DomainProfiler

toward accurate and early discovery of domain names abused in future

Daiki Chiba, Takeshi Yagi, Mitsuaki Akiyama, Toshiki Shibahara, Tatsuya Mori, Shigeki Goto

    Research output: Contribution to journal › Article

    Abstract

    Domain names are at the base of today’s cyber-attacks. Attackers abuse the domain name system (DNS) to mystify their attack ecosystems; they systematically generate a huge volume of distinct domain names to make it infeasible for blacklisting approaches to keep up with newly generated malicious domain names. To solve this problem, we propose DomainProfiler for discovering malicious domain names that are likely to be abused in future. The key idea with our system is to exploit temporal variation patterns (TVPs) of domain names. The TVPs of domain names include information about how and when a domain name has been listed in legitimate/popular and/or malicious domain name lists. On the basis of this idea, our system actively collects historical DNS logs, analyzes their TVPs, and predicts whether a given domain name will be used for malicious purposes. Our evaluation revealed that DomainProfiler can predict malicious domain names 220 days beforehand with a true positive rate of 0.985. Moreover, we verified the effectiveness of our system in terms of the benefits from our TVPs and defense against cyber-attacks.

    Original language: English
    Pages (from-to): 1-20
    Number of pages: 20
    Journal: International Journal of Information Security
    DOIs: 10.1007/s10207-017-0396-7
    Publication status: Accepted/In press - 2017 Dec 16

    Fingerprint

    Ecosystems

    Keywords

    • DNS
    • Domain name
    • Malware
    • Network-level security and protection
    • Temporal variation pattern

    ASJC Scopus subject areas

    • Software
    • Information Systems
    • Safety, Risk, Reliability and Quality
    • Computer Networks and Communications

    Cite this

    DomainProfiler : toward accurate and early discovery of domain names abused in future. / Chiba, Daiki; Yagi, Takeshi; Akiyama, Mitsuaki; Shibahara, Toshiki; Mori, Tatsuya; Goto, Shigeki.

    In: International Journal of Information Security, 16.12.2017, p. 1-20.

    @article{45f717f9e56b4df59ec771d21602b928,
    title = "DomainProfiler: toward accurate and early discovery of domain names abused in future",
    keywords = "DNS, Domain name, Malware, Network-level security and protection, Temporal variation pattern",
    author = "Daiki Chiba and Takeshi Yagi and Mitsuaki Akiyama and Toshiki Shibahara and Tatsuya Mori and Shigeki Goto",
    year = "2017",
    month = "12",
    day = "16",
    doi = "10.1007/s10207-017-0396-7",
    language = "English",
    pages = "1--20",
    journal = "International Journal of Information Security",
    issn = "1615-5262",
    publisher = "Springer Verlag",

    }

    TY - JOUR

    T1 - DomainProfiler

    T2 - toward accurate and early discovery of domain names abused in future

    AU - Chiba, Daiki

    AU - Yagi, Takeshi

    AU - Akiyama, Mitsuaki

    AU - Shibahara, Toshiki

    AU - Mori, Tatsuya

    AU - Goto, Shigeki

    PY - 2017/12/16

    Y1 - 2017/12/16

    KW - DNS

    KW - Domain name

    KW - Malware

    KW - Network-level security and protection

    KW - Temporal variation pattern

    UR - http://www.scopus.com/inward/record.url?scp=85038075762&partnerID=8YFLogxK

    UR - http://www.scopus.com/inward/citedby.url?scp=85038075762&partnerID=8YFLogxK

    U2 - 10.1007/s10207-017-0396-7

    DO - 10.1007/s10207-017-0396-7

    M3 - Article

    SP - 1

    EP - 20

    JO - International Journal of Information Security

    JF - International Journal of Information Security

    SN - 1615-5262

    ER -