Detecting malicious domains with probabilistic threat propagation on DNS graph

Yuta Kazato, Toshiharu Sugawara, Kensuke Fukuda

    Research output: Contribution to journal › Article

    Abstract

    This paper proposes a method to estimate malicious domain names from a large-scale DNS query-response dataset. The key idea of the work is to leverage a DNS graph, a bipartite graph consisting of domain names and their corresponding IP addresses. We apply the concept of Probabilistic Threat Propagation (PTP), seeded with a set of predefined benign and malicious nodes, to a DNS graph obtained from DNS queries observed at a backbone link. The performance of our proposed method (EPTP) outperformed that of the original PTP method (9% improvement) and that of a traditional N-gram-based method (40% improvement) in an ROC analysis. We finally estimated 2,170 new malicious domain names with EPTP.

    Original language: English
    Pages (from-to): 16-28
    Number of pages: 13
    Journal: Computer Software
    Volume: 33
    Issue number: 3
    Publication status: Published - 2016

    ASJC Scopus subject areas

    • Software

    Cite this

    Detecting malicious domains with probabilistic threat propagation on DNS graph. / Kazato, Yuta; Sugawara, Toshiharu; Fukuda, Kensuke.

    In: Computer Software, Vol. 33, No. 3, 2016, p. 16-28.

    Research output: Contribution to journal › Article

    @article{a9a2653c000e465fbadf4bf16cda7fe0,
    title = "Detecting malicious domains with probabilistic threat propagation on DNS graph",
    author = "Yuta Kazato and Toshiharu Sugawara and Kensuke Fukuda",
    year = "2016",
    language = "English",
    volume = "33",
    pages = "16--28",
    journal = "Computer Software",
    issn = "0289-6540",
    publisher = "Japan Society for Software Science and Technology",
    number = "3",
    }

    TY - JOUR

    T1 - Detecting malicious domains with probabilistic threat propagation on DNS graph

    AU - Kazato, Yuta

    AU - Sugawara, Toshiharu

    AU - Fukuda, Kensuke

    PY - 2016

    Y1 - 2016

    UR - http://www.scopus.com/inward/record.url?scp=84990821934&partnerID=8YFLogxK

    UR - http://www.scopus.com/inward/citedby.url?scp=84990821934&partnerID=8YFLogxK

    M3 - Article

    AN - SCOPUS:84990821934

    VL - 33

    SP - 16

    EP - 28

    JO - Computer Software

    JF - Computer Software

    SN - 0289-6540

    IS - 3

    ER -