TY - GEN
T1 - Advanced flow models for computing the reputation of internet domains
AU - Othman, Hussien
AU - Gudes, Ehud
AU - Gal-Oz, Nurit
N1 - Publisher Copyright:
© IFIP International Federation for Information Processing 2017.
PY - 2017/1/1
Y1 - 2017/1/1
N2 - The Domain Name System (DNS) is an essential component of the Internet infrastructure that translates domain names into IP addresses. Recent incidents verify the enormous damage of malicious activities utilizing DNS, such as bots that use DNS to locate their command & control servers. We believe that a domain that is related to malicious domains is more likely to be malicious as well, and therefore detecting malicious domains using the DNS network topology is a key challenge. In this work we improve the flow model presented by Mishsky et al. [12] for computing the reputation of domains. This flow model is applied on a graph of domains and IPs and propagates their reputation scores through the edges that connect them to express the impact of malicious domains on related domains. We propose the use of clustering to guide the flow of reputation in the graph and examine two different clustering methods to identify groups of domains and IPs that are strongly related. The flow algorithms use these groups to emphasize the influence of nodes within the same cluster on each other. We evaluate the algorithms using a large database received from a commercial company. The experimental evaluation of our work has shown the expected improvement over previous work [12] in detecting malicious domains.
AB - The Domain Name System (DNS) is an essential component of the Internet infrastructure that translates domain names into IP addresses. Recent incidents verify the enormous damage of malicious activities utilizing DNS, such as bots that use DNS to locate their command & control servers. We believe that a domain that is related to malicious domains is more likely to be malicious as well, and therefore detecting malicious domains using the DNS network topology is a key challenge. In this work we improve the flow model presented by Mishsky et al. [12] for computing the reputation of domains. This flow model is applied on a graph of domains and IPs and propagates their reputation scores through the edges that connect them to express the impact of malicious domains on related domains. We propose the use of clustering to guide the flow of reputation in the graph and examine two different clustering methods to identify groups of domains and IPs that are strongly related. The flow algorithms use these groups to emphasize the influence of nodes within the same cluster on each other. We evaluate the algorithms using a large database received from a commercial company. The experimental evaluation of our work has shown the expected improvement over previous work [12] in detecting malicious domains.
UR - http://www.scopus.com/inward/record.url?scp=85020498910&partnerID=8YFLogxK
U2 - 10.1007/978-3-319-59171-1_10
DO - 10.1007/978-3-319-59171-1_10
M3 - Conference contribution
AN - SCOPUS:85020498910
SN - 9783319591704
T3 - IFIP Advances in Information and Communication Technology
SP - 119
EP - 134
BT - Trust Management XI - 11th IFIP WG 11.11 International Conference, IFIPTM 2017, Proceedings
A2 - Steghofer, Jan-Philipp
A2 - Esfandiari, Babak
PB - Springer New York LLC
T2 - 11th IFIP WG 11.11 International Conference on Trust Management, IFIPTM 2017
Y2 - 12 June 2017 through 16 June 2017
ER -