An Adaptive Malicious Domain Detection Mechanism with DNS Traffic

A domain in Internet represents an address where some services may be provided, and the domain providing malicious service, such as Botnet communication and nonexistent service etc., is called malicious. Once the security system cannot detect and block a family of malicious domain, they will soon flood the whole Internet with request and threaten the network security. Hence, the efficiency and accuracy are always used to evaluate malicious detection models. In this paper, a universal grammar structure detection model with the Markov chain is discussed, which has the benefit of flexibly extracting all kinds of grammar features. Moreover, this paper propose a hybrid malicious domain detection model with techniques of grammar structures and traffic temporal features. The detection backbone is a grammar structure based model which ensure the efficiency, meanwhile traffic temporal feature are timely extracted and used to train the backbone model. Given collected test sample sets and one-month campus network real-time traffic, the proposed model is verified through comparing with enterprise C&C detection tools. The experiment result show that the efficiency, accuracy and scalability all achieve much progress.