Skip to main content
SpringerLink
Log in

An Analysis Method for Time-Based Features of Malicious Domains Based on Time Series Clustering

  • Conference paper
  • First Online:
Web Information Systems and Applications (WISA 2023)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 14094))

Included in the following conference series:

  • 545 Accesses

Abstract

Malicious domains are widely used in network attacks. As DNS traffic features related to domain access time, time-based features of domains can describe the regularity of malicious activities but cannot be circumvented by attackers. These features are commonly used in malicious domain detection. Traditional detection methods generally use static statistical values in analyzing time-based features, but they ignore the temporal regularity of the features, thus resulting in inaccurate feature extraction. In view of this, in this paper, we proposed an analysis method for time-based features of malicious domains based on time series clustering. Firstly, density clustering is used to divide time intervals of time series to preserve the integrity of consecutive requests of malicious domains. Secondly, multiple time-based features are selected to depict malicious activity patterns. Thirdly, dynamic time warping and hierarchical clustering are applied as series similarity measure and clustering method respectively. The proposed method explores malicious domains by analyzing the similarity of time-based features series of different domains. Experimental results show that compared with the detection method using static statistical values, the accuracy and precision in this method improves from 88.49% to 96.30% and from 59.21% to 92.43% respectively, which proves that it can help detect malicious domains effectively.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 79.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 99.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Jiang, Y., Di, W.: An integrated Chinese malicious webpages detection method based on pre-trained language models and feature fusion. In: Zhao, X., Yang, S., Wang, X., Li, J. (eds.) Web Information Systems and Applications: 19th International Conference, WISA 2022, Dalian, China, September 16–18, 2022, Proceedings, pp. 155–167. Springer International Publishing, Cham (2022). https://doi.org/10.1007/978-3-031-20309-1_14

    Chapter  Google Scholar 

  2. Plohmann, D., Yakdan, K., Klatt, M., et al.: A comprehensive measurement study of domain generating malware. In: 25th USENIX Security Symposium, pp. 263–278 (2016)

    Google Scholar 

  3. Almomani, A.: Fast-flux hunter: a system for filtering online fast-flux botnet. Neural Comput. Appl. 29(7), 483–493 (2016). https://doi.org/10.1007/s00521-016-2531-1

    Article  Google Scholar 

  4. Iwahana, K., Takemura, T., Cheng, J., et al.: MADMAX: browser-based malicious domain detection through extreme learning machine. IEEE Access 9, 78293–78314 (2021)

    Article  Google Scholar 

  5. Woodbridge, J., Anderson, H., Ahuja, A., et al.: Predicting domain generation algorithms with long short-term memory networks. ArXiv 1611.00791 (2016)

    Google Scholar 

  6. Saxe, J., Berlin, K.: eXpose: a character-level convolutional neural network with embeddings for detecting malicious urls, file paths and registry keys. ArXiv 1702.08568 (2017)

    Google Scholar 

  7. Liang, Z., Zang, T., Zeng, Y.: Malportrait: sketch malicious domain portals based on passive DNS data. In: IEEE Wireless Communications and Networking Conference (2020)

    Google Scholar 

  8. Han, C., Zhang, Y., Zhang, Y.: Fast flucos: malicious domain name detection method for fast flux based on DNS traffic. J. Commun. 41(5), 37–47 (2020)

    MathSciNet  Google Scholar 

  9. Zhang, S., Zhou, Z., Li, D., et al.: Attributed heterogeneous graph neural network for malicious domain. In: 24th International Conference on Computer Supported Cooperative Work in Design, pp. 397–403 (2021)

    Google Scholar 

  10. Bilge, L., Sen, S., Balzarotti, D., et al.: Exposure: a passive DNS analysis service to detect and report malicious domains. ACM Trans. Inf. Syst. Secur. 16(4), 1–28 (2014). https://doi.org/10.1145/2584679

    Article  Google Scholar 

  11. Li, M., Li, Q., Xuan, G., et al.: Identifying compromised hosts under apt using DNS request sequences. J. Parallel Distrib. Comput. 152, 67–78 (2021)

