abstract |
Techniques are provided herein for classifying domains based on DNS traffic so that domains that are malicious or associated with malicious activity can be identified. Malicious domains are identified by analyzing, at a server having network connectivity, traffic between one or more clients and one or more Domain Name System (DNS) resolvers, detecting a spike in the traffic for a particular domain, and categorizing queries in the spike based on one or more query features. The particular domain is classified based on the categorizing. |
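A worked illustration of the pipeline the abstract describes (aggregate DNS queries per domain, flag a spike against the domain's own baseline, summarize the queries inside the spike by a few features, and classify the domain from that summary). This is an added example, not code from the patent or its applicant. The log format, the 60-second bucket, the spike threshold, the three query features (distinct querying clients, fraction of queries to subdomains, and mean character entropy of the subdomain label, plus TXT fraction) and the labels returned by `classify` are all assumptions chosen for the example; the abstract names none of them. The sample log is constructed inline, with the "encoded" subdomain labels built by rotating a fixed alphabet so the entropy values are deterministic.

```python
"""Spike-based DNS domain classification (added example, assumptions noted inline)."""
from collections import Counter, defaultdict
from math import log2
from statistics import mean, pstdev

BUCKET_SECONDS = 60     # assumed aggregation window
SPIKE_SIGMA = 3.0       # assumed: spike if count > mean + 3*stdev of earlier buckets
MIN_SPIKE_COUNT = 20    # assumed: ignore spikes with tiny absolute counts

def registered_domain(qname):
    """Crude apex extraction: last two labels. Production code would use the PSL."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def label_entropy(s):
    """Shannon entropy (bits/char) of a single DNS label; high for encoded data."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * log2(c / n) for c in Counter(s).values())

def bucket_counts(log):
    """domain -> per-bucket query counts, index = bucket number from time 0."""
    per = defaultdict(lambda: defaultdict(int))
    last = 0
    for t, _, qname, _ in log:
        b = int(t // BUCKET_SECONDS)
        per[registered_domain(qname)][b] += 1
        last = max(last, b)
    return {d: [c.get(i, 0) for i in range(last + 1)] for d, c in per.items()}

def find_spikes(counts):
    """Bucket indexes whose count exceeds the baseline formed by all earlier buckets."""
    spikes = []
    for i in range(1, len(counts)):
        prior = counts[:i]
        threshold = mean(prior) + SPIKE_SIGMA * pstdev(prior)
        if counts[i] >= MIN_SPIKE_COUNT and counts[i] > threshold:
            spikes.append(i)
    return spikes

def categorize(queries):
    """Summarize the queries inside one spike window (assumed feature set)."""
    n = len(queries)
    clients = {c for _, c, _, _ in queries}
    sub_entropy = [label_entropy(q.rstrip(".").split(".")[0])
                   for _, _, q, _ in queries
                   if registered_domain(q) != q.rstrip(".").lower()]
    txt = sum(1 for *_, qtype in queries if qtype == "TXT")
    return {
        "queries": n,
        "distinct_clients": len(clients),
        "subdomain_fraction": len(sub_entropy) / n,
        "mean_subdomain_entropy": mean(sub_entropy) if sub_entropy else 0.0,
        "txt_fraction": txt / n,
    }

def classify(features):
    """Assumed heuristic: a spike of high-entropy subdomains from one or two clients
    looks like tunneling/DGA traffic; a spike of apex lookups from many clients
    looks like ordinary popularity."""
    if (features["distinct_clients"] <= 2
            and features["subdomain_fraction"] > 0.8
            and features["mean_subdomain_entropy"] > 3.0):
        return "suspicious"
    if features["distinct_clients"] >= 10 and features["subdomain_fraction"] < 0.2:
        return "likely_benign_popularity"
    return "undetermined"

def classify_domains(log):
    """domain -> (spike bucket, label) for every domain that shows a spike."""
    results = {}
    for domain, series in bucket_counts(log).items():
        for b in find_spikes(series):
            window = [q for q in log
                      if int(q[0] // BUCKET_SECONDS) == b
                      and registered_domain(q[2]) == domain]
            results[domain] = (b, classify(categorize(window)))
    return results

def build_sample_log():
    """Constructed log of (seconds, client, qname, qtype); not real traffic."""
    log = []
    for b in range(5):                       # quiet baseline: buckets 0..4
        for k in range(2):
            t = b * BUCKET_SECONDS + k * 10
            log.append((t, "10.0.0.1", "news.example.", "A"))
            log.append((t, "10.0.0.2", "exfil.example.", "A"))
    for i in range(25):                      # bucket 5: many clients, apex lookups
        log.append((5 * BUCKET_SECONDS + i, f"10.1.0.{i}", "news.example.", "A"))
    alphabet = "abcdefghijklmnopqrstuvwxyz234567"
    for i in range(30):                      # bucket 5: one client, encoded-looking labels
        label = alphabet[i:] + alphabet[:i]  # stand-in for base32 chunks (entropy 5.0)
        log.append((5 * BUCKET_SECONDS + i, "10.0.0.9", f"{label}.exfil.example.", "TXT"))
    return log

if __name__ == "__main__":
    for domain, (bucket, label) in sorted(classify_domains(build_sample_log()).items()):
        print(f"{domain}: spike in bucket {bucket} -> {label}")
```

The baseline is deliberately per domain rather than global: a domain that normally sees two queries a minute and suddenly sees thirty is a spike even if thirty is negligible against the resolver's total volume. The feature thresholds are placeholders; in practice they would be tuned on labelled traffic, and the apex extraction should use the public suffix list so that `host.co.uk`-style names are bucketed correctly.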