IMDoC: Identification of Malicious Domain Campaigns via DNS and Communicating Files

David Lazar, Yakov Shay-El Cohen, Alon Freund, Avishay Bartik, Aviv Ron

Research output: Contribution to journal › Article › peer-review

Abstract

Cyber attacks have become more sophisticated and frequent over the years. Detecting the components operated during a cyber attack and relating them to a specific threat actor is one of the main challenges facing cyber security systems. Reliable detection of malicious components and identification of the threat actor are imperative for Security Operations Center (SOC) analysts to mitigate security issues. The Domain Name System (DNS) plays a significant role in most cyber attacks observed nowadays, in that domains act as Command and Control (C&C) infrastructure in coordinated botnet attacks or impersonate legitimate websites in phishing attacks. Thus, DNS analysis has become a popular tool for malicious domain identification. In this collaborative research between Ben-Gurion University and IBM, we develop a novel algorithm, dubbed Identification of Malicious Domain Campaigns (IMDoC), that detects malicious domains and relates them to a specific malware campaign in a large-scale real-data DNS traffic environment. Its novelty lies in a framework that combines the existence of communicating files for the observed domains with their DNS request patterns in a real production environment. The analysis was conducted on real data from Quad9 (9.9.9.9) DNS recursive resolvers combined with malicious communicating files extracted from VirusTotal, and confirms the strong performance of the algorithm in a real large-scale production data environment.

Original language: English
Journal: IEEE Access
DOIs
State: Accepted/In press - 1 Jan 2021

Keywords

  • clustering methods
  • Cyber security
  • detection algorithms
  • domain name system (DNS)
  • IP networks
  • Malware
  • Prediction algorithms
  • Production
  • Reliability
  • Security
  • Servers
