
Malicious Domain Name Detection Based on Extreme Machine Learning

Published in: Neural Processing Letters

Abstract

Malicious domain detection is one of the most effective approaches applied in detecting Advanced Persistent Threats (APT), the most sophisticated and stealthy threat to modern networks. Domain name analysis provides security experts with insights to identify the Command and Control (C&C) communications in APT attacks. In this paper, we propose a machine learning based methodology to detect malware domain names using the Extreme Learning Machine (ELM). ELM is a modern neural network with high accuracy and fast learning speed. We apply ELM to classify domain names based on features extracted from multiple resources. Our experiment reveals that the introduced detection method achieves a high detection rate and accuracy (of more than 95%). The fast learning speed of our ELM based approach is also demonstrated by a comparative experiment. Hence, we believe our method using ELM is both effective and efficient in identifying malicious domains and therefore enhances the current detection mechanism for APT attacks.
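As an added illustration (not code from the paper or its authors), the following Python builds a small Extreme Learning Machine of the kind the abstract describes: the input weights and biases of a single hidden layer are drawn at random and never trained, and only the output weights are fitted in closed form by ridge-regularised least squares, which is what gives ELM its fast training. The domain features used here (label length, Shannon entropy, digit ratio, vowel ratio) and the sample domain names are assumptions constructed for this demo; the paper's actual feature set and datasets are not reproduced.

```python
import math
import random

# Constructed sample domains for the demo (not the paper's dataset).
BENIGN = ["google.com", "wikipedia.org", "amazon.com", "microsoft.com",
          "github.com", "stackoverflow.com", "nytimes.com", "apple.com"]
MALICIOUS = ["xk3j9qzv7lw2p.net", "q8zr4mxv1kdj2w.biz", "h7tq2vxzk9pmw.info",
             "zv4kq8xjw3rtm.com", "p9wx2kzq7vjhl.org", "m3xq9kzvw7jtp.net",
             "r8vzk2qxw9pjm.biz", "t7qkx3zvw8mpj.info"]


def shannon_entropy(s):
    """Shannon entropy in bits of the character distribution of s."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def features(domain):
    """Assumed lexical features of the registered label, scaled to [0, 1]."""
    label = domain.split(".")[0]  # drop the TLD, keep the registered label
    n = max(len(label), 1)
    digits = sum(ch.isdigit() for ch in label) / n
    vowels = sum(ch in "aeiou" for ch in label) / n
    return [min(n / 30.0, 1.0), shannon_entropy(label) / 5.0, digits, vowels]


def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))


def solve_ridge(H, T, lam):
    """Solve (H^T H + lam*I) beta = H^T T by Gauss-Jordan elimination."""
    L = len(H[0])
    A = [[sum(H[k][i] * H[k][j] for k in range(len(H))) + (lam if i == j else 0.0)
          for j in range(L)] for i in range(L)]
    b = [sum(H[k][i] * T[k] for k in range(len(H))) for i in range(L)]
    for col in range(L):
        pivot = max(range(col, L), key=lambda r: abs(A[r][col]))
        A[col], A[pivot] = A[pivot], A[col]
        b[col], b[pivot] = b[pivot], b[col]
        p = A[col][col]
        A[col] = [v / p for v in A[col]]
        b[col] /= p
        for r in range(L):
            if r != col and A[r][col] != 0.0:
                f = A[r][col]
                A[r] = [a - f * c for a, c in zip(A[r], A[col])]
                b[r] -= f * b[col]
    return b


class ELM:
    """Single-hidden-layer ELM: random fixed hidden layer, least-squares output."""

    def __init__(self, n_features, n_hidden=20, lam=0.01, seed=7):
        rng = random.Random(seed)
        # Hidden-layer weights and biases are random and never updated.
        self.W = [[rng.uniform(-1, 1) for _ in range(n_features)] for _ in range(n_hidden)]
        self.b = [rng.uniform(-1, 1) for _ in range(n_hidden)]
        self.lam = lam
        self.beta = None

    def _hidden(self, x):
        return [sigmoid(sum(w * xi for w, xi in zip(row, x)) + bi)
                for row, bi in zip(self.W, self.b)]

    def fit(self, X, y):
        # The only "training" step: a closed-form ridge solve for beta.
        H = [self._hidden(x) for x in X]
        self.beta = solve_ridge(H, y, self.lam)
        return self

    def score(self, x):
        return sum(h * b for h, b in zip(self._hidden(x), self.beta))

    def predict(self, domain):
        return "malicious" if self.score(features(domain)) > 0 else "benign"


def train_classifier():
    """Fit the demo ELM on the constructed samples (benign = -1, malicious = +1)."""
    X = [features(d) for d in BENIGN + MALICIOUS]
    y = [-1.0] * len(BENIGN) + [1.0] * len(MALICIOUS)
    return ELM(n_features=4).fit(X, y)


def accuracy(model, domains, expected):
    return sum(model.predict(d) == expected for d in domains) / len(domains)


if __name__ == "__main__":
    model = train_classifier()
    print("benign accuracy:", accuracy(model, BENIGN, "benign"))
    print("malicious accuracy:", accuracy(model, MALICIOUS, "malicious"))
    for d in ["facebook.com", "y2kq7xzv9wjmp.net"]:  # held-out, constructed
        print(d, "->", model.predict(d))
```

The ridge term (lam) plays the role of the pseudoinverse in the original ELM formulation and keeps the 20x20 solve well-conditioned on tiny data; in a real deployment the lexical features would be joined with DNS and WHOIS-derived features, and a held-out set rather than training accuracy would measure the detector.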



Corresponding author

Correspondence to Gong Chen.


Cite this article

Shi, Y., Chen, G. & Li, J. Malicious Domain Name Detection Based on Extreme Machine Learning. Neural Process Lett 48, 1347–1357 (2018). https://doi.org/10.1007/s11063-017-9666-7
