Title: Apparatus and method for detecting malicious domain cluster
Abstract: An apparatus and method for detecting a malicious domain cluster. The apparatus for detecting a malicious domain cluster includes a domain name server (DNS) data collection unit and a malicious domain cluster detection unit. The DNS data collection unit collects DNS traffic over a network, and stores the DNS traffic in a database. The malicious domain cluster detection unit generates a domain cluster based on the DNS data, learns the characteristics of normal and malicious clusters in the domain cluster, and detects whether the domain cluster is malicious based on the result of the learning.
Publication number: US9560063(B2) Publication date: 2017.01.31
Application number: US201514735579 Filing date: 2015.06.10
Applicant: ELECTRONICS AND TELECOMMUNICATIONS RESEARCH INSTITUTE Inventors: Choi Changho; Kang Brent ByungHoon; Lee Sungryoul; Kang JungMin
Classification: G06F11/00; G06F12/14; G08B23/00; H04L29/06; G06N99/00; G06F21/00; H04L29/12 Main classification: G06F11/00
Agent firm: LRK Patent Law Firm Agent: LRK Patent Law Firm
Main claim: 1. An apparatus for detecting a malicious domain cluster, comprising: a domain name server (DNS) data collection unit configured to collect DNS traffic over a network and store the DNS traffic in a database; and a malicious domain cluster detection unit configured to generate a domain cluster based on the DNS data, learn characteristics of normal and malicious clusters in the domain cluster, and detect whether the domain cluster is malicious based on a result of the learning, wherein the malicious domain cluster detection unit is configured to comprise: a clustering module unit configured to generate the domain cluster by grouping domains, exhibiting group activities, into the domain cluster based on the DNS data; a labeling module unit configured to assign a malicious or normal cluster label to the generated domain cluster; a characteristic extraction module unit configured to extract a cluster characteristic different with respect to the malicious and normal clusters based on the generated domain cluster; a learning module unit configured to learn the malicious and normal clusters based on the cluster label and the cluster characteristic; and a detection module unit configured to detect whether the domain cluster is malicious based on a result of the learning of the learning module unit; and wherein the characteristic extraction module unit comprises: a domain age extraction module unit configured to extract an average of domain ages within the domain cluster and a standard deviation of the domain ages as a characteristic item; a domain popularity extraction module unit configured to extract an average of domain popularities within the domain cluster and a standard deviation of the domain popularities as a characteristic item; a resolved IP address extraction module unit configured to extract resolved IP addresses of the domains of the domain cluster as a characteristic item; and a domain link extraction module unit configured to extract an average of web page links indicative of the domains of the domain cluster and a standard deviation of the web page links as a characteristic item.
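The clustering and characteristic extraction steps of the claim, as an added illustration that is not code from the patent or its assignee: domains are grouped into a cluster when they share a resolved IP address (an assumed reading of "group activities"; the claim does not fix one), and each cluster then yields the claimed items, namely average and standard deviation of domain age, popularity and web page links, plus the set of resolved IPs. The domain records are constructed sample data, and "popularity" is taken here to mean a hypothetical daily resolver count.

```python
"""Cluster-level characteristic extraction in the style of the claim."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records, one per domain (not taken from the patent).
# age: days since registration; popularity: hypothetical daily resolver count;
# links: inbound web page links; ips: resolved A records seen in DNS data.
DOMAINS = {
    "cdn-a.example": {"age": 2100, "popularity": 50000, "links": 1200, "ips": {"198.51.100.10"}},
    "cdn-b.example": {"age": 1800, "popularity": 48000, "links": 1100, "ips": {"198.51.100.10", "198.51.100.11"}},
    "xk3f9.example": {"age": 3, "popularity": 12, "links": 0, "ips": {"203.0.113.7"}},
    "qz81m.example": {"age": 5, "popularity": 9, "links": 0, "ips": {"203.0.113.7"}},
    "pp02v.example": {"age": 2, "popularity": 15, "links": 1, "ips": {"203.0.113.7", "203.0.113.8"}},
}


def cluster_by_shared_ip(domains):
    """Clustering module: union-find over domains and IPs, so that domains
    sharing any resolved IP land in one cluster (assumed 'group activity')."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for name, rec in domains.items():
        for ip in rec["ips"]:
            parent[find(name)] = find(ip)
    clusters = defaultdict(list)
    for name in domains:
        clusters[find(name)].append(name)
    return [sorted(members) for members in clusters.values()]


def extract_characteristics(domains, members):
    """Characteristic extraction module: the four claimed items for one cluster.
    pstdev is the population standard deviation over the cluster's domains."""
    recs = [domains[m] for m in members]
    feats = {}
    for item in ("age", "popularity", "links"):
        vals = [r[item] for r in recs]
        feats[item + "_avg"] = mean(vals)
        feats[item + "_std"] = pstdev(vals)
    feats["resolved_ips"] = sorted(set().union(*(r["ips"] for r in recs)))
    return feats


def cluster_feature_table(domains):
    """One feature vector per cluster; a learning module would train on these
    together with the cluster labels and a detection module would score new ones."""
    return {tuple(m): extract_characteristics(domains, m) for m in cluster_by_shared_ip(domains)}
```

A young, unpopular, link-poor cluster whose members all resolve to one address stands out sharply from an established CDN cluster, which is the separation the learning module is meant to pick up.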
Address: Daejeon KR