    Article  Google Scholar 

  12. Lazar, D., Cohen, K., Freund, A., et al.: IMDoC: identification of malicious domain campaigns via DNS and communicating files. IEEE Access 9, 45242–45258 (2021)

    Article  Google Scholar 

  13. Niu, W., Xiao, J., Zhang, X., et al.: Malware on internet of UAVs detection combining string matching and fourier transformation. IEEE Internet Things J. 8(12), 9905–9919 (2021)

    Article  Google Scholar 

  14. Tomatsuri, T., Chiba, D., Akiyama, M., et al.: Time-series measurement of parked domain names and their malicious uses. IEICE Trans. Commun. E104B(7), 770–780 (2021)

    Article  Google Scholar 

  15. Aghabozorgi, S., Shirkhorshidi, A.S., Wah, T.Y.: Time-series clustering – A decade review. Inf. Syst. 53(16), 16–38 (2015)

    Article  Google Scholar 

  16. Zhu, D., Li, Z., Hu, P., et al.: Improved DBSCAN algorithm based on relative mass of the data field. In: Proceedings of SPIE - The International Society for Optical Engineering, p. 12168 (2022)

    Google Scholar 

  17. Alaee, S., Mercer, R., Kamgar, K., et al.: Time series motifs discovery under DTW allows more robust discovery of conserved structure. Data Min. Knowl. Disc. 35(3), 863–910 (2021)

    Article  MathSciNet  MATH  Google Scholar 

  18. Ran, X., Xi, Y., Lu, Y., et al.: Comprehensive survey on hierarchical clustering algorithms and the recent developments. Artif. Intell. Rev. 56(8), 8219–8264 (2023)

    Article  Google Scholar 

  19. NetLab DGA project: http://data.netlab.360.com/dga/. Last accessed 2 May 2023

  20. Alexa's top ranked web sites: http://s3.amazonaws.com/alexa-static/top-1m.csv.zip. Last accessed 2 May 2023

  21. Virustotal: https://www.virustotal.com/. Last accessed 2 May 2023

Download references

Acknowledgement

This work was supported by National Key R&D Program of China (2020YFB1805601) and the Research and Planning Project for Higher Education Science of China Association of Higher Education (22XX0403). The computing work in this paper was supported by the Public Service Platform of High Performance Computing by Network & Computation Center of HUST.

Author information

Authors and Affiliations

  1. Network and Computation Center, Huazhong University of Science and Technology, Wuhan, China

    Gezhi Yan, Jianke Hong, Lian Liu & Lijuan Zhou

  2. Network and Informatization Office, Huazhong University of Science and Technology, Wuhan, China

    Kunmei Wen

Authors
  1. Gezhi Yan
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Kunmei Wen
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Jianke Hong
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Lian Liu
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Lijuan Zhou
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Kunmei Wen .

Editor information

Editors and Affiliations

  1. Nanjing University of Science and Technology, Nanjing, China

    Long Yuan

  2. Guangzhou University, Guangzhou, China

    Shiyu Yang

  3. Huazhong University of Science and Technology, Wuhan, China

    Ruixuan Li

  4. University of Amsterdam, Amsterdam, The Netherlands

    Evangelos Kanoulas

  5. National University of Defense Technology, Changsha, China

    Xiang Zhao

Rights and permissions

Reprints and permissions

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Yan, G., Wen, K., Hong, J., Liu, L., Zhou, L. (2023). An Analysis Method for Time-Based Features of Malicious Domains Based on Time Series Clustering. In: Yuan, L., Yang, S., Li, R., Kanoulas, E., Zhao, X. (eds) Web Information Systems and Applications. WISA 2023. Lecture Notes in Computer Science, vol 14094. Springer, Singapore. https://doi.org/10.1007/978-981-99-6222-8_29

Download citation

  • DOI: https://doi.org/10.1007/978-981-99-6222-8_29

  • Published:

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-99-6221-1

  • Online ISBN: 978-981-99-6222-8

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

Search

Navigation