DomainChroma: Building actionable threat intelligence from malicious domain names

Daiki Chiba, Mitsuaki Akiyama, Takeshi Yagi, Kunio Hato, Tatsuya Mori, Shigeki Goto

    Research output: Contribution to journal › Article

    1 Citation (Scopus)

    Abstract

    Since the 1980s, domain names and the domain name system (DNS) have been used and abused. Although legitimate Internet users rely on domain names as indispensable infrastructures for using the Internet, attackers use or abuse them as reliable, instantaneous, and distributed attack infrastructures. However, there is a lack of complete understanding of such domain-name abuses and methods for coping with them. In this study, we designed and implemented a unified analysis system combining current defense solutions to build actionable threat intelligence from malicious domain names. The basic concept underlying our system is malicious domain name chromatography. Our analysis system can distinguish among mixtures of malicious domain names for websites. On the basis of this concept, we do not create a hodgepodge of current solutions but design separation of abused domain names and offer actionable threat intelligence or defense information by considering the characteristics of malicious domain names as well as the possible defense solutions and points of defense. Finally, we evaluated our analysis system and defense-information output using a large real dataset to show the effectiveness and validity of our system.
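    The abstract's central idea is that a blocklist of "malicious domains" is a mixture: domains the attacker registered, legitimate sites that were compromised, and hostnames abused under a shared service each call for a different defense point and a different blocking granularity. The following is an added illustration of that separate-then-route step; it is not the authors' code, and the three fractions, the shared-service list, the age and entropy thresholds and the defense points are assumptions chosen for the example, not the taxonomy or rules of the DomainChroma paper.

```python
"""Toy 'domain-name chromatography': separate a mixture of malicious domain
names into fractions by observable characteristics, then attach the defense
point and blacklist granularity appropriate to each fraction.

Added illustration only. The fractions, the shared-service list, the age and
entropy thresholds and the defense points are assumptions chosen for this
example; they are not the taxonomy or rules used in the DomainChroma paper."""

import math
from collections import Counter
from dataclasses import dataclass

# Assumption: registrable domains whose subdomains are handed out to arbitrary
# users (free hosting, dynamic DNS). Blocking the apex would hit every tenant.
SHARED_SUFFIXES = {"ddns.example", "freehost.example"}

# Assumption: fraction -> (where to report, block the whole registered domain?)
DEFENSE_POINTS = {
    "attacker-registered": ("takedown request to registrar/registry", True),
    "compromised-legitimate": ("abuse report to site owner / hosting provider", False),
    "abused-shared-service": ("abuse report to the shared-service operator", False),
}

DGA_ENTROPY_BITS = 3.5   # assumption: threshold on bits/char of the registered label


@dataclass(frozen=True)
class DomainObservation:
    fqdn: str
    registered_domain: str        # eTLD+1, computed by the caller (e.g. with a PSL library)
    registered_days_ago: int      # age of the registered domain at observation time
    serves_benign_content: bool   # the site still serves legitimate content elsewhere


def shannon_entropy(label: str) -> float:
    """Bits per character; high values hint at an algorithmically generated label."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def separate(obs: DomainObservation) -> str:
    """Assign one observation to a fraction; most specific test first."""
    if obs.registered_domain in SHARED_SUFFIXES:
        return "abused-shared-service"
    if obs.serves_benign_content and obs.registered_days_ago > 365:
        return "compromised-legitimate"
    return "attacker-registered"


def build_defense_info(observations):
    """Group observations by fraction and emit per-domain defense information."""
    info = {}
    for obs in observations:
        fraction = separate(obs)
        report_to, block_apex = DEFENSE_POINTS[fraction]
        label = obs.registered_domain.split(".")[0]
        info.setdefault(fraction, []).append({
            "fqdn": obs.fqdn,
            "report_to": report_to,
            # Block at the coarsest safe granularity: the whole registered domain
            # only when the attacker owns it, otherwise just the abused hostname.
            "blacklist_entry": obs.registered_domain if block_apex else obs.fqdn,
            "dga_like": fraction == "attacker-registered"
                        and shannon_entropy(label) >= DGA_ENTROPY_BITS,
        })
    return info


# Constructed sample input (not real data).
SAMPLE_OBSERVATIONS = [
    DomainObservation("xk9q2v7bz4wm.example", "xk9q2v7bz4wm.example", 3, False),
    DomainObservation("update.evil-brand.example", "evil-brand.example", 10, False),
    DomainObservation("shop.trusted-store.example", "trusted-store.example", 2000, True),
    DomainObservation("invoice-portal.ddns.example", "ddns.example", 4000, True),
]

if __name__ == "__main__":
    for fraction, entries in build_defense_info(SAMPLE_OBSERVATIONS).items():
        print(fraction)
        for e in entries:
            print("  ", e["fqdn"], "->", e["report_to"],
                  "| blacklist:", e["blacklist_entry"], "| dga_like:", e["dga_like"])
```

    The point of the routing table is the caveat a practitioner cares about: a domain-level blacklist entry is the right output for an attacker-registered domain but causes collateral damage for a compromised site or a shared hosting/dynamic-DNS apex, where the actionable output is a hostname-level entry plus an abuse report to whoever can actually clean the resource up.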

    Original language: English
    Pages (from-to): 138-161
    Number of pages: 24
    Journal: Computers and Security
    Volume: 77
    DOI: 10.1016/j.cose.2018.03.013
    Publication status: Published - 2018 Aug 1

    Keywords

    • Abuse report
    • Actionable threat intelligence
    • Categorization
    • Defense point
    • Domain blacklist
    • Malicious domain name

    ASJC Scopus subject areas

    • Computer Science(all)
    • Law

    Cite this

    Chiba, Daiki; Akiyama, Mitsuaki; Yagi, Takeshi; Hato, Kunio; Mori, Tatsuya; Goto, Shigeki. DomainChroma: Building actionable threat intelligence from malicious domain names. In: Computers and Security, Vol. 77, 01.08.2018, pp. 138-161.

    @article{1cbf4c43c9fe4972b2c58d4e56c03990,
    title = "DomainChroma: Building actionable threat intelligence from malicious domain names",
    abstract = "Since the 1980s, domain names and the domain name system (DNS) have been used and abused. Although legitimate Internet users rely on domain names as indispensable infrastructures for using the Internet, attackers use or abuse them as reliable, instantaneous, and distributed attack infrastructures. However, there is a lack of complete understanding of such domain-name abuses and methods for coping with them. In this study, we designed and implemented a unified analysis system combining current defense solutions to build actionable threat intelligence from malicious domain names. The basic concept underlying our system is malicious domain name chromatography. Our analysis system can distinguish among mixtures of malicious domain names for websites. On the basis of this concept, we do not create a hodgepodge of current solutions but design separation of abused domain names and offer actionable threat intelligence or defense information by considering the characteristics of malicious domain names as well as the possible defense solutions and points of defense. Finally, we evaluated our analysis system and defense-information output using a large real dataset to show the effectiveness and validity of our system.",
    keywords = "Abuse report, Actionable threat intelligence, Categorization, Defense point, Domain blacklist, Malicious domain name",
    author = "Daiki Chiba and Mitsuaki Akiyama and Takeshi Yagi and Kunio Hato and Tatsuya Mori and Shigeki Goto",
    year = "2018",
    month = "8",
    day = "1",
    doi = "10.1016/j.cose.2018.03.013",
    language = "English",
    volume = "77",
    pages = "138--161",
    journal = "Computers and Security",
    issn = "0167-4048",
    publisher = "Elsevier Limited",
    }

    TY - JOUR
    T1 - DomainChroma
    T2 - Building actionable threat intelligence from malicious domain names
    AU - Chiba, Daiki
    AU - Akiyama, Mitsuaki
    AU - Yagi, Takeshi
    AU - Hato, Kunio
    AU - Mori, Tatsuya
    AU - Goto, Shigeki
    PY - 2018/8/1
    Y1 - 2018/8/1
    AB - Since the 1980s, domain names and the domain name system (DNS) have been used and abused. Although legitimate Internet users rely on domain names as indispensable infrastructures for using the Internet, attackers use or abuse them as reliable, instantaneous, and distributed attack infrastructures. However, there is a lack of complete understanding of such domain-name abuses and methods for coping with them. In this study, we designed and implemented a unified analysis system combining current defense solutions to build actionable threat intelligence from malicious domain names. The basic concept underlying our system is malicious domain name chromatography. Our analysis system can distinguish among mixtures of malicious domain names for websites. On the basis of this concept, we do not create a hodgepodge of current solutions but design separation of abused domain names and offer actionable threat intelligence or defense information by considering the characteristics of malicious domain names as well as the possible defense solutions and points of defense. Finally, we evaluated our analysis system and defense-information output using a large real dataset to show the effectiveness and validity of our system.
    KW - Abuse report
    KW - Actionable threat intelligence
    KW - Categorization
    KW - Defense point
    KW - Domain blacklist
    KW - Malicious domain name
    UR - http://www.scopus.com/inward/record.url?scp=85046353897&partnerID=8YFLogxK
    UR - http://www.scopus.com/inward/citedby.url?scp=85046353897&partnerID=8YFLogxK
    U2 - 10.1016/j.cose.2018.03.013
    DO - 10.1016/j.cose.2018.03.013
    M3 - Article
    AN - SCOPUS:85046353897
    VL - 77
    SP - 138
    EP - 161
    JO - Computers and Security
    JF - Computers and Security
    SN - 0167-4048
    ER -