DomainProfiler: toward accurate and early discovery of domain names abused in future

Chiba, Daiki; Yagi, T.; Akiyama, Mitoshi; Shibahara, Toshiki; Mori, Tatsuya; Goto, Shigeki

doi:10.1007/s10207-017-0396-7

Cited by 10 publications

(4 citation statements)

References 25 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Of the 22 ML-based studies in our literature review, five studies used a combination of context-free and context-aware features [18,19,28,30,31], and two studies used contextaware features only [14,20], as indicated in Table 1.…”

Section: Context-aware Featuresmentioning

confidence: 99%

“…Chiba et al [14] used 55 context-aware features: 20 features reflect how and when a domain name is included in evolving lists of popular and malicious domain names in a certain time window; 18 features consider information from BGP prefixes, ASN, and IP address registration corresponding to the related IP addresses of a domain name; eight features consider relations between domain names of which IP addresses are in the same ASN (so called rDomains). They also use nine features that relate to domain names in rDomains.…”

Section: Context-aware Featuresmentioning

confidence: 99%

See 1 more Smart Citation

Detection of DGA-Generated Domain Names with TF-IDF

Vranken

Alizadeh

2022

Electronics

View full text Add to dashboard Cite

Botnets often apply domain name generation algorithms (DGAs) to evade detection by generating large numbers of pseudo-random domain names of which only few are registered by cybercriminals. In this paper, we address how DGA-generated domain names can be detected by means of machine learning and deep learning. We first present an extensive literature review on recent prior work in which machine learning and deep learning have been applied for detecting DGA-generated domain names. We observe that a common methodology is still missing, and the use of different datasets causes that experimental results can hardly be compared. We next propose the use of TF-IDF to measure frequencies of the most relevant n-grams in domain names, and use these as features in learning algorithms. We perform experiments with various machine-learning and deep-learning models using TF-IDF features, of which a deep MLP model yields the best results. For comparison, we also apply an LSTM model with embedding layer to convert domain names from a sequence of characters into a vector representation. The performance of our LSTM and MLP models is rather similar, achieving 0.994 and 0.995 AUC, and average F1-scores of 0.907 and 0.891 respectively.

show abstract

Section: Context-aware Featuresmentioning

confidence: 99%

Section: Context-aware Featuresmentioning

confidence: 99%

Detection of DGA-Generated Domain Names with TF-IDF

Vranken

Alizadeh

2022

Electronics

View full text Add to dashboard Cite

show abstract

“…Specifically, in October 2013, many new gTLDs, such as .xyz or .top, were introduced. Consequently, the number of available public suffixes is rapidly increasing and these new gTLDs are known to have been used in attacks [17]. Hence, this step enables us to expand the range of detectable homograph IDNs.…”

Section: Step 1: Separating the Domain Namesmentioning

confidence: 99%

Detection Method of Homograph Internationalized Domain Names with OCR

Sawabe

Chiba²,

Akiyama³

et al. 2019

Journal of Information Processing

Self Cite

View full text Add to dashboard Cite

Currently, many attacks are targeting legitimate domain names. In homograph attacks, attackers exploit human visual misrecognition, thereby leading users to visit different (fake) sites. These attacks involve the generation of new domain names that appear similar to an existing legitimate domain name by replacing several characters in the legitimate name with others that are visually similar. Specifically, internationalized domain names (IDNs), which may contain non-ASCII characters, can be used to generate/register many similar IDNs (homograph IDNs) for their application as phishing sites. A conventional method of detecting such homograph IDNs uses a predefined mapping between ASCII and similar non-ASCII characters. However, this approach has two major limitations: (1) it cannot detect homograph IDNs comprising characters that are not defined in the mapping and (2) the mapping must be manually updated. Herein, we propose a new method for detecting homograph IDNs using optical character recognition (OCR). By focusing on the idea that homograph IDNs are visually similar to legitimate domain names, we leverage OCR techniques to recognize such similarities automatically. Further, we compare our approach with a conventional method in evaluations employing 3.19 million real (registered) and 10,000 malicious IDNs. Results reveal that our method can automatically detect homograph IDNs that cannot be detected when using the conventional approach.

show abstract

“…And, seventh, it is reproducible: we describe it in detail and have released its source code [34]. Moreover, since we released AVCLASS in July 2016, it has became a popular tool, and has been used by multiple research groups [35][36][37][38][39][40][41][42][43][44][45][46]. Among these works, Lever et al [47], further demonstrated the scalability of AVCLASS by applying it 23.9M samples.…”

Section: Pup and Malware Labelingmentioning

confidence: 99%

Tools for the Detection and Analysis of Potentially Unwanted Programs

Guevara¹

View full text Add to dashboard Cite

In this thesis we study potentially unwanted programs (PUP), a category of undesirable software that, while not outright malicious, contains behaviors that may alter the security state or the privacy of the system on which they are installed. PUP often comes bundled with freeware, i.e., proprietary software that can be used free of charge. A popular vector for distributing freeware are download portals, i.e., websites that index, categorize, and host programs. Download portals can be abused to distribute PUP. Freeware is often distributed as an installer, i.e., an auxiliary program in charge of performing all installation steps for the target program. During installation, besides the target program desired by the user, the installer may install PUP as well. PUP may be difficult to uninstall and may persist installed in the system after the user tries to uninstall it. Current malware analysis systems are not able to detect and analyze characteristic behaviors of PUP. For example, current malware analysis systems operate on a single program execution, while detecting incomplete PUP uninstallations requires analyzing together two program executions: the installation and the uninstallation.This thesis presents novel tools to detect and analyze potentially unwanted programs. More concretely, it describes three main contributions. First, it presents a measurement study of PUP prevalence in download portals, exposing the abusive behaviors that authors of malicious software use to distribute their applications through download portals. Second, it proposes a system especially designed to dynamically detect and analyze PUP behaviors during program installation and uninstallation. Third, it describes AVCLASS, an automatic labeling tool that given the AV labels for a potentially massive number of samples, outputs the most likely family for each sample.To analyze the distribution of PUP through download portals, we build a platform to crawl download portals and apply it to download 191K Windows freeware installers from 20 download portals. We analyze the collected installers measuring an overall ratio of PUP and malware between 8% (conservative estimate) and 26% (lax estimate). In 18 of the 20 download portals examined the amount of PUP and malware is below 9%. But, we also find two download portals exclusively used to distribute PPI i downloaders. We also detail different abusive behaviors that authors of undesirable programs use to distribute their programs through download portals.We present a platform to perform dynamic behavioral analysis of an input installer. Our platform executes the installer, navigates it to complete a successful installation, analyzes the installation to identify PUP behaviors, identifies the list of installed programs regardless of the installation location, checks whether each installed program has a corresponding uninstaller, executes the uninstallers, analyzes the uninstallation to identify PUP behaviors, and correlates the installation and uninstallation executions to determine if all installe...

show abstract

DomainProfiler: toward accurate and early discovery of domain names abused in future

Cited by 10 publications

References 25 publications

Detection of DGA-Generated Domain Names with TF-IDF

Detection of DGA-Generated Domain Names with TF-IDF

Detection Method of Homograph Internationalized Domain Names with OCR

Tools for the Detection and Analysis of Potentially Unwanted Programs

Contact Info

Product

Resources

About