ACM Computing Surveys (CSUR), Vol.51, N°4, Article N°67, September 2018
Malicious domains are one of the major resources required for adversaries to run attacks over the Internet. Due to the important role of the Domain Name System (DNS), extensive research has been conducted to identify malicious domains based on their unique behavior relected in diferent phases of the life cycle of DNS queries and responses. Existing approaches difer signiicantly in terms of intuitions, data analysis methods as well as evaluation methodologies. This warrants a thorough systematization of the approaches and a careful review of the advantages and limitations of every group. In this paper,we perform such an analysis. In order to achieve this goal,we present the necessary background knowledge on DNS and malicious activities leveraging DNS. We describe a general framework of malicious domain detection techniques using DNS data. Applying this framework, we categorize existing approaches using several orthogonal viewpoints, namely (1) sources of DNS data and their enrichment, (2) data analysis methods, and (3) evaluation strategies and metrics. In each aspect, we discuss the important challenges that
the research community should address in order to fully realize the power of DNS data analysis to ight against attacks leveraging malicious domains.
© ACM, 2018. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in ACM Computing Surveys (CSUR), Vol.51, N°4, Article N°67, September 2018 http://dx.doi.org/10.1145/3191329