Paint It Black: Evaluating the Effectiveness of Malware Blacklists

Kührer, Marc; Rossow, Christian; Holz, Thorsten

doi:10.1007/978-3-319-11379-1_1

Cited by 109 publications

(73 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…1-20) had more contributions and higher GI scores than both rIP features (Nos. [21][22][23][24][25][26][27][28][29][30][31][32][33][34][35][36][37][38] 4.1 did not contain such easy-toanswer domain names. As a result, the importance of these TVP features using Alexa1k and Alexa10k is relatively low.…”

Section: Effectiveness Of Each Featurementioning

confidence: 99%

“…Another reason behind the longer lifespan is the sinkhole operation. A sinkholed domain name is an originally malicious domain name that is treated and then controlled by security organizations [24,36]. In such a case, an IP address is continuously associated with a domain name; thus, the lifespan of the domain name is long.…”

Section: Lifespan Of Detected Domain Namesmentioning

confidence: 99%

“…In such a case, an IP address is continuously associated with a domain name; thus, the lifespan of the domain name is long. To detect such sinkholed domain names, we followed the same approach originally proposed by Kührer et al [24]. Table 11 shows the results of our sinkhole detection.…”

Section: Lifespan Of Detected Domain Namesmentioning

confidence: 99%

“…Boukhtouta et al [9] proposed an analysis method for creating graphs from sandbox results to understand the relationships among domain names, IP addresses, and malware family names. Kührer et al [24] proposed a method for identifying parked and sinkhole domain names from Web sites and blacklist content information by using graph analysis. DomainProfiler strongly relies on the TVP or time series information, which these studies did not use, to precisely predict future malicious domain names.…”

Section: Historic Relationship Approachmentioning

confidence: 99%

See 3 more Smart Citations

DomainProfiler: toward accurate and early discovery of domain names abused in future

Chiba

Yagi

Akiyama

et al. 2017

Int. J. Inf. Secur.

View full text Add to dashboard Cite

Domain names are at the base of today's cyber-attacks. Attackers abuse the domain name system (DNS) to mystify their attack ecosystems; they systematically generate a huge volume of distinct domain names to make it infeasible for blacklisting approaches to keep up with newly generated malicious domain names. To solve this problem, we propose DomainProfiler for discovering malicious domain names that are likely to be abused in future. The key idea with our system is to exploit temporal variation patterns (TVPs) of domain names. The TVPs of domain names include information about how and when a domain name has been listed in legitimate/popular and/or malicious domain name lists. On the basis of this idea, our system actively collects historical DNS logs, analyzes their TVPs, and predicts whether a given domain name will be used for malicious purposes. Our evaluation revealed that DomainProfiler can predict malicious domain names 220 days beforehand with a true positive rate of 0.985. Moreover, we verified the effectiveness of our system in terms of the benefits from our TVPs and defense against cyber-attacks.

show abstract

Section: Effectiveness Of Each Featurementioning

confidence: 99%

Section: Lifespan Of Detected Domain Namesmentioning

confidence: 99%

Section: Lifespan Of Detected Domain Namesmentioning

confidence: 99%

Section: Historic Relationship Approachmentioning

confidence: 99%

See 2 more Smart Citations

DomainProfiler: toward accurate and early discovery of domain names abused in future

Chiba

Yagi

Akiyama

et al. 2017

Int. J. Inf. Secur.

View full text Add to dashboard Cite

show abstract

“…Thakore [5] provided a set of metrics such as coverage, redundancy, confidence, and cost to quantitatively evaluate monitor deployments. Kührer et al [6] focused on the effectiveness of malware blacklists and showed that the current blacklist is insufficient to protect against the variety of malware threats. There are other studies focused on evaluating the strength of IDS or other security products [7,8], strength of user password [9,10], and so on.…”

Section: Related Workmentioning

confidence: 99%

Security Measurement for Unknown Threats Based on Attack Preferences

Yin

Sun

Wang

et al. 2018

Security and Communication Networks

View full text Add to dashboard Cite

Security measurement matters to every stakeholder in network security. It provides security practitioners the exact security awareness. However, most of the works are not applicable to the unknown threat. What is more, existing efforts on security metric mainly focus on the ease of certain attack from a theoretical point of view, ignoring the "likelihood of exploitation." To help administrator have a better understanding, we analyze the behavior of attackers who exploit the zero-day vulnerabilities and predict their attack timing. Based on the prediction, we propose a method of security measurement. In detail, we compute the optimal attack timing from the perspective of attacker, using a long-term game to estimate the risk of being found and then choose the optimal timing based on the risk and profit. We design a learning strategy to model the information sharing mechanism among multiattackers and use spatial structure to model the long-term process. After calculating the Nash equilibrium for each subgame, we consider the likelihood of being attacked for each node as the security metric result. The experiment results show the efficiency of our approach.

show abstract

A Machine Learning Framework for Studying Domain Generation Algorithm (DGA)-Based Malware

Chin

Xiong

et al. 2018

Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

View full text Add to dashboard Cite

Paint It Black: Evaluating the Effectiveness of Malware Blacklists

Cited by 109 publications

References 18 publications

DomainProfiler: toward accurate and early discovery of domain names abused in future

DomainProfiler: toward accurate and early discovery of domain names abused in future

Security Measurement for Unknown Threats Based on Attack Preferences

A Machine Learning Framework for Studying Domain Generation Algorithm (DGA)-Based Malware

Contact Info

Product

Resources

About