Malicious Domain Detection Based on Traffic Similarity
Abstract
The Domain Name System (DNS) is an important resource on the Internet. Malicious domain detection techniques are used to find domains that are registered and operated for malicious purposes. This paper analyzes existing malicious domain detection techniques and then proposes a new detection technique based on traffic similarity. We analyze a public botnet traffic dataset and extract its DNS traffic pattern, and we apply the same pattern to spam as well. We use the normalized Fréchet distance to evaluate the similarity of two traffic curves. Our experiments on a simulated botnet and spam network show that the proposed technique achieves high true positive rates (94.3% on average) as we vary the botnet connection frequency, the DGA type and the spam sending rules. The proposed technique provides a new approach to malicious domain detection.
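As an added illustration, not code from the paper, the following Python sketch compares two per-domain DNS query-count curves with the discrete Fréchet distance. The peak-based normalization, the constructed hourly counts and the 0.1 decision threshold are assumptions for this example; the paper's own normalization and threshold are not given in the abstract.

```python
"""Compare DNS query-count time series by discrete Fréchet distance (constructed example)."""
from math import hypot


def normalize(series):
    """Map a query-count series onto [0, 1] x [0, 1]: time is rescaled to unit
    length and counts are divided by the series peak, so that curve *shape*
    is compared rather than raw volume (assumed normalization, not the paper's)."""
    peak = max(series) or 1.0
    n = len(series)
    return [(i / (n - 1) if n > 1 else 0.0, c / peak) for i, c in enumerate(series)]


def discrete_frechet(p, q):
    """Discrete Fréchet distance (Eiter & Mannila, 1994) by dynamic programming.
    ca[i][j] is the smallest 'leash' needed to walk p[0..i] and q[0..j] in step."""
    n, m = len(p), len(q)
    ca = [[0.0] * m for _ in range(n)]
    for i in range(n):
        for j in range(m):
            d = hypot(p[i][0] - q[j][0], p[i][1] - q[j][1])
            if i == 0 and j == 0:
                ca[i][j] = d
            elif i == 0:
                ca[i][j] = max(ca[0][j - 1], d)
            elif j == 0:
                ca[i][j] = max(ca[i - 1][0], d)
            else:
                ca[i][j] = max(min(ca[i - 1][j], ca[i - 1][j - 1], ca[i][j - 1]), d)
    return ca[n - 1][m - 1]


def traffic_distance(a, b):
    """Normalized Fréchet distance between two raw query-count series."""
    return discrete_frechet(normalize(a), normalize(b))


def matches_pattern(candidate, reference, threshold=0.1):
    """Flag a domain whose traffic curve lies within `threshold` of a known
    malicious reference curve (threshold is an assumed value)."""
    return traffic_distance(candidate, reference) <= threshold


# Constructed hourly DNS query counts (12 intervals each).
BEACON_REF = [1, 1, 1, 30, 1, 1, 1, 30, 1, 1, 1, 30]          # known C2 beacon: spike every 4 h
CANDIDATE_A = [2, 2, 3, 60, 2, 2, 2, 58, 3, 2, 2, 61]         # same period, twice the volume
CANDIDATE_B = [5, 8, 15, 30, 45, 60, 70, 65, 50, 35, 20, 10]  # diurnal curve of an ordinary site

if __name__ == "__main__":
    for name, series in (("A", CANDIDATE_A), ("B", CANDIDATE_B)):
        print(name, round(traffic_distance(series, BEACON_REF), 3), matches_pattern(series, BEACON_REF))
```

Because the count axis is scaled by each series' own peak, candidate A matches the beacon despite double the query volume, while the diurnal curve B is far away (the endpoints alone force a large distance).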
Keywords
Malicious domain detection, traffic analysis, Fréchet distance, botnet, spam
DOI
10.12783/dtcse/cii2017/17282