Monitoring the initial DNS behavior of malicious domains

Hao, Shuang; Feamster, Nick; Pandrangi, Ramakant

doi:10.1145/2068816.2068842

Cited by 68 publications

(59 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We understand that previous work [3] investigates on initial DNS behaviors (e.g. registration of domains) of malicious domains and reports some interesting characteristics but does not propose a method to detect malicious domains.…”

Section: Comparison With Related Workmentioning

confidence: 94%

“…Hao et al [3] studied behavior of spam domains combining with active DNS behavior and registration information. Although they found that IP spaces used by spam domains were small, how d, ns-d and IP were related was not studied.…”

Section: Related Workmentioning

confidence: 99%

“…The contribution of the proposed method is two-fold: (1) it can detect unknown malicious domains, name servers' domains, and their corresponding IP addresses that are not in existing blacklists, (2) it uses data that is publicly accessible and easy to obtain by a single DNS resolver while the existing methods rely on additional data that is available for certain entities such as a long period of historical data of domains and IPs [1], DNS traffic captured at large networks such as ISP [2], and DNS responses obtained by a large number of resolvers in different locations (continents) [3].…”

Section: Related Workmentioning

confidence: 99%

“…Comparing with [1], [2], [4], the main advantage of proposed method is that it can be realized with low requirements for necessary data. Namely, our method uses data that is publicly accessible and easy to obtain by a single DNS resolver while the other existing methods rely on additional data that are available for only certain privileged entities such as a long period of historical data of domains and IPs [1], DNS traffic captured at large networks such as ISP [2], and DNS responses obtained by large number of resolvers in different locations (continents) [3].…”

Section: Comparison With Related Workmentioning

confidence: 99%

See 3 more Smart Citations

Detecting Malicious Domains and Authoritative Name Servers Based on Their Distinct Mappings to IP Addresses

Yoshioka

Matsumoto

2015

Journal of Information Processing

View full text Add to dashboard Cite

As Domain Name System (DNS) provides flexibility and robustness in communications of hosts on Internet, not only legitimate users but also attackers often take advantages of it. If we know how attackers are managing their malicious domains with authoritative name servers, there is a possibility to detect not only malicious domains but also malicious authoritative name servers. In this study, we present a novel method for detecting malicious "domains" (noted as d) and malicious "authoritative name servers" (noted as ns-d) based on their distinct mappings to "IP addresses" (noted as IP). Namely, we present three features to detect them; 1) Single ns-d is mapped to many IP, 2) Single IP is mapped to many ns-d, and 3) Single IP is mapped to both ns-d and d. We evaluate proposed method in terms of accuracy and coverage in detection of malicious d and ns-d. The evaluation shows that our detection method can achieve significantly low false positive rate in detecting both malicious d and ns-d without relying on any previous knowledge, such as blacklists or whitelists.

show abstract

Section: Comparison With Related Workmentioning

confidence: 94%

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Comparison With Related Workmentioning

confidence: 99%

See 2 more Smart Citations

Detecting Malicious Domains and Authoritative Name Servers Based on Their Distinct Mappings to IP Addresses

Yoshioka

Matsumoto

2015

Journal of Information Processing

View full text Add to dashboard Cite

show abstract

“…Due to their short lifetime, the early identification of phishing websites is paramount, as a result several methods have been proposed to avoid reactive blacklisting and develop more proactive methods. In [10], Hao et al analyze early DNS behavior of newly registered domains. It is demonstrated that they are characterized by DNS infrastructure pattern and DNS lookup patterns monitored as soon as they are registered, such as either a wide scattering of resource records across the IP address space in only few regions, or resource records that are often hosted in tainted autonomous systems.…”

Section: Related Workmentioning

confidence: 99%

Proactive Discovery of Phishing Related Domain Names

Marchal

Jérôme

State

et al. 2012

Research in Attacks, Intrusions, and Defenses

View full text Add to dashboard Cite

Abstract.Phishing is an important security issue to the Internet, which has a significant economic impact. The main solution to counteract this threat is currently reactive blacklisting; however, as phishing attacks are mainly performed over short periods of time, reactive methods are too slow. As a result, new approaches to early identify malicious websites are needed. In this paper a new proactive discovery of phishing related domain names is introduced. We mainly focus on the automated detection of possible domain registrations for malicious activities. We leverage techniques coming from natural language modelling in order to build proactive blacklists. The entries in this list are built using language models and vocabularies encountered in phishing related activities -"secure", "banking", brand names, etc. Once a pro-active blacklist is created, ongoing and daily monitoring of only these domains can lead to the efficient detection of phishing web sites.

show abstract

Detecting spam through their Sender Policy Framework records

Sipahi

Dalklç

Özcanhan

2015

Security Comm Networks

View full text Add to dashboard Cite

Spamming has become one of the worst problems of email communication. Although various anti‐spamming methods have been developed, because of creative spammers, none of them are able to stop the penetration of the innovated spam. The content‐based anti‐spam methods used for spam recognition require considerable amounts of computational resources. Therefore, less resource demanding methods are needed to match the growing number of spam. One example is network‐based filtering, which is gaining importance. Sender Policy Framework (SPF) is a network protocol that can provide efficient network‐based spam filtering. But, it is becoming evident that spammers have also started to manipulate SPF‐based spam filtering. Presently, the spammers are purchasing domain names with SPF records to use them for sending spam. The only methods that can prevent such spam are the blacklist and content filtering techniques, or a blend of both. In the present study, the Domain Name System (DNS)/SPF records of spam‐sending domain names are compared with non‐spam‐sending domain names, for improving SPF‐based spam filtering. Research results show distinctive features between spam‐sending and non‐spam‐sending domain names. Naïve Bayes algorithm is utilized to identify spam‐sending domain names. The time delay results of spam analysis shows that the devised SPF‐based filtering offloads content filtering, significantly. Hence, our SPF‐based method can act as a pre‐filter that helps fighting spam. Copyright © 2015 John Wiley & Sons, Ltd.

show abstract

Monitoring the initial DNS behavior of malicious domains

Cited by 68 publications

References 10 publications

Detecting Malicious Domains and Authoritative Name Servers Based on Their Distinct Mappings to IP Addresses

Detecting Malicious Domains and Authoritative Name Servers Based on Their Distinct Mappings to IP Addresses

Proactive Discovery of Phishing Related Domain Names

Detecting spam through their Sender Policy Framework records

Contact Info

Product

Resources

About