An Imbalanced Malicious Domains Detection Method Based on Passive DNS Traffic Analysis

<table class="fixed-width table-group" id="tab1"><tr><td><table class="table"><colgroup><col style="width:14.40em"/><col style="width:2.71em"/><col style="width:25.52em"/><col style="width:11.36em"/></colgroup><tr><td class="thead-hr" colspan="4"><hr/></td></tr><tr class="thead"><td class="align_left">Feature group</td><td class="align_center">No.</td><td class="align_center">Feature Name</td><td class="align_center">Malicious domain profile</td></tr><tr><td class="thead-hr" colspan="4"><hr/></td></tr><tr><td class="align_left" rowspan="12">Static lexical features</td><td class="align_center">1</td><td class="align_center">Length of domain name</td><td class="align_center">Longer</td></tr><tr><td class="align_center">2</td><td class="align_center">Max length of labels in subdomain</td><td class="align_center">Longer</td></tr><tr><td class="align_center">3</td><td class="align_center">Character entropy</td><td class="align_center">Greater</td></tr><tr><td class="align_center">4</td><td class="align_center">Number of numerical characters</td><td class="align_center">Higher</td></tr><tr><td class="align_center">5</td><td class="align_center">Ratio of numerical characters</td><td class="align_center">Higher</td></tr><tr><td class="align_center">6</td><td class="align_center">Conversion frequency of numerical and alphabetic character</td><td class="align_center">Higher</td></tr><tr><td class="align_center">7</td><td class="align_center">Max length of continuous numerical characters</td><td class="align_center">Shorter</td></tr><tr><td class="align_center">8</td><td class="align_center">Max length of continuous alphabetic characters</td><td class="align_center">Longer</td></tr><tr><td class="align_center">9</td><td class="align_center">Max length of continuous same alphabetic characters</td><td class="align_center">Shorter</td></tr><tr><td class="align_center">10</td><td class="align_center">Ratio of vowels</td><td class="align_center">Lower</td></tr><tr><td class="align_center">11</td><td class="align_center">Max length of continuous consonants</td><td class="align_center">Longer</td></tr><tr><td class="align_center">12</td><td class="align_center">Conversion frequency of vowel and consonant</td><td class="align_center">Higher</td></tr><tr><td class="align_left" colspan="4"><hr/></td></tr><tr><td class="align_left" rowspan="4">Dynamic DNS resolving features</td><td class="align_center">13</td><td class="align_center">Number of distinct A records</td><td class="align_center">Higher</td></tr><tr><td class="align_center">14</td><td class="align_center">IP entropy of domain name</td><td class="align_center">Higher</td></tr><tr><td class="align_center">15</td><td class="align_center">Number of distinct NS records</td><td class="align_center">Higher</td></tr><tr><td class="align_center">16</td><td class="align_center">Similarity of NS domain name</td><td class="align_center">Bigger</td></tr><tr class="table-tr"><td colspan="4"><hr class="tbody-hr"/></td></tr></table></td></tr></table>

<div>An overview of domain features.</div>

Security and Communication Networks

tab1

Table 1

Table 1: An Imbalanced Malicious Domains Detection Method Based on Passive DNS Traffic Analysis 