Abstract
Because the Domain Name System (DNS) provides flexibility and robustness in communication between hosts on the Internet, not only legitimate users but also attackers often take advantage of it. If we know how attackers manage their malicious domains with authoritative name servers, it becomes possible to detect not only malicious domains but also malicious authoritative name servers. In this study, we present a novel method for detecting malicious “domains” (denoted d) and malicious “authoritative name servers” (denoted ns-d) based on their distinct mappings to “IP addresses” (denoted IP). Namely, we present three features for detecting them: 1) a single ns-d is mapped to many IPs, 2) a single IP is mapped to many ns-d, and 3) a single IP is mapped to both ns-d and d. We evaluate the proposed method in terms of accuracy and coverage in detecting malicious d and ns-d. The evaluation shows that our detection method can achieve a significantly low false positive rate in detecting both malicious d and ns-d without relying on any prior knowledge, such as blacklists or whitelists.
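The three mapping features listed above, computed over a small set of constructed DNS observations, as an added example that is not code from the paper. The record layout, the threshold `many`, the function name and every name and address in the sample are assumptions; the abstract does not state how "many" is defined.

```python
from collections import defaultdict

# Constructed observations (not from the paper): (name, role, ip), where role
# is "d" for a domain or "ns-d" for an authoritative name server.
OBSERVATIONS = [
    ("ns1.fast.example", "ns-d", "192.0.2.1"),
    ("ns1.fast.example", "ns-d", "192.0.2.2"),
    ("NS1.fast.example.", "ns-d", "192.0.2.3"),   # same host, different spelling
    ("ns1.a.example", "ns-d", "198.51.100.7"),
    ("ns1.b.example", "ns-d", "198.51.100.7"),
    ("ns1.c.example", "ns-d", "198.51.100.7"),
    ("ns1.shop.example", "ns-d", "203.0.113.9"),
    ("shop.example", "d", "203.0.113.9"),
    ("ns1.quiet.example", "ns-d", "203.0.113.50"),
    ("quiet.example", "d", "203.0.113.60"),
]

def mapping_features(observations, many=3):
    """Group observations by the three ns-d / d / IP mapping features.

    `many` is an assumed threshold for "many"; tune it on your own data.
    """
    ns_to_ips = defaultdict(set)   # ns-d -> IPs it resolved to
    ip_to_ns = defaultdict(set)    # IP   -> ns-d names seen on it
    ip_to_d = defaultdict(set)     # IP   -> d names seen on it
    for name, role, ip in observations:
        name = name.lower().rstrip(".")   # DNS names are case-insensitive
        if role == "ns-d":
            ns_to_ips[name].add(ip)
            ip_to_ns[ip].add(name)
        elif role == "d":
            ip_to_d[ip].add(name)
        else:
            raise ValueError(f"unknown role: {role!r}")
    return {
        # Feature 1: a single ns-d is mapped to many IPs.
        "ns_many_ip": {ns for ns, ips in ns_to_ips.items() if len(ips) >= many},
        # Feature 2: a single IP is mapped to many ns-d.
        "ip_many_ns": {ip for ip, ns in ip_to_ns.items() if len(ns) >= many},
        # Feature 3: a single IP is mapped to both ns-d and d.
        "ip_ns_and_d": {ip: {"ns-d": sorted(ip_to_ns[ip]), "d": sorted(ip_to_d[ip])}
                        for ip in ip_to_ns if ip in ip_to_d},
    }

if __name__ == "__main__":
    for feature, hits in mapping_features(OBSERVATIONS).items():
        print(feature, hits)
```

The output is a list of candidates for review, not a verdict; the paper's accuracy figures apply to its own method and data, not to this sketch.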