Conference: IEEE International Conference on Computer Science and Network Technology

How to Detect Benign Domains Based on “Lonesome” DNS Traffic

Abstract

There is a fatal weakness in many previous domain classification methods based on DNS traffic. Almost all of the previous methods must get information on many duplicate domains in their DNS traffic in order to extract statistical features. However, there are many domains that appear only a few times in the DNS traffic (e.g. newly registered domains). This makes detection difficult for previous domain detection methods. In this paper, we first define a new term, "lonesome" DNS traffic, which has only a few duplicate domain request records and whose period is quite short. We then conduct experiments on real-world lonesome DNS traffic to explore which features are the most effective for detecting benign domains based on lonesome DNS traffic, and which machine learning method is suitable in this situation. The average AUC reaches 95.64% and the average false positive rate is 0.542%.
