Abstract
Domain name system(DNS) is a basic part of the Internet infrastructure, but it is also abused by attackers in various cybercrimes, making the task of malicious domain detection increasingly important. Most of previous detection methods employ feature-based methods for malicious domain detection. However, the feature-based methods can be easily circumvented by attackers. To solve this issue, some recent researches utilize associations among domains to identify malicious domains, yet without jointly considering both local neighbor’s importance and global semantic information’s importance. In this paper, we present HANDom, a robust and accurate malicious detection system based on a heterogeneous graph attention network. In HANDom, we first model the DNS scene as a heterogeneous information network(HIN) including domains, clients, IP addresses and their relationships, to capture implicit relationships between domains. Then, we use a hierarchical attention mechanism to learn the importance of different neighbors based meta-path as well as the importance of different meta-paths to the current domain node. Extensive experiments are carried out on the real DNS dataset and results show that our system outperforms the state-of-the-art methods.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
References
Alexa top 1 million. https://aws.amazon.com/cn/alexa-top-sites/ (2022)
cybercrime. https://cybercrime-tracker.net/ (2022)
Malware domain block list. www.malwaredomains.com (2022)
Phishtank. www.phishtank.com (2022)
Virustotal. www.virustotal.com (2022)
Antonakakis, M., Perdisci, R., Dagon, D., Lee, W., Feamster, N.: Building a dynamic reputation system for DNS. In: USENIX Security Symposium, pp. 273–290 (2010)
Bilge, L., Sen, S., Balzarotti, D., Kirda, E., Kruegel, C.: Exposure: a passive DNS analysis service to detect and report malicious domains. ACM Trans. Inf. Syst. Secur. (TISSEC) 16(4), 1–28 (2014)
Dong, Y., Chawla, N.V., Swami, A.: metapath2vec: scalable representation learning for heterogeneous networks. In: Proceedings of the 23rd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 135–144 (2017)
He, W., Gou, G., Kang, C., Liu, C., Li, Z., **ong, G.: Malicious domain detection via domain relationship and graph models. In: 2019 IEEE 38th International Performance Computing and Communications Conference (IPCCC), pp. 1–8. IEEE (2019)
Kipf, T.N., Welling, M.: Semi-supervised classification with graph convolutional networks. ar**v preprint ar**v:1609.02907 (2016)
Liu, Z., Li, S., Zhang, Y., Yun, X., Peng, C.: Ringer: systematic mining of malicious domains by dynamic graph convolutional network. In: Krzhizhanovskaya, V.V., et al. (eds.) ICCS 2020. LNCS, vol. 12139, pp. 379–398. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-50420-5_28
Peng, C., Yun, X., Zhang, Y., Li, S.: MalShoot: shooting malicious domains through graph embedding on passive DNS data. In: Gao, H., Wang, X., Yin, Y., Iqbal, M. (eds.) CollaborateCom 2018. LNICST, vol. 268, pp. 488–503. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-12981-1_34
Perozzi, B., Al-Rfou, R., Skiena, S.: Deepwalk: online learning of social representations. In: Proceedings of the 20th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 701–710 (2014)
Schüppen, S., Teubert, D., Herrmann, P., Meyer, U.: \(\{\)FANCI\(\}\): feature-based automated nxdomain classification and intelligence. In: 27th \(\{\)USENIX\(\}\) Security Symposium (\(\{\)USENIX\(\}\) Security 18), pp. 1165–1181 (2018)
Sun, X., Tong, M., Yang, J., **nran, L., Heng, L.: Hindom: a robust malicious domain detection system based on heterogeneous information network with transductive classification. In: 22nd International Symposium on Research in Attacks, Intrusions and Defenses (\(\{\)RAID\(\}\) 2019), pp. 399–412 (2019)
Sun, X., Wang, Z., Yang, J., Liu, X.: Deepdom: malicious domain detection with scalable and heterogeneous graph convolutional networks. Comput. Secur. 99, 102057 (2020)
Sun, X., Yang, J., Wang, Z., Liu, H.: Hgdom: heterogeneous graph convolutional networks for malicious domain detection. In: NOMS 2020–2020 IEEE/IFIP Network Operations and Management Symposium, pp. 1–9. IEEE (2020)
Veličković, P., Cucurull, G., Casanova, A., Romero, A., Lio, P., Bengio, Y.: Graph attention networks. ar**v preprint ar**v:1710.10903 (2017)
Zhang, S., et al.: Attributed heterogeneous graph neural network for malicious domain detection. In: 2021 IEEE 24th International Conference on Computer Supported Cooperative Work in Design (CSCWD), pp. 397–403. IEEE (2021)
Acknowledgements
This work was partly supported by Strategic Priority Research Program of the Chinese Academy of Sciences under Grant No. XDC02030000.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Li, Z., Yuan, F., Liu, Y., Cao, C., Fang, F., Tan, J. (2022). Heterogeneous Graph Attention Network for Malicious Domain Detection. In: Pimenidis, E., Angelov, P., Jayne, C., Papaleonidas, A., Aydin, M. (eds) Artificial Neural Networks and Machine Learning – ICANN 2022. ICANN 2022. Lecture Notes in Computer Science, vol 13530. Springer, Cham. https://doi.org/10.1007/978-3-031-15931-2_42
Download citation
DOI: https://doi.org/10.1007/978-3-031-15931-2_42
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-15930-5
Online ISBN: 978-3-031-15931-2
eBook Packages: Computer ScienceComputer Science (R0)