Investigating the Agility Bias in DNS Graph Mining
Jukka Ruohonen, Ville Leppänen

TL;DR
This empirical paper examines how rapidly changing domain-to-IP mappings, especially those of domains hosted on content delivery networks and cloud services, bias DNS-based graph mining, the kind of analysis that underpins malicious domain detection.
Contribution
It provides an empirical analysis of agility bias in DNS graph mining: bipartite domain-IP graphs built from two longitudinal DNS datasets are compared against subgraphs pruned by two agility criteria to show how dynamic mappings distort the structure that graph-theoretical methods rely on.
Findings
Agility bias is severe in DNS graphs, driven in particular by outlying domains hosted and delivered via content delivery networks and cloud computing services.
The bias shows up irrespective of which of the two pruning criteria is used to build the subgraphs.
Dynamic DNS mappings pose practical challenges for large-scale DNS graph mining.
Abstract
The concept of agile domain name system (DNS) refers to dynamic and rapidly changing mappings between domain names and their Internet protocol (IP) addresses. This empirical paper evaluates the bias from this kind of agility for DNS-based graph theoretical data mining applications. By building on two conventional metrics for observing malicious DNS agility, the agility bias is observed by comparing bipartite DNS graphs to different subgraphs from which vertices and edges are removed according to two criteria. According to an empirical experiment with two longitudinal DNS datasets, irrespective of the criterion, the agility bias is observed to be severe particularly regarding the effect of outlying domains hosted and delivered via content delivery networks and cloud computing services. With these observations, the paper contributes to the research domains of cyber security and DNS…
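The comparison the abstract describes, as an added example that is not the paper's code: build a bipartite domain-to-IP graph from longitudinal resolutions, score each domain with two agility metrics, prune the most agile domains under each criterion, and compare structural statistics before and after. The two metrics (distinct addresses seen, and day-to-day churn), the thresholds, and the observations are assumptions chosen for illustration, not the paper's definitions or data.

```python
"""Added example (not the paper's code): measure how pruning agile domains
changes the structure of a bipartite domain<->IP DNS graph, in the spirit of
the comparison the abstract describes.  The two agility metrics, the pruning
thresholds and the observations below are assumptions made for illustration."""
from collections import defaultdict

# Constructed longitudinal resolutions, (day, domain, ip), in documentation
# address space.  static.example never moves; shop.example changes once;
# a/b/c.example are customers of one shared CDN pool in 192.0.2.0/24 and rotate
# through it; flux.example gets a fresh address in a different /24 every day.
OBSERVATIONS = [
    (0, "static.example", "198.51.100.10"), (1, "static.example", "198.51.100.10"),
    (2, "static.example", "198.51.100.10"), (3, "static.example", "198.51.100.10"),
    (0, "shop.example", "203.0.113.5"), (1, "shop.example", "203.0.113.5"),
    (2, "shop.example", "203.0.113.6"), (3, "shop.example", "203.0.113.6"),
    (0, "a.example", "192.0.2.1"), (1, "a.example", "192.0.2.2"),
    (2, "a.example", "192.0.2.3"), (3, "a.example", "192.0.2.1"),
    (0, "b.example", "192.0.2.2"), (1, "b.example", "192.0.2.2"),
    (2, "b.example", "192.0.2.1"), (3, "b.example", "192.0.2.3"),
    (0, "c.example", "192.0.2.3"), (1, "c.example", "192.0.2.3"),
    (2, "c.example", "192.0.2.3"), (3, "c.example", "192.0.2.1"),
    (0, "flux.example", "198.51.100.20"), (1, "flux.example", "203.0.113.40"),
    (2, "flux.example", "192.0.2.60"), (3, "flux.example", "198.51.100.80"),
]


def build_bipartite(obs):
    """Bipartite graph as domain -> set of IPs; each (domain, ip) pair is an edge."""
    graph = defaultdict(set)
    for _, domain, ip in obs:
        graph[domain].add(ip)
    return dict(graph)


def agility_metrics(obs):
    """Per-domain (distinct_ips, churn).  Assumed metrics: distinct_ips is the
    number of different addresses seen; churn is the fraction of consecutive
    observations whose answer differs from the previous one (0.0 = static)."""
    sequences = defaultdict(list)
    for _, domain, ip in sorted(obs):  # sorting by day keeps each domain's answers in order
        sequences[domain].append(ip)
    metrics = {}
    for domain, seq in sequences.items():
        changes = sum(1 for prev, cur in zip(seq, seq[1:]) if prev != cur)
        churn = changes / (len(seq) - 1) if len(seq) > 1 else 0.0
        metrics[domain] = (len(set(seq)), churn)
    return metrics


def prune(graph, drop):
    """Subgraph without the domain vertices in `drop`; IPs left with no edges
    disappear implicitly because IP vertices exist only through edges."""
    return {d: ips for d, ips in graph.items() if d not in drop}


def count_components(graph):
    """Connected components over domain and IP vertices (union-find)."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for domain, ips in graph.items():
        for ip in ips:
            parent[find(("d", domain))] = find(("ip", ip))
    return len({find(node) for node in list(parent)})


def summarize(graph):
    """Structural statistics a graph-mining pipeline would compute."""
    ip_degree = defaultdict(int)
    for ips in graph.values():
        for ip in ips:
            ip_degree[ip] += 1
    return {
        "domains": len(graph),
        "ips": len(ip_degree),
        "edges": sum(ip_degree.values()),
        "components": count_components(graph),
        "max_ip_degree": max(ip_degree.values(), default=0),
    }


def agility_bias(obs, max_ips=2, max_churn=0.75):
    """Compare the full graph with two subgraphs, each pruned by one criterion."""
    full = build_bipartite(obs)
    metrics = agility_metrics(obs)
    many_ips = {d for d, (n, _) in metrics.items() if n > max_ips}
    high_churn = {d for d, (_, c) in metrics.items() if c > max_churn}
    return {
        "full": summarize(full),
        "drop_many_ips": summarize(prune(full, many_ips)),
        "drop_high_churn": summarize(prune(full, high_churn)),
        "dropped_many_ips": sorted(many_ips),
        "dropped_high_churn": sorted(high_churn),
    }


if __name__ == "__main__":
    for name, stats in agility_bias(OBSERVATIONS).items():
        print(f"{name:18s} {stats}")
```

On these constructed inputs the benign CDN customer a.example and the fast-flux-like flux.example score identically on churn, so either pruning criterion removes the shared CDN pool's most active customers together with the flux domain. The full graph has 15 edges and IP vertices of degree 3; after pruning by address count only 5 edges remain and no IP is shared by two domains, so the hub structure that graph methods would key on is gone. That dependence of the observed structure on a few agile, cloud-hosted domains is the kind of bias the abstract reports; a practitioner should report these statistics before and after any agility-based filtering rather than only on the filtered graph.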
