A Stacking Approach to Objectionable-Related Domain Names Identification by Passive DNS Traffic (Short Paper)

  • Chen Zhao
  • Yongzheng ZhangEmail author
  • Tianning Zang
  • Zhizhou Liang
  • Yipeng Wang
Conference paper
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 268)


Domain name classification is an important issue in the field of cyber security. Notice that objectionable-related domain names are one category of domain names that serve services such as gambling, pornography, etc. They are classified and even forbidden in some areas, some of these domain names may defraud visitors privacy and property. Timely and accurate identification of these domain names is significant for Internet content censorship and users security. In this work, we analyze the behavior of objectionable-related domain names from the real-world DNS traffic, finding that there exist evidently differences between objectionable-related domain names and none-objectionable ones. In this paper, we propose a stacking approach to objectionable-related domain names identification, VisSensor, that automatically extracts name features and latent visiting patterns of domain names from the DNS traffic and distinguishes objectionable-related ones. We integrate convolutional neural networks with fully-connected neural networks to collaborate features of different dimensions and improve experimental results. The accuracy of VisSensor is 88.48% with a false positive rate of \(9.11\%\). We also compared VisSensor with a public domain name tagging system, and our VisSensor performed better than the tagging system on the identification task of the objectionable-related domain names.


Objectionable-related domain name Traffic analysis Convolutional neural network 


  1. 1.
    Customer URL Ticketing System. Accessed 12 July 2018
  2. 2.
    Weimer, F.: Passive DNS replication. In: FIRST Conference on Computer Security Incident, p. 98 (2005)Google Scholar
  3. 3.
    Zdrnja, B., Brownlee, N., Wessels, D.: Passive monitoring of DNS anomalies. In: M. Hämmerli, B., Sommer, R. (eds.) DIMVA 2007. LNCS, vol. 4579, pp. 129–139. Springer, Heidelberg (2007). Scholar
  4. 4.
    Antonakakis, M., Perdisci, R., Dagon, D., et al.: Building a dynamic reputation system for DNS. In: USENIX Security Symposium, pp. 273–290 (2010)Google Scholar
  5. 5.
    Bilge, L., Kirda, E., Kruegel, C., et al.: EXPOSURE: finding malicious domains using passive DNS analysis. In: NDSS (2011)Google Scholar
  6. 6.
    Antonakakis, M., Perdisci, R., Lee, W., et al.: Detecting malware domains at the upper DNS hierarchy. In: USENIX Security Symposium, pp. 1–16 (2011)Google Scholar
  7. 7.
    Rahbarinia, B., Perdisci, R., Antonakakis, M.: Segugio: efficient behavior-based tracking of malware-control domains in large ISP networks. In: 2015 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN, pp. 403–414. IEEE (2015)Google Scholar
  8. 8.
    Hao, S., Thomas, M., Paxson, V., et al.: Understanding the domain registration behavior of spammers. In: Proceedings of the 2013 Conference on Internet Measurement Conference, pp. 63–76. ACM (2013)Google Scholar
  9. 9.
    LeCun, Y., Jackel, L.D., Bottou, L., et al.: Learning algorithms for classification: a comparison on handwritten digit recognition. Neural Netw.: Stat. Mech. Perspect. 261, 276 (1995)Google Scholar
  10. 10.
    Szegedy, C., Liu, W., Jia, Y., et al.: Going deeper with convolutions. In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pp. 1–9 (2015)Google Scholar
  11. 11.
    Sinha, S., Bailey, M., Jahanian, F.: Shades of Grey: on the effectiveness of reputation-based “blacklists”. In: 3rd International Conference on Malicious and Unwanted Software, MALWARE 2008, pp. 57–64. IEEE (2008)Google Scholar
  12. 12.
    Sheng, S., Wardman, B., Warner, G., et al.: An empirical analysis of phishing blacklists. In: Sixth Conference on Email and Anti-Spam, CEAS (2009)Google Scholar
  13. 13.
    Kührer, M., Rossow, C., Holz, T.: Paint it black: evaluating the effectiveness of malware blacklists. In: Stavrou, A., Bos, H., Portokalidis, G. (eds.) RAID 2014. LNCS, vol. 8688, pp. 1–21. Springer, Cham (2014). Scholar
  14. 14.
    Kheir, N., Tran, F., Caron, P., Deschamps, N.: Mentor: positive DNS reputation to skim-off benign domains in botnet C&C blacklists. In: Cuppens-Boulahia, N., Cuppens, F., Jajodia, S., Abou El Kalam, A., Sans, T., et al. (eds.) SEC 2014. IFIPAICT, vol. 428, pp. 1–14. Springer, Heidelberg (2014). Scholar
  15. 15.
    Stevanovic, M., Pedersen, J.M., D’Alconzo, A., et al.: On the ground truth problem of malicious DNS traffic analysis. Comput. Secur. 55, 142–158 (2015)CrossRefGoogle Scholar

Copyright information

© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2019

Authors and Affiliations

  • Chen Zhao
    • 1
    • 2
  • Yongzheng Zhang
    • 1
    • 2
    Email author
  • Tianning Zang
    • 1
    • 2
  • Zhizhou Liang
    • 1
    • 2
  • Yipeng Wang
    • 1
    • 2
  1. 1.School of Cyber SecurityUniversity of Chinese Academy of SciencesBeijingChina
  2. 2.Institute of Information EngineeringCASBeijingChina

Personalised recommendations