Title: Method for Detecting a Malicious Domain by using only Well-known Information

Issue Number: Vol. 5, No. 4
Year of Publication: Nov - 2016
Page Numbers: 166-174
Authors: Masahiro Kuyama, Yoshio Kakizaki, Ryoichi Sasaki
Journal Name: International Journal of Cyber-Security and Digital Forensics (IJCSDF) - Hong Kong
DOI: http://dx.doi.org/10.17781/P002212

Damage caused by targeted attacks is a serious problem. Preventing only the initial infection is not enough, because the techniques used in targeted attacks, especially those aimed at illegally acquiring confidential information, become more sophisticated every year. In a targeted attack, the attacker wants to hide the C&C server so that it is not detected; as a result, the C&C server's domain is often not found by a web search engine. We use this absence from search engine results as a signal. In this study, we propose a method for identifying C&C servers by supervised machine learning, using features obtained from WHOIS, DNS and search sites for the domains of C&C servers and for normal domains. We also conduct an experiment on real data and verify the usefulness of the method by cross-validation. The results show that the method achieves a high detection rate of about 99.3%.
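The pipeline the abstract describes (WHOIS, DNS and search-site features, a supervised classifier, k-fold cross-validation), as an added example that is not the paper's code: it assumes a naive-Bayes classifier, three binary features of my own choosing (the abstract does not list the paper's features) and a constructed, labelled set of domain records.

```python
# Added example, not the paper's code: binary features from WHOIS, DNS and
# web-search lookups, a naive-Bayes classifier over them and k-fold cross-
# validation of the detection rate. Records, thresholds and the classifier are
# constructed assumptions; domain names use the reserved .example TLD.
import math
from dataclasses import dataclass

@dataclass
class DomainRecord:
    domain: str          # constructed sample name, not a real indicator
    whois_age_days: int  # WHOIS: days since the registration date
    dns_ttl: int         # DNS: TTL of the A record, in seconds
    search_hits: int     # search site: number of results for the domain
    is_cc: bool          # ground-truth label used for training

def features(r):
    """Signals: recently registered, short TTL, absent from search results."""
    return (r.whois_age_days < 90, r.dns_ttl < 600, r.search_hits == 0)

def train(rows):
    """Naive Bayes: P(C&C) and Laplace-smoothed P(feature=1 | class) per feature."""
    cc, ok = [features(r) for r in rows if r.is_cc], [features(r) for r in rows if not r.is_cc]
    cond = lambda g: [(sum(f[j] for f in g) + 1) / (len(g) + 2) for j in range(3)]
    return len(cc) / len(rows), cond(cc), cond(ok)

def predict(model, r):
    """True (C&C) when the log-odds of r's features favour the C&C class."""
    prior, p_cc, p_ok = model
    score = math.log(prior / (1 - prior))
    for f, pc, po in zip(features(r), p_cc, p_ok):
        score += math.log(pc / po) if f else math.log((1 - pc) / (1 - po))
    return score > 0

def cross_validate(rows, k=4):
    """k-fold CV over contiguous folds; returns the fraction classified correctly."""
    n, correct = len(rows), 0
    for i in range(k):
        held = rows[i * n // k:(i + 1) * n // k]
        model = train([r for r in rows if r not in held])
        correct += sum(predict(model, r) == r.is_cc for r in held)
    return correct / n

ROWS = [DomainRecord(*t) for t in [  # constructed set, alternating C&C / normal so folds stay balanced
    ("cc-a.example", 12, 300, 0, True),    ("news.example", 3000, 3600, 120000, False),
    ("cc-b.example", 40, 300, 0, True),    ("newblog.example", 30, 3600, 50, False),
    ("cc-c.example", 5, 3600, 0, True),    ("cdn.example", 5000, 300, 900000, False),
    ("cc-d.example", 70, 300, 0, True),    ("startup.example", 60, 300, 800, False),
    ("cc-e.example", 20, 86400, 0, True),  ("shop.example", 1500, 86400, 4000, False),
    ("cc-f.example", 400, 300, 0, True),   ("club.example", 45, 3600, 15, False),
    ("cc-g.example", 800, 3600, 0, True),  ("promo.example", 20, 300, 200, False),
    ("cc-h.example", 200, 1800, 0, True),  ("bank.example", 900, 3600, 30000, False),
]]
```

Because every constructed C&C record has zero search hits, the search-hit feature separates the set cleanly and `cross_validate(ROWS)` returns 1.0; on the paper's real data the same kind of evaluation gave the reported 99.3%.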