A survey on malicious domains detection through DNS data analysis

Research output: Contribution to journal (Article)

4 Citations (Scopus)

Abstract

Malicious domains are one of the major resources required for adversaries to run attacks over the Internet. Due to the important role of the Domain Name System (DNS), extensive research has been conducted to identify malicious domains based on their unique behavior reflected in different phases of the life cycle of DNS queries and responses. Existing approaches differ significantly in terms of intuitions, data analysis methods as well as evaluation methodologies. This warrants a thorough systematization of the approaches and a careful review of the advantages and limitations of every group. In this article, we perform such an analysis. To achieve this goal, we present the necessary background knowledge on DNS and malicious activities leveraging DNS. We describe a general framework of malicious domain detection techniques using DNS data. Applying this framework, we categorize existing approaches using several orthogonal viewpoints, namely (1) sources of DNS data and their enrichment, (2) data analysis methods, and (3) evaluation strategies and metrics. In each aspect, we discuss the important challenges that the research community should address in order to fully realize the power of DNS data analysis to fight against attacks leveraging malicious domains.

Original language: English
Article number: 3191329
Journal: ACM Computing Surveys
Volume: 51
Issue number: 4
DOI: 10.1145/3191329
Publication status: Published - 1 Jul 2018

Keywords

  • Domain name system
  • Malicious domains detection

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science (all)

Cite this

A survey on malicious domains detection through DNS data analysis. / Zhauniarovich, Yury; Khalil, Issa; Yu, Ting; Dacier, Marc.

In: ACM Computing Surveys, Vol. 51, No. 4, 3191329, 01.07.2018.

@article{3adf9bec3a9c4c308e0dad4106188664,
title = "A survey on malicious domains detection through DNS data analysis",
abstract = "Malicious domains are one of the major resources required for adversaries to run attacks over the Internet. Due to the important role of the Domain Name System (DNS), extensive research has been conducted to identify malicious domains based on their unique behavior reflected in different phases of the life cycle of DNS queries and responses. Existing approaches differ significantly in terms of intuitions, data analysis methods as well as evaluation methodologies. This warrants a thorough systematization of the approaches and a careful review of the advantages and limitations of every group. In this article, we perform such an analysis. To achieve this goal, we present the necessary background knowledge on DNS and malicious activities leveraging DNS. We describe a general framework of malicious domain detection techniques using DNS data. Applying this framework, we categorize existing approaches using several orthogonal viewpoints, namely (1) sources of DNS data and their enrichment, (2) data analysis methods, and (3) evaluation strategies and metrics. In each aspect, we discuss the important challenges that the research community should address in order to fully realize the power of DNS data analysis to fight against attacks leveraging malicious domains.",
keywords = "Domain name system, Malicious domains detection",
author = "Yury Zhauniarovich and Issa Khalil and Ting Yu and Marc Dacier",
year = "2018",
month = "7",
day = "1",
doi = "10.1145/3191329",
language = "English",
volume = "51",
journal = "ACM Computing Surveys",
issn = "0360-0300",
publisher = "Association for Computing Machinery (ACM)",
number = "4",
}

TY - JOUR
T1 - A survey on malicious domains detection through DNS data analysis
AU - Zhauniarovich, Yury
AU - Khalil, Issa
AU - Yu, Ting
AU - Dacier, Marc
PY - 2018/7/1
Y1 - 2018/7/1
N2 - Malicious domains are one of the major resources required for adversaries to run attacks over the Internet. Due to the important role of the Domain Name System (DNS), extensive research has been conducted to identify malicious domains based on their unique behavior reflected in different phases of the life cycle of DNS queries and responses. Existing approaches differ significantly in terms of intuitions, data analysis methods as well as evaluation methodologies. This warrants a thorough systematization of the approaches and a careful review of the advantages and limitations of every group. In this article, we perform such an analysis. To achieve this goal, we present the necessary background knowledge on DNS and malicious activities leveraging DNS. We describe a general framework of malicious domain detection techniques using DNS data. Applying this framework, we categorize existing approaches using several orthogonal viewpoints, namely (1) sources of DNS data and their enrichment, (2) data analysis methods, and (3) evaluation strategies and metrics. In each aspect, we discuss the important challenges that the research community should address in order to fully realize the power of DNS data analysis to fight against attacks leveraging malicious domains.
AB - Malicious domains are one of the major resources required for adversaries to run attacks over the Internet. Due to the important role of the Domain Name System (DNS), extensive research has been conducted to identify malicious domains based on their unique behavior reflected in different phases of the life cycle of DNS queries and responses. Existing approaches differ significantly in terms of intuitions, data analysis methods as well as evaluation methodologies. This warrants a thorough systematization of the approaches and a careful review of the advantages and limitations of every group. In this article, we perform such an analysis. To achieve this goal, we present the necessary background knowledge on DNS and malicious activities leveraging DNS. We describe a general framework of malicious domain detection techniques using DNS data. Applying this framework, we categorize existing approaches using several orthogonal viewpoints, namely (1) sources of DNS data and their enrichment, (2) data analysis methods, and (3) evaluation strategies and metrics. In each aspect, we discuss the important challenges that the research community should address in order to fully realize the power of DNS data analysis to fight against attacks leveraging malicious domains.
KW - Domain name system
KW - Malicious domains detection
UR - http://www.scopus.com/inward/record.url?scp=85053277779&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85053277779&partnerID=8YFLogxK
U2 - 10.1145/3191329
DO - 10.1145/3191329
M3 - Article
VL - 51
JO - ACM Computing Surveys
JF - ACM Computing Surveys
SN - 0360-0300
IS - 4
M1 - 3191329
ER -