
Detection of Malicious Domains in APT via Mining Massive DNS Logs

ML4CS (1)(2020)

Abstract
With the rise of network attacks, advanced persistent threats (APT) impose severe challenges to network security. Since an APT attacker can easily hide the inevitable C&C traffic in massive volumes of Web traffic, HTTP-based C&C communication has become the preferred method, which in turn suggests new ideas for detection. Moreover, under the assumption that attackers have limited attack resources, the domains used in the same attack will show relevance to one another. Although a lot of work has focused on APT detection, detecting abnormal DNS activity in massive Web traffic remains a difficult task. In this paper, we propose a new framework based on belief propagation to identify suspicious domains and compromised hosts in APT. We extract domain features and calculate a maliciousness score from the DNS logs with minimal ground truth. We implement and validate our framework on anonymized DNS logs released by LANL. The experiments show that our approach identifies previously unknown malicious domains and achieves high detection rates.
Key words
APT, DNS, C&C detection, Malicious domain detection