CR, NI, SI | May 16, 2018

Investigating the Agility Bias in DNS Graph Mining

arXiv:1805.06158v1 | 5 citations
Originality: Synthesis-oriented
AI Analysis

This work addresses a specific bias issue in DNS graph mining for cyber security applications, but it is incremental as it builds on existing metrics and focuses on empirical observation rather than novel solutions.

The paper investigates the bias introduced by agile DNS (dynamic domain-to-IP mappings) in graph mining applications, finding that this bias is severe, particularly due to outlying domains hosted on content delivery networks and cloud services, based on empirical experiments with two longitudinal DNS datasets.

The concept of agile domain name system (DNS) refers to dynamic and rapidly changing mappings between domain names and their Internet protocol (IP) addresses. This empirical paper evaluates the bias from this kind of agility for DNS-based graph theoretical data mining applications. By building on two conventional metrics for observing malicious DNS agility, the agility bias is observed by comparing bipartite DNS graphs to different subgraphs from which vertices and edges are removed according to two criteria. According to an empirical experiment with two longitudinal DNS datasets, irrespective of the criterion, the agility bias is observed to be severe particularly regarding the effect of outlying domains hosted and delivered via content delivery networks and cloud computing services. With these observations, the paper contributes to the research domains of cyber security and DNS mining. In a larger context of applied graph mining, the paper further elaborates the practical concerns related to the learning of large and dynamic bipartite graphs.
