Improved Detection of Malicious Domain Names Using Gradient Boosted Machines and Feature Engineering

Abstract

Malicious domain names have been commonly used in recent years to launch different cyber-attacks. There are a large number of malicious domains that are registered every day and some of which are only active for brief periods of time. Therefore, the automated malicious domain names detection is needed to provide security for individuals and organisations. As new technologies continue to emerge, the detection of malicious domain names remains a challenging task. In this study, we propose a model to effectively detect malicious domain names. This is done by evaluating the performance of several machine learning algorithms and feature importance measures using a recent DNS dataset. Based on the empirical evaluation, the gradient boosted machines GBM classification with a combination of lexical and host-based features produce the most accurate detection rates of 98.8% accuracy and a low false positive rate of 0.003. In terms of feature importance, measures used in this study agree on the importance of six features, five of which are lexical in nature. Furthermore, to make the best out of these relevant features, we apply automatic feature engineering. Our results show that preprocessing the dataset using deep feature synthesis and then reducing the dimensionality improves the classifications performance as compared to using raw features. The results of this study are then verified using a challenging category of domain names, the domain generation algorithm dataset, and consistent results are obtained.