016)Google Scholar
  14. 14.
    OpenDNS: Phishtank.
  15. 15.
    Qihu 360: 360 Fraud Reporting Center.
  16. 16.
    Sahoo, D., Liu, C., Hoi, S.C.: Malicious URL detection using machine learning: a survey. arXiv preprint arXiv:1701.07179 (2017)
  17. 17.
    Sun, B., Akiyama, M., Yagi, T., Hatada, M., Mori, T.: Autoblg: automatic URL blacklist generator using search space expansion and filters. In: 2015 IEEE Symposium on Computers and Communication (ISCC), pp. 625–631. IEEE (2015)Google Scholar
  18. 18.
    Wang, X., Mueen, A., Ding, H., Trajcevski, G., Scheuermann, P., Keogh, E.: Experimental comparison of representation methods and distance measures for time series data. Data Min. Knowl. Discov. 26, 1–35 (2013)MathSciNetCrossRefGoogle Scholar
  19. 19.
    Wang, Y.: Cai, W.d., Wei, P.c.: A deep learning approach for detecting malicious Javascript code. Secur. Commun. Netw. 9(11), 1520–1534 (2016)CrossRefGoogle Scholar
  20. 20.
    Zhang, J., Porras, P.A., Ullrich, J.: Highly predictive blacklisting. In: USENIX Security Symposium, pp. 107–122 (2008)Google Scholar

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  • Guolin Tan
    • 1
    • 2
  • Peng Zhang
    • 2
  • Qingyun Liu
    • 2
  • Xinran Liu
    • 3
  • Chunge Zhu
    • 3
  1. 1.Institute of Information EngineeringChinese Academy of SciencesBeijingChina
  2. 2.School of Cyber SecurityUniversity of Chinese Academy of SciencesBeijingChina
  3. 3.National Computer Network Emergency Response and Coordination CenterBeijingChina

Personalised recommendations