Detecting Malicious Domains using the Splunk Machine Learning Toolkit


Malicious domains are often hidden among benign DNS requests. Because DNS traffic is generally permitted, blocking malicious requests is a challenge for most network defenses. Classifying DNS requests with machine learning offers a scalable alternative to maintained blocklists. Studies in this field often narrow their dataset to a single attack behavior; however, organizations are hit by a myriad of attack patterns across multiple objectives, and narrowing the scope closes the door to operationalizing a classifier in a real-world environment. In this paper, we propose a broader and more challenging scenario for our dataset by combining four malicious DNS behaviors (malware, phishing, spam and botnet) with legitimate domain samples. We use Splunk and its Machine Learning Toolkit to create, test and validate our classifier. We extract 12 static features from the domain name and analyze their weight in the prediction. We compare two supervised learning algorithms and measure their accuracy in this challenging environment, obtaining 88% accuracy with the Random Forest algorithm against 87% with Decision Tree.
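The abstract says 12 static features are extracted from each domain name and fed to a Random Forest and a Decision Tree in the Splunk Machine Learning Toolkit, but the page does not list the features. The following is an added example (editor's code, not from the paper or from Splunk) showing what a static, string-only feature extractor for this kind of classifier looks like: the 12 features chosen here (length, label count, entropy, digit and vowel ratios, consonant runs, and so on) are an assumption about the sort of features such a study uses, not the paper's actual set. The sample domains and their labels are constructed for illustration; the output is a CSV in the shape Splunk accepts as a lookup table.

```python
import csv
import io
import math
from collections import Counter

VOWELS = frozenset("aeiou")

# Class labels used by the constructed sample below; they mirror the five
# classes named in the abstract (legitimate plus four malicious behaviors).
CLASSES = ("legit", "malware", "phishing", "spam", "botnet")


def shannon_entropy(text: str) -> float:
    """Shannon entropy in bits per character; 0.0 for an empty string."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def longest_consonant_run(text: str) -> int:
    """Longest run of consecutive consonant letters (digits and '-' break a run).
    Long runs are typical of algorithmically generated labels."""
    best = run = 0
    for ch in text:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def extract_features(domain: str) -> dict:
    """Compute 12 static features from the domain string alone (no DNS lookups,
    no WHOIS). Internationalized names must be converted to their ASCII
    (punycode) form by the caller; this function only inspects the string."""
    d = domain.strip().lower().rstrip(".")
    if not d:
        raise ValueError("empty domain")
    labels = d.split(".")
    if any(not lbl for lbl in labels):
        raise ValueError(f"empty label in domain: {domain!r}")
    tld = labels[-1] if len(labels) > 1 else ""
    sld = labels[-2] if len(labels) > 1 else labels[0]  # registrable label
    core = d.replace(".", "")
    letters = [c for c in core if c.isalpha()]
    digits = sum(c.isdigit() for c in core)
    vowels = sum(c in VOWELS for c in letters)
    return {
        "length": len(d),
        "label_count": len(labels),
        "sld_length": len(sld),
        "longest_label_length": max(len(lbl) for lbl in labels),
        "tld_length": len(tld),
        "digit_ratio": round(digits / len(core), 4),
        "vowel_ratio": round(vowels / len(letters), 4) if letters else 0.0,
        "hyphen_count": core.count("-"),
        "unique_char_ratio": round(len(set(core)) / len(core), 4),
        # entropy of the registrable label only, so the TLD does not dominate
        "sld_entropy": round(shannon_entropy(sld), 4),
        "longest_consonant_run": longest_consonant_run(sld),
        "sld_has_digit": int(any(c.isdigit() for c in sld)),
    }


FEATURE_NAMES = list(extract_features("example.com").keys())


def features_to_csv(samples) -> str:
    """Render (domain, label) pairs as a CSV suitable for upload as a Splunk
    lookup; the 'label' column is the target for MLTK's fit command."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["domain", "label", *FEATURE_NAMES])
    for domain, label in samples:
        if label not in CLASSES:
            raise ValueError(f"unknown class {label!r}")
        feats = extract_features(domain)
        writer.writerow([domain, label, *(feats[k] for k in FEATURE_NAMES)])
    return buf.getvalue()


# Constructed sample rows (made-up names and labels, not real observations).
SAMPLE = [
    ("example.com", "legit"),
    ("mail.example.org", "legit"),
    ("xkqzvbwp.net", "botnet"),
    ("secure-login-verify-account1.example", "phishing"),
    ("cheap-meds-4u.example", "spam"),
    ("update7.cdn.example", "malware"),
]

if __name__ == "__main__":
    print(features_to_csv(SAMPLE))
```

The CSV can be uploaded as a lookup and used to train and compare the two algorithms from the abstract inside Splunk with the Machine Learning Toolkit's `fit` command, for instance `| inputlookup dns_features.csv | fit RandomForestClassifier label from length label_count sld_entropy ... into dns_rf` and the same line with `DecisionTreeClassifier`; the lookup and model names here are assumptions. Note that a string-only feature set can be evaded by attackers who register readable, dictionary-word domains, so features like these complement rather than replace reputation and traffic-behavior signals.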

Publication type: Conference Paper

Published in: NOMS 2022-2022 IEEE/IFIP Network Operations and Management Symposium

  • Michelle Cersosimo
  • Adrian Lara

CITIC researchers associated with the publication
Adrian Lara Petitdemange


Bibliographic data
Citation
M. Cersosimo and A. Lara, "Detecting Malicious Domains using the Splunk Machine Learning Toolkit," NOMS 2022-2022 IEEE/IFIP Network Operations and Management Symposium, 2022.