DomainProfiler: toward accurate and early discovery of domain names abused in future

Daiki Chiba, Takeshi Yagi, Mitsuaki Akiyama, Toshiki Shibahara, Tatsuya Mori, Shigeki Goto

Research output: Contribution to journalArticle

Abstract

Domain names are at the base of today’s cyber-attacks. Attackers abuse the domain name system (DNS) to mystify their attack ecosystems; they systematically generate a huge volume of distinct domain names to make it infeasible for blacklisting approaches to keep up with newly generated malicious domain names. To solve this problem, we propose DomainProfiler for discovering malicious domain names that are likely to be abused in future. The key idea with our system is to exploit temporal variation patterns (TVPs) of domain names. The TVPs of domain names include information about how and when a domain name has been listed in legitimate/popular and/or malicious domain name lists. On the basis of this idea, our system actively collects historical DNS logs, analyzes their TVPs, and predicts whether a given domain name will be used for malicious purposes. Our evaluation revealed that DomainProfiler can predict malicious domain names 220 days beforehand with a true positive rate of 0.985. Moreover, we verified the effectiveness of our system in terms of the benefits from our TVPs and defense against cyber-attacks.

Original languageEnglish
Pages (from-to)661-680
Number of pages20
JournalInternational Journal of Information Security
Volume17
Issue number6
DOIs
Publication statusPublished - 2018 Nov 1

Keywords

  • DNS
  • Domain name
  • Malware
  • Network-level security and protection
  • Temporal variation pattern

ASJC Scopus subject areas

  • Software
  • Information Systems
  • Safety, Risk, Reliability and Quality
  • Computer Networks and Communications

Fingerprint Dive into the research topics of 'DomainProfiler: toward accurate and early discovery of domain names abused in future'. Together they form a unique fingerprint.

  • Cite this