A Matrix Factorization Based Network Embedding Method for DNS Analysis

I introduce an MF-DNS-E (Matrix-Factorization-based DNS Embedding) method to automatically learn the low-dimensional vector representations (i.e., embeddings) for domain names and IP addresses, which can be used to support some DNS security analysis tasks including malicious domain detection and IP reputation evaluation.

Le $N$ and $M$ be the total numbers of (i) domain names and (ii) IP addresses in a passive network traffic log, respectively. One can extract a bipartite graph ${\bf{B}}\in{\mathbb{Z}_{+}^{N\times M}}$, with ${{\bf{B}}_{ij}}$ as the number of queries that a domain name ${p_{i}}$ is resolved to an IP address ${q_{j}}$. The corresponding adjacency matrix of this bipartite graph is

where each entry in ${\bf{B}}$ is normalized into $[0,1]$ via ${{{\bf{\hat{B}}}}_{ij}}={{{{\bf{B}}_{ij}}}\mathord{\left/{\vphantom{{{{\bf{B}}_{ij}}}{{{\bf{B}}_{\max}}}}}\right.\kern-1.2pt}{{{\bf{B}}_{\max}}}}$, with ${\bf{B}}_{\max}$ as the maximum entry.

For all the domain names $\{{p_{i}}\}$, I further introduce (i) host-based and (ii) IP-based similarities between each pair of domain names, which are denoted as ${{\bf{S}}_{{\rm{DH}}}}\in{\mathbb{R}^{N\times N}}$ and ${{\bf{S}}_{{\rm{DI}}}}\in{\mathbb{R}^{M\times M}}$, respectively. Given a domain name ${p_{i}}$, let ${H_{p_{i}}}$ be the set of hosts that have the DNS query result of ${p_{i}}$. I further denote ${I_{p_{i}}}$ as the set of IPs resolved from ${p_{i}}$. ${{\bf{S}}_{{\rm{DH}}}}$ and ${{\bf{S}}_{{\rm{DI}}}}$ are defined as:

For all the IP addresses $\{{q_{j}}\}$, I also define the (iii) host-based and (iv) domain-based similarities, denoted as ${{\bf{S}}_{{\rm{IH}}}}\in{\mathbb{R}^{M\times M}}$ and ${{\bf{S}}_{{\rm{ID}}}}\in{\mathbb{R}^{M\times M}}$, respectively. Given an IP address ${q_{j}}$, let ${H_{{q_{j}}}}$ and ${D_{{q_{j}}}}$ be the (i) set of hosts requesting the DNS result of ${q_{j}}$ and (ii) set of domains resolved to ${q_{j}}$. ${{\bf{S}}_{\rm{IH}}}$ and ${{\bf{S}}_{\rm{ID}}}$ are defined as:

Furthermore, I combine $\{{{\bf{S}}_{{\rm{DH}}}},{{\bf{S}}_{{\rm{DI}}}},{{\bf{S}}_{{\rm{IH}}}},{{\bf{S}}_{{\rm{ID}}}}\}$ and ${\bf{P}}$ to construct a similarity-enhanced graph described by the following adjacency matrix:

where all the elements in ${\bf{S}}$ are within the value range $[0,1]$.

The $K$-order ($K\geq 1$) proximity of a node ${v_{i}}$ can be used to explore implicit community structures of graphs [1, 2, 3, 4, 5, 6]. I apply the matrix-factorization-based objective [7] of DeepWalk [8] to ${\bf{S}}$. Let ${\bf{A}}={\bf{S}}$ be the adjacency matrix of the heterogeneous graph. This objective aims to factorize the following matrix:

where ${\bf{D}}={\mathop{\rm diag}\nolimits}({{\deg}(v_{1})},\cdots,{{\deg}(v_{N+M})})$ is the degree diagonal matrix w.r.t. ${\bf{S}}$; $w=\sum\nolimits_{i=1}^{N+M}{{{\deg}(v_{i})}}$ is defined as the volume of a graph; $K$ and $b$ are pre-set proximity order and number of negative samples.

The low-dimensional embeddings are then derived by fitting the random-walk-based transition probabilities to the sampled random walks equivalent to the following objective [7]:

The singular value decomposition (SVD) is then used to get the solution $\{{{\bf{X}}^{*}},{{\bf{Y}}^{*}}\}$ via

with ${\bf{\Sigma}}={\rm{diag}}({\theta_{1}},{\theta_{2}},\cdots,{\theta_{N+M}})$ as the diagonal matrix of singular values in descending order. Finally, I adopt ${\bf{X}}^{*}$ as the derived network embeddings, where I treat ${\bf{X}}_{1:N,:}^{*}$ and ${\bf{X}}_{(N+1):(N+M),:}^{*}$ as the domain name embeddings $\{{{\bf{u}}_{1}},\cdots,{{\bf{u}}_{N}}\}$ and IP address embeddings $\{{{\bf{v}}_{1}},\cdots,{{\bf{v}}_{M}}\}$, respectively.

In addition, I also incorporate two logistic regression classifiers (i.e., ${C_{{\rm{MDD}}}}$ and ${C_{{\rm{IRE}}}}$) to the unsupervised embedding objective (6) to support two DNS analysis tasks of (i) malicious domain detection and (ii) IP reputation evaluation.

