Research Article
An Imbalanced Malicious Domains Detection Method Based on Passive DNS Traffic Analysis
Table 1
An overview of domain features.
| Feature group | No. | Feature Name | Malicious domain profile |
| --- | --- | --- | --- |
| Static lexical features | 1 | Length of domain name | Longer |
| | 2 | Max length of labels in subdomain | Longer |
| | 3 | Character entropy | Greater |
| | 4 | Number of numerical characters | Higher |
| | 5 | Ratio of numerical characters | Higher |
| | 6 | Conversion frequency of numerical and alphabetic character | Higher |
| | 7 | Max length of continuous numerical characters | Shorter |
| | 8 | Max length of continuous alphabetic characters | Longer |
| | 9 | Max length of continuous same alphabetic characters | Shorter |
| | 10 | Ratio of vowels | Lower |
| | 11 | Max length of continuous consonants | Longer |
| | 12 | Conversion frequency of vowel and consonant | Higher |
| Dynamic DNS resolving features | 13 | Number of distinct A records | Higher |
| | 14 | IP entropy of domain name | Higher |
| | 15 | Number of distinct NS records | Higher |
| | 16 | Similarity of NS domain name | Bigger |
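
The static lexical features (No. 1 to 12 in Table 1) can be computed from the domain string alone. The sketch below is an added example, not code from the article: the table gives only feature names, so every definition here (Shannon entropy in bits, raw transition counts for features 6 and 12, the maximum over all labels for feature 2, dots excluded from ratios) is an assumption, as are the function names and the constructed sample domains.

```python
import math
import re
from collections import Counter

VOWELS = "aeiou"
CONSONANTS = "bcdfghjklmnpqrstvwxyz"

def max_run(s, pattern):
    """Length of the longest match of pattern in s (0 if none)."""
    return max((len(m.group(0)) for m in re.finditer(pattern, s)), default=0)

def switches(s, classify):
    """Adjacent character pairs whose classes differ; unclassified chars break a pair."""
    pairs = zip(map(classify, s), map(classify, s[1:]))
    return sum(1 for a, b in pairs if a and b and a != b)

def digit_alpha(ch):
    return "d" if ch.isdigit() else "a" if ch.isalpha() else None

def vowel_consonant(ch):
    return "v" if ch in VOWELS else "c" if ch in CONSONANTS else None

def lexical_features(domain):
    """Features 1-12 of Table 1 for one domain name (definitions are assumptions)."""
    name = domain.lower().rstrip(".")
    chars = name.replace(".", "")      # dots are excluded from character statistics
    n = max(len(chars), 1)
    entropy = -sum(c / n * math.log2(c / n) for c in Counter(chars).values())
    digits = sum(ch.isdigit() for ch in chars)
    return {
        "length": len(name),                                    # 1
        "max_label_length": max(map(len, name.split("."))),     # 2 (all labels, assumed)
        "char_entropy": entropy,                                # 3 (Shannon, bits)
        "digit_count": digits,                                  # 4
        "digit_ratio": digits / n,                              # 5
        "digit_alpha_switches": switches(name, digit_alpha),    # 6 (raw count, assumed)
        "max_digit_run": max_run(name, r"[0-9]+"),              # 7
        "max_alpha_run": max_run(name, r"[a-z]+"),              # 8
        "max_same_letter_run": max_run(name, r"([a-z])\1*"),    # 9
        "vowel_ratio": sum(ch in VOWELS for ch in chars) / n,   # 10
        "max_consonant_run": max_run(name, f"[{CONSONANTS}]+"), # 11
        "vowel_consonant_switches": switches(name, vowel_consonant),  # 12
    }

# Constructed sample names, not data from the article.
SAMPLES = ["xk7q2zzr9.example.com", "www.example.com"]

if __name__ == "__main__":
    for d in SAMPLES:
        print(d, lexical_features(d))
```

The dynamic DNS resolving features (No. 13 to 16) are not covered because they require observed passive DNS records rather than the name itself.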