Doctrina: Annotated Bipartite Graph Mining for Malware-Control Domain Detection

2017 
Malware-control domains are a common and effective cybercriminal tool for remotely controlling malware-infected machines and stealing sensitive information, causing losses of billions of dollars every year. Since attackers use creative obfuscation techniques to evade blacklists and fool users, we propose Doctrina, a novel defense system that efficiently discovers the appearance of new malware-control domain names in very large ISP networks. Doctrina extracts 20 features from DNS traffic based on annotated bipartite graph mining, with a scalable architecture design, to identify new malware-control domains. We implemented a proof-of-concept version of Doctrina and deployed it in two large enterprises over a long period. The experimental results show that Doctrina achieves an AUC as high as 98% and finds new malware-control domains that other reputation systems cannot identify. In addition, we show that Doctrina outperforms Segugio, a previously proposed domain name reputation system.
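As an added illustration (not the paper's code; the abstract does not list Doctrina's 20 features, so the two features below are an assumption in the spirit of annotated bipartite graph mining), the following Python builds a host-to-domain bipartite graph from a constructed DNS query log, annotates hosts that queried a blacklisted domain as infected, and scores every unlabeled domain by how strongly it is tied to those hosts:

```python
"""Annotated host<->domain bipartite graph over DNS logs (illustrative example)."""
from collections import defaultdict

# Constructed sample DNS log: (client_ip, queried_domain). Not real traffic.
DNS_LOG = [
    ("10.0.0.1", "known-bad.example"), ("10.0.0.1", "candidate-a.example"),
    ("10.0.0.1", "cdn.example"),       ("10.0.0.2", "known-bad.example"),
    ("10.0.0.2", "candidate-a.example"), ("10.0.0.3", "candidate-a.example"),
    ("10.0.0.3", "cdn.example"),       ("10.0.0.4", "cdn.example"),
    ("10.0.0.4", "candidate-b.example"), ("10.0.0.5", "cdn.example"),
]
# Annotation: domains already known to be malware-control (constructed blacklist).
KNOWN_MALWARE = {"known-bad.example"}


def build_bipartite(log):
    """Return the two adjacency views of the bipartite graph: host->domains, domain->hosts."""
    host_to_dom, dom_to_host = defaultdict(set), defaultdict(set)
    for host, dom in log:
        host_to_dom[host].add(dom)
        dom_to_host[dom].add(host)
    return host_to_dom, dom_to_host


def infected_hosts(host_to_dom, known_bad):
    """Annotate a host as infected if it queried any known malware-control domain."""
    return {h for h, doms in host_to_dom.items() if doms & known_bad}


def domain_features(log, known_bad):
    """Per unlabeled domain, two assumed graph features:
    n_hosts        - how many distinct hosts queried it
    infected_ratio - fraction of those hosts that are annotated as infected
    A domain queried almost only by infected hosts is a strong candidate for review."""
    host_to_dom, dom_to_host = build_bipartite(log)
    infected = infected_hosts(host_to_dom, known_bad)
    feats = {}
    for dom, hosts in dom_to_host.items():
        if dom in known_bad:          # skip already-annotated nodes
            continue
        feats[dom] = {"n_hosts": len(hosts),
                      "infected_ratio": len(hosts & infected) / len(hosts)}
    return feats


def rank_candidates(log, known_bad):
    """Domains ordered by infected_ratio (desc), then by host count (desc), for analyst triage."""
    feats = domain_features(log, known_bad)
    return sorted(feats, key=lambda d: (-feats[d]["infected_ratio"], -feats[d]["n_hosts"]))


if __name__ == "__main__":
    for dom in rank_candidates(DNS_LOG, KNOWN_MALWARE):
        print(dom, domain_features(DNS_LOG, KNOWN_MALWARE)[dom])
```

A real deployment would feed such per-domain features, together with the others a system like Doctrina derives, into a classifier rather than ranking on a single ratio.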