A Malicious Domains Detection Method Based on File Sandbox Traffic

Daojing He; Jiayu Dai; Hongjie Gu; Shanshan Zhu; Sammy Chan; Jingyong Su; Mohsen Guizani

doi:10.1109/MNET.127.2200280

A Malicious Domains Detection Method Based on File Sandbox Traffic

Daojing He^*, Jiayu Dai, Hongjie Gu, Shanshan Zhu, Sammy Chan, Jingyong Su, Mohsen Guizani

^*Corresponding author for this work

Department of Electrical Engineering

Research output: Journal Publications and Reviews › RGC 21 - Publication in refereed journal › peer-review

1 Citation (Scopus)

Abstract

With the recent increasing number of malicious cyber activities using domain names as attack vectors, malicious domains must be detected and blocked in order to combat cyber attackers. However, current studies of malicious domains detection are limited to Domain Name System (DNS) traffic features or character features, which ignore the associations of malware and malicious domains in the detection. In this paper, we propose a malicious domains detection approach based on domain relationship features extracted from real sandbox traffic. We construct heterogeneous graphs based on sandbox traffic and use the Relational Graph Convolutional Network (RGCN) to build detection models to extract inter-node relationship features. Experiments are conducted using data extracted from real sandbox traffic, and our approach achieves an accuracy of 87.11%. The experimental results demonstrate the effectiveness of using relationship features extracted from sandbox traffic for malicious domains detection. © 2022 IEEE.

Original language	English
Pages (from-to)	182-188
Number of pages	7
Journal	IEEE Network
Volume	37
Issue number	6
Online published	25 Oct 2022
DOIs	https://doi.org/10.1109/MNET.127.2200280
Publication status	Published - Nov 2023

Research Keywords

Blocklists
Data mining
Feature extraction
IP networks
Task analysis
Uniform resource locators
Viruses (medical)
Malicious domains detection
Heterogeneous information network
Relational graph convolutional network
Sandbox traffic

Access Output

10.1109/MNET.127.2200280

Other Access Options

Check CityUHK Library

Permanent Link

Right click to copy link

Cite this

@article{3f9cf44d409946dc9c1ae487f7b17f5f,

title = "A Malicious Domains Detection Method Based on File Sandbox Traffic",

abstract = "With the recent increasing number of malicious cyber activities using domain names as attack vectors, malicious domains must be detected and blocked in order to combat cyber attackers. However, current studies of malicious domains detection are limited to Domain Name System (DNS) traffic features or character features, which ignore the associations of malware and malicious domains in the detection. In this paper, we propose a malicious domains detection approach based on domain relationship features extracted from real sandbox traffic. We construct heterogeneous graphs based on sandbox traffic and use the Relational Graph Convolutional Network (RGCN) to build detection models to extract inter-node relationship features. Experiments are conducted using data extracted from real sandbox traffic, and our approach achieves an accuracy of 87.11%. The experimental results demonstrate the effectiveness of using relationship features extracted from sandbox traffic for malicious domains detection. {\textcopyright} 2022 IEEE.",

keywords = "Blocklists, Data mining, Feature extraction, IP networks, Task analysis, Uniform resource locators, Viruses (medical), Malicious domains detection, Heterogeneous information network, Relational graph convolutional network, Sandbox traffic",

author = "Daojing He and Jiayu Dai and Hongjie Gu and Shanshan Zhu and Sammy Chan and Jingyong Su and Mohsen Guizani",

year = "2023",

month = nov,

doi = "10.1109/MNET.127.2200280",

language = "English",

volume = "37",

pages = "182--188",

journal = "IEEE Network",

issn = "0890-8044",

publisher = "IEEE",

number = "6",

}

TY - JOUR

T1 - A Malicious Domains Detection Method Based on File Sandbox Traffic

AU - He, Daojing

AU - Dai, Jiayu

AU - Gu, Hongjie

AU - Zhu, Shanshan

AU - Chan, Sammy

AU - Su, Jingyong

AU - Guizani, Mohsen

PY - 2023/11

Y1 - 2023/11

N2 - With the recent increasing number of malicious cyber activities using domain names as attack vectors, malicious domains must be detected and blocked in order to combat cyber attackers. However, current studies of malicious domains detection are limited to Domain Name System (DNS) traffic features or character features, which ignore the associations of malware and malicious domains in the detection. In this paper, we propose a malicious domains detection approach based on domain relationship features extracted from real sandbox traffic. We construct heterogeneous graphs based on sandbox traffic and use the Relational Graph Convolutional Network (RGCN) to build detection models to extract inter-node relationship features. Experiments are conducted using data extracted from real sandbox traffic, and our approach achieves an accuracy of 87.11%. The experimental results demonstrate the effectiveness of using relationship features extracted from sandbox traffic for malicious domains detection. © 2022 IEEE.

AB - With the recent increasing number of malicious cyber activities using domain names as attack vectors, malicious domains must be detected and blocked in order to combat cyber attackers. However, current studies of malicious domains detection are limited to Domain Name System (DNS) traffic features or character features, which ignore the associations of malware and malicious domains in the detection. In this paper, we propose a malicious domains detection approach based on domain relationship features extracted from real sandbox traffic. We construct heterogeneous graphs based on sandbox traffic and use the Relational Graph Convolutional Network (RGCN) to build detection models to extract inter-node relationship features. Experiments are conducted using data extracted from real sandbox traffic, and our approach achieves an accuracy of 87.11%. The experimental results demonstrate the effectiveness of using relationship features extracted from sandbox traffic for malicious domains detection. © 2022 IEEE.

KW - Blocklists

KW - Data mining

KW - Feature extraction

KW - IP networks

KW - Task analysis

KW - Uniform resource locators

KW - Viruses (medical)

KW - Malicious domains detection

KW - Heterogeneous information network

KW - Relational graph convolutional network

KW - Sandbox traffic

UR - http://www.scopus.com/inward/record.url?scp=85141534936&partnerID=8YFLogxK

UR - https://www.scopus.com/record/pubmetrics.uri?eid=2-s2.0-85141534936&origin=recordpage

U2 - 10.1109/MNET.127.2200280

DO - 10.1109/MNET.127.2200280

M3 - RGC 21 - Publication in refereed journal

SN - 0890-8044

VL - 37

SP - 182

EP - 188

JO - IEEE Network

JF - IEEE Network

IS - 6

ER -

A Malicious Domains Detection Method Based on File Sandbox Traffic

Abstract

Research Keywords

Access Output

Other Access Options

Permanent Link

Other Files and Links

Fingerprint

GRF: Massive Access over an OFDM Platform

Cite this

A Malicious Domains Detection Method Based on File Sandbox Traffic

Abstract

Research Keywords

Access Output

Other Access Options

Permanent Link

Other Files and Links

Fingerprint

Projects

GRF: Massive Access over an OFDM Platform

Cite this