1. Technical Field
Embodiments of the present invention relate generally to an apparatus and method for detecting a malicious domain cluster and, more particularly, to an apparatus and method for detecting a malicious domain through cluster-based machine learning.
2. Description of the Related Art
Korean Patent Application Publication No. 2014-0035678, entitled “Learning-based DNS Analyzer and Analysis Method,” discloses a conventional method for detecting malicious domains in which each malicious domain is detected by monitoring domain name server (DNS) traffic. In this method, malicious domains are detected individually. As a result, some malicious domains that are used collectively may not be detected.
Korean Patent Application Publication No. 2010-0084488, entitled “Apparatus and Method of Searching for Group Activity Malicious Code,” discloses a method of searching for group-activity malware based on the group activities of hosts infected with malware. In this method, all types of traffic exhibiting group activities, other than traffic included in a white list, are determined to be malicious. The method is problematic in that new traffic not yet included in the white list is therefore wrongly determined to be malicious.
Korean Patent Application Publication No. 2012-0092286, entitled “Method and System for Detecting Botnets using Domain Name Service Queries,” discloses a method of detecting botnets using domain name service query data. In this method, a domain relation graph is generated by taking a domain query sequence into consideration. However, if newly used malicious domains are formed into a graph, whether the domains are malicious cannot be determined until some of the domains are included in a black list.
“EXPOSURE: Finding Malicious Domains Using Passive DNS Analysis” (Leyla Bilge, Engin Kirda, Christopher Kruegel, and Marco Balduzzi), published at NDSS in 2011, proposes a method of detecting domains involved in malicious behavior using passive DNS analysis. In this method, however, as in Korean Patent Application Publication No. 2014-0035678, malicious domains are detected individually, so some malicious domains that are used collectively may not be detected.
“Botnet Detection by Monitoring Group Activities in DNS Traffic” (Hyunsang Choi, Hanwoo Lee, Heejo Lee, and Hyogon Kim), published at ICCIT in 2007, proposes a method of detecting botnets by monitoring DNS traffic. In this method, however, as in Korean Patent Application Publication No. 2010-0084488, all domains exhibiting group activities, other than domains included in a white list, are determined to be malicious, so the method is likewise problematic when new traffic not included in the white list occurs.
Moreover, “Graph-based Malware Activity Detection by DNS traffic analysis” (Jehyun Lee and Heejo Lee), published in Computer Communications, Volume 49, pages 33-47, April 2014, proposes a method of detecting malicious behavior by considering a DNS query sequence. In this method, as in Korean Patent Application Publication No. 2012-0092286, a domain relation graph is generated from the DNS query sequence. Consequently, if newly used malicious domains are formed into a graph, whether the domains are malicious cannot be determined until some of the domains are included in a black list.
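The following Python sketch is an added illustration, not code from this application or from any of the cited works: it builds a domain relation graph from a constructed DNS query log (consecutive queries by the same client become edges), splits it into clusters, and applies the two labelling rules criticized above. Black-list propagation leaves a fresh malicious cluster "unknown" until one member is listed, while the white-list group-activity rule flags a new benign service as malicious; all hosts, domains and lists are constructed.

```python
from collections import defaultdict

# Constructed DNS query log as (client, domain) pairs in query order: h1/h2 use a
# known-bad cluster, h3/h4 a fresh malicious cluster, h5/h6 a new benign service.
QUERY_LOG = [
    ("h1", "a.example"), ("h1", "b.example"), ("h1", "c.example"),
    ("h2", "a.example"), ("h2", "b.example"), ("h2", "c.example"),
    ("h3", "x.example"), ("h3", "y.example"), ("h4", "x.example"), ("h4", "y.example"),
    ("h5", "cdn.example"), ("h5", "update.example"),
    ("h6", "cdn.example"), ("h6", "update.example"),
]
BLACKLIST = {"a.example"}       # constructed known-bad domains
WHITELIST = {"news.example"}    # constructed known-good domains; the new service is absent

def domain_graph(log):
    """Link domains that the same client queried consecutively (query sequence)."""
    seqs, graph = defaultdict(list), defaultdict(set)
    for client, domain in log:
        seqs[client].append(domain)
        graph.setdefault(domain, set())  # keep domains queried in isolation
    for seq in seqs.values():
        for prev, cur in zip(seq, seq[1:]):
            graph[prev].add(cur)
            graph[cur].add(prev)
    return graph

def clusters(graph):
    """Connected components of the domain graph, each as a sorted tuple."""
    unseen, out = set(graph), []
    while unseen:
        comp, frontier = set(), {unseen.pop()}
        while frontier:               # breadth-first expansion of one component
            comp |= frontier
            frontier = set().union(*(graph[d] for d in frontier)) - comp
        unseen -= comp
        out.append(tuple(sorted(comp)))
    return sorted(out)

def label_by_blacklist(log, blacklist):
    """Graph approach: a cluster is flagged only once one member is black-listed."""
    return {comp: "malicious" if set(comp) & blacklist else "unknown"
            for comp in clusters(domain_graph(log))}

def label_by_whitelist(log, whitelist, min_hosts=2):
    """Group-activity approach: flag any cluster shared by >= min_hosts clients
    unless every member is white-listed."""
    labels = {}
    for comp in clusters(domain_graph(log)):
        group = len({client for client, d in log if d in comp}) >= min_hosts
        labels[comp] = "malicious" if group and not set(comp) <= whitelist else "benign"
    return labels
```

On the constructed log the black-list rule labels only the a/b/c cluster malicious and leaves x/y "unknown", whereas the white-list rule labels all three clusters malicious, including the benign cdn/update service.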