HINCDG: Multi-Meta-Path Graph Auto-Encoders for Mining of Weak Association Malicious Domains

  • Conference paper
Science of Cyber Security (SciSec 2022)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13580)

Abstract

Detecting malicious domain names in the early stages of their life cycle is extremely challenging, because they have little interaction with other domain names or entities and few access records. Detection methods based on association relationships are highly robust and difficult to evade. However, these methods require a time window to accumulate relations. Because the data for newly emerged domain names is sparse, it is difficult to detect malicious domain names early in their life cycle. We regard the lack of initial association relationships of domain name nodes as a missing data problem. A variety of heterogeneous association relationships are extracted from the dynamic evolution graph of HINS, which contains structural neighbourhood information and temporal features. We then randomly drop out some meta-path domain name associations to construct missing initial associations, which increases the ability to reason about missing associations and improves the detection of newly emerging malicious domains with weak associations. HINCDG has been evaluated on ISP DNS traffic (one billion queries per hour); the experimental results (97% F1-Measure) illustrate its efficiency and accuracy.

Acknowledgments

We are grateful to the anonymous reviewers for their work and insightful feedback. This work was supported by the National Key Research and Development Program of China under Grant 2021YFB3101503.

Author information

Correspondence to Guangjun Wu or Junnan Yin.

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Sun, J. et al. (2022). HINCDG: Multi-Meta-Path Graph Auto-Encoders for Mining of Weak Association Malicious Domains. In: Su, C., Sakurai, K., Liu, F. (eds) Science of Cyber Security. SciSec 2022. Lecture Notes in Computer Science, vol 13580. Springer, Cham. https://doi.org/10.1007/978-3-031-17551-0_26

  • DOI: https://doi.org/10.1007/978-3-031-17551-0_26

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-17550-3

  • Online ISBN: 978-3-031-17551-0

  • eBook Packages: Computer Science, Computer Science (R0)
