Detecting Stealthy Malicious Domains via Graph Inferences

Mohamed Nabeel
12 min read · Apr 6, 2018

Connecting all the domains in the world and propagating labels across the graph to detect new malicious domains!

Why detect malicious domains?

As you probably know, many infections on the Internet happen because users access malicious domains. Take phishing, for example: a web server (e.g. apple-id-phishing.com) serves realistic-looking fake pages of a reputable website such as PayPal or Apple. You go ahead and type your PayPal or Apple username and password into that fake page. Instead of the request going to the real PayPal or Apple servers, your credentials end up in the hands of the attackers.

Further, malicious domains are the key infrastructure Internet miscreants use to launch sophisticated attacks. Take APTs (advanced persistent threats), for example: after the initial penetration, the implant communicates with C2 (command and control) servers (e.g. bot-controller.com). The Mirai botnet [1,2], which turned IoT devices such as remote cameras and home routers into bots, used at least 67 C2 domains during its spread in 2016.

Many malicious domains are created every day. To evade detection, Internet miscreants take advantage of the DNS infrastructure to create disposable domains: registering a new domain is cheap, whereas owning other Internet resources such as IP addresses is expensive. By constantly changing their network associations (which domains point at which IPs), these miscreants stay under the radar of the detection systems in place and also resist take-down efforts.
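The asymmetry above (domains are cheap, IPs are not) is what makes the domain-to-IP graph useful: a disposable domain that resolves to an IP already associated with known-bad domains inherits suspicion from them. The following is an added illustration, not the author's code or the specific method behind this post: harmonic label propagation over a bipartite domain/IP graph built from a handful of constructed passive-DNS-style records. The records, seed labels, the 192.0.2.1 "shared hosting" hub and the degree cutoff used to drop it are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed passive-DNS-style resolutions (domain, IP). Sample data for
# illustration only; the addresses are documentation ranges, not real hosts.
RECORDS = [
    ("known-bad-1.example",  "198.51.100.10"),
    ("known-bad-2.example",  "198.51.100.10"),
    ("known-bad-2.example",  "198.51.100.11"),
    ("unknown-a.example",    "198.51.100.11"),  # shares an IP only with a known-bad domain
    ("unknown-b.example",    "203.0.113.20"),   # shares an IP only with a known-good domain
    ("known-good-1.example", "203.0.113.20"),
    ("known-good-2.example", "203.0.113.21"),
    # 192.0.2.1 stands in for a shared-hosting IP: a hub touching good, bad and unknown domains.
    ("known-bad-1.example",  "192.0.2.1"),
    ("known-bad-2.example",  "192.0.2.1"),
    ("known-good-1.example", "192.0.2.1"),
    ("unknown-c.example",    "192.0.2.1"),      # its only neighbour is the hub
]

# Assumed seed labels (e.g. from a blocklist and an allowlist): 1.0 = malicious, 0.0 = benign.
SEEDS = {
    "known-bad-1.example": 1.0,
    "known-bad-2.example": 1.0,
    "known-good-1.example": 0.0,
    "known-good-2.example": 0.0,
}


def build_graph(records, max_ip_degree=None):
    """Bipartite domain <-> IP adjacency. IPs that resolve more than
    max_ip_degree domains are dropped as hubs (shared hosting, CDNs, sinkholes);
    a production system would rather down-weight them or use hosting metadata."""
    ip_to_domains = defaultdict(set)
    for domain, ip in records:
        ip_to_domains[ip].add(domain)
    # Keep every domain as a node even if it loses all of its edges.
    adj = {("domain", d): set() for d, _ in records}
    for ip, domains in ip_to_domains.items():
        if max_ip_degree is not None and len(domains) > max_ip_degree:
            continue
        adj[("ip", ip)] = set()
        for d in domains:
            adj[("domain", d)].add(("ip", ip))
            adj[("ip", ip)].add(("domain", d))
    return adj


def propagate(adj, seeds, prior=0.5, max_iters=200, tol=1e-9):
    """Harmonic label propagation: each unlabelled node takes the mean score of
    its neighbours (Jacobi updates); seed domains are clamped to their label.
    Isolated nodes keep the prior. Returns {domain: score in [0, 1]}."""
    score = {n: (seeds.get(n[1], prior) if n[0] == "domain" else prior) for n in adj}
    clamped = {("domain", d) for d in seeds if ("domain", d) in adj}
    for _ in range(max_iters):
        new = {}
        for node, nbrs in adj.items():
            if node in clamped or not nbrs:
                new[node] = score[node]
            else:
                new[node] = sum(score[n] for n in nbrs) / len(nbrs)
        delta = max(abs(new[n] - score[n]) for n in adj)
        score = new
        if delta < tol:
            break
    return {n[1]: s for n, s in score.items() if n[0] == "domain"}


def classify(scores, hi=0.6, lo=0.4):
    """Illustrative thresholds: scores near the seeds' labels get a verdict,
    anything in between stays undecided."""
    return {d: ("malicious" if s >= hi else "benign" if s <= lo else "undecided")
            for d, s in scores.items()}


if __name__ == "__main__":
    for cutoff in (None, 3):
        scores = propagate(build_graph(RECORDS, max_ip_degree=cutoff), SEEDS)
        verdicts = classify(scores)
        print(f"hub cutoff = {cutoff}")
        for d in sorted(scores):
            if d not in SEEDS:
                print(f"  {d:22s} score={scores[d]:.3f} -> {verdicts[d]}")
```

Running it shows the two things a practitioner needs to see: unknown-a inherits the malicious label through the IP it shares with known-bad-2, unknown-b inherits the benign label the same way, and unknown-c, whose only link is the shared-hosting hub, scores 2/3 and is flagged when the hub is kept but falls back to the 0.5 prior (undecided) once the hub is excluded. Shared infrastructure is exactly the signal the graph exploits, so hub handling decides whether it produces a detection or a false positive.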
