
MalHunter: Performing a Timely Detection on Malicious Domains via a Single DNS Query.

ICICS(2018)

Citations 24 | Views 59
Abstract
Domain names have been abused for illicit online activities for decades. A wealth of effort has been devoted to detecting malicious domains in the past. However, these works primarily identify suspicious DNS behaviors (e.g., lookup patterns, resolution graphs) to distinguish legitimate domains from malicious ones. These behaviors can only be observed after malicious activity is already underway, and thus are often too late to prevent miscreants from reaping the benefits of the attacks, delaying detection. In this paper, we propose MalHunter, a timely detection technique that determines a domain’s reputation via only a single DNS query. We base it on the insight that miscreants need to host malicious domains on IPs that they control, so different malicious domains are commonly hosted on the same IPs, which creates intrinsic associations. To capture these inherent associations, we employ a method based on a deep neural network architecture, thus making it possible to detect malicious domains via only a single DNS query. We evaluate MalHunter using real-world DNS traffic collected from three large ISP networks in China over two months. Compared to previous approaches, our method significantly reduces the time delay of detection from days or weeks to approximately ten microseconds while maintaining comparably high detection accuracy.
Keywords
Domain reputation, Timely detection, Single DNS query, Neural network, Malicious domain