Let $R=\{{r_{{l_{1}}}},\cdots,{r_{{l_{T}}}}\}$ and $G=\{{g_{{l_{1}}}},\cdots,{g_{{l_{T}}}}\}$ be (i) the result given by classifier and (ii) the ground-truth, respectively. The logistic regression classifier can be optimized by minimizing the following binary cross-entropy objective:

To fully utilize the supervised training labels, I further apply the graph regularization technique. A constraint matrix ${\bf{C}}\in{\{0,1\}^{(N+M)\times(N+M)}}$ is first introduced to represent the training label information. For a pair of domain names $({p_{i}},{p_{j}})$ in the training set, let ${{\bf{C}}_{ij}}={{\bf{C}}_{ji}}=1$ if $({p_{i}},{p_{j}})$ are both malicious (or benign) domain names and ${{\bf{C}}_{ij}}={{\bf{C}}_{ji}}=0$ otherwise. Similarly, for a pair of IP addresses $({q_{i}},{q_{j}})$ in the training set, let ${{\bf{C}}_{(N+i),(N+j)}}={{\bf{C}}_{(N+j),(N+i)}}=1$ if $({p_{i}},{p_{j}})$ have the same reputation level and ${{\bf{C}}_{(N+i),(N+j)}}={{\bf{C}}_{(N+j),(N+i)}}=0$ otherwise. For a given domain name ${p_{i}}$ and an IP address ${q_{j}}$ in the training sets, let ${{\bf{C}}_{i,(N+j)}}={{\bf{C}}_{(N+j),i}}=1$ if if ${p_{i}}$ is a benign (or malicious) domain name and ${q_{j}}$ is with normal (or poor) reputation and ${{\bf{C}}_{i,(N+j)}}={{\bf{C}}_{(N+j),i}}=0$ otherwise. Finally, I set ${{\bf{C}}_{i,:}}={{\bf{C}}_{:,i}}=0.5$ and ${{\bf{C}}_{(i+N),:}}={{\bf{C}}_{:,(i+N)}}=0.5$ for the rest domain names and IP addresses in the validation and test sets. Based on ${\bf{C}}$, the graph regularization objective is then defined as:

with ${\bf{L}}:={{\bf{D}}_{\mathop{\rm C}\nolimits}}-{\bf{C}}$ as the Laplacian matrix of ${\bf{C}}$ and ${{\bf{D}}_{\rm{C}}}={\mathop{\rm diag}\nolimits}(\sum\nolimits_{j}{{{\bf{C}}_{1j}},\cdots,\sum\nolimits_{j}{{{\bf{C}}_{(N+M),j}}}})$ as the degree diagonal matrix w.r.t. ${\bf{C}}$.

In addition to (9), I also develop an end-to-end logistic regression classifier to integrate the supervised training labales. Let $\{{{\bf{x}}_{i}}\}=\{{{\bf{X}}_{i,:}}={{\bf{u}}_{i}}\}\cup\{{{\bf{X}}_{N+i,:}}={{\bf{v}}_{i}}\}$ to be the set of available DNS entities, including all the domain names and IP addresses. The logistic regression classifier takes each embedding ${{\bf{x}}_{i}}$ as its input and then derives a classification result ${r_{i}}=\sigma({{\bf{x}}_{i}}{\bf{w}}+{\bf{b}})$, with $\{{\bf{w}},{\bf{b}}\}$ as learnable parameters. Let $R=\{{r_{1}},\cdots,{r_{N+M}}\}$ and $G=\{{g_{1}},\cdots,{g_{N+M}}\}$ be (i) the classification result and (ii) the ground-truth w.r.t. DNS entities $\{{p_{1}},\cdots,{p_{N}},{q_{1}},\cdots,{q_{M}}\}$. I adopt the following binary cross-entropy objective between $G$ and $R$:

where a mask $m_{i}$ is integrated to distinguish DNS entities in the training set from those in the validation and test sets. Concretely, ${m_{i}}=1$ if a DNS entity ${x_{i}}$ is in the training set and ${m_{i}}=0$ otherwise.

In summary, one can construct the following semi-supervised objective by combining objectives of the (i) unsupervised graph embedding objective (5), (ii) graph regularization objective (9), as well as (iii) auxiliary classifier (10):

where $\alpha$ and $\beta$ are hyper-parameters to balance ${\mathop{\rm O}\nolimits}_{\rm{AC}}$ and ${\mathop{\rm O}\nolimits}_{\rm{R}}$.

To obtain the solution of objective (11), I first randomly initialize parameters $\{{\bf{X}},{\bf{Y}},{\bf{w}},{\bf{b}}\}$ and then apply gradient descent to iteratively update their values until convergence. For the solution of (11) (notated as $\{{{{\bf{X^{\prime}}}}^{*}},{{{\bf{Y^{\prime}}}}^{*}}\}$), I use ${\bf{X^{\prime}}}^{*}$ as the final low-dimensional embeddings for the associated DNS entities. The classification results of malicious domain detection and IP reputation evaluation can then be derived from the end-to-end logistic regression classifier integrated.

In this paper, I proposed a novel JDE method to (i) automatically learn the domain and IP embeddings by jointly exploring the homogeneous and heterogeneous high-order proximities between two types of DNS entities while (ii) simultaneously supporting malicious domain detection and IP reputation evaluation. In my future work, I intend to consider the joint optimization of other DNS entities and their associated applications (e.g., device type classification of end hosts). Moreover, to further explore the dynamic natures of DNS query behaviors via existing embedding techniques for dynamic graphs [9, 10, 11, 12] is also my next research focus.