Abstract
Domain name blacklists are used to detect malicious activity on the Internet.
Unfortunately, no set of blacklists is known to encompass all malicious domains, reflecting an ongoing struggle for defenders to keep up with attackers, who are often motivated by either criminal financial gain or strategic goals.
The result is that practitioners struggle to assess the value of using blacklists, and researchers introduce errors when using blacklists as ground truth.
We define the ground truth for blacklists to be the set of all currently malicious domains and explore the problem of assessing the accuracy and coverage.
Where existing work depends on an oracle or some ground truth, this work describes how blacklists can be analysed without this dependency.
Another common approach is to implicitly sample blacklists, where our analysis covers all entries found in the blacklists.
To evaluate the proposed method 31 blacklists have been collected every hour for 56 days, containing a total of 1,006,266 unique blacklisted domain names.
The results show that blacklists are very different when considering changes over time.
We conclude that it is important to consider the aspect of time when assessing the usefulness of a blacklist.
Unfortunately, no set of blacklists is known to encompass all malicious domains, reflecting an ongoing struggle for defenders to keep up with attackers, who are often motivated by either criminal financial gain or strategic goals.
The result is that practitioners struggle to assess the value of using blacklists, and researchers introduce errors when using blacklists as ground truth.
We define the ground truth for blacklists to be the set of all currently malicious domains and explore the problem of assessing the accuracy and coverage.
Where existing work depends on an oracle or some ground truth, this work describes how blacklists can be analysed without this dependency.
Another common approach is to implicitly sample blacklists, where our analysis covers all entries found in the blacklists.
To evaluate the proposed method 31 blacklists have been collected every hour for 56 days, containing a total of 1,006,266 unique blacklisted domain names.
The results show that blacklists are very different when considering changes over time.
We conclude that it is important to consider the aspect of time when assessing the usefulness of a blacklist.
| Original language | English |
|---|---|
| Title of host publication | Image Processing and Communications Challenges 10 |
| Number of pages | 8 |
| Publisher | Springer |
| Publication date | 2018 |
| Pages | 216-223 |
| ISBN (Print) | 978-3-030-03657-7 |
| ISBN (Electronic) | 978-3-030-03658-4 |
| DOIs | |
| Publication status | Published - 2018 |
| Event | 10th International Conference on Image Processing & Communications - Bydgoszcz, Poland Duration: 14 Nov 2018 → 16 Nov 2018 |
Conference
| Conference | 10th International Conference on Image Processing & Communications |
|---|---|
| Country/Territory | Poland |
| City | Bydgoszcz |
| Period | 14/11/2018 → 16/11/2018 |
| Series | Advances in Intelligent Systems and Computing |
|---|---|
| Volume | 892 |
| ISSN | 2194-5357 |
Keywords
- Domain names
- blacklists
- domain names system