This short exploratory empirical paper examines a question of how important the Internet protocol (IP) addresses of name servers are in linking together Internet domains that have distributed malware or otherwise having been associated with malicious computer networks. By using the domain name system (DNS) for building a relational representation, the found importance is elaborated with a dataset comprised of nearly sixty thousand domains. Besides the empirical exploration related to these domains, the paper provides a stylized discussion on the construction of empirical DNS graphs, including the concrete reduction and learning of the observed malware graph. With these two deliverables, the paper contributes to the active research field of DNS mining, further pinpointing a number of relevant research challenges for applications of complex network analysis for studying computer networking and cyber security.
Jukka Ruohonen, Sanja Cepanovic, Sami Hyrynsalmi, Igor Mishkovski, Tuomas Aura, Ville Leppänen (University of Turku): The Black Mark beside My Name Server: Exploring the Importance of Name Server IP Addresses in Malware DNS Graphs
Presented at the 4th International Conference on Future Internet of Things and Cloud Workshops (FiCloudW), Vienna, Austria, Aug. 22, 2016 to Aug. 24, 2016