HINCDG: Multi-Meta-Path Graph Auto-Encoders for Mining of Weak Association Malicious Domains

Due to the lack of interaction with other domain names or entities and the scarcity of access records, it is extremely challenging to detect malicious domain names in the early stages of the life cycle. The detection methods based on association relationships have high robustness and are difficult to escape. However, these related methods require a time window to accumulate relations. For the sparse of newly emerged DNS, it’s difficult to detect malicious domain names in its early life cycle. We regard the lack of initial association relationship of domain name nodes as a missing data problem. A variety of heterogeneous association relationships are extracted from the dynamic evolution graph of HINS containing structural neighbourhood information and temporal features, and then we randomly dropped out some meta-path domain name associations, construct missing initial associations, increase the ability to reason about missing associations, and improve the detection ability of newly emerging malicious domains with weak associations. The HINCDG has been evaluated in the ISP DNS traffic (one billion queries per hour), the experimental results (97% F1-Measure) illustrate the efficiency and accuracy.