Heuristic methods for efficient identification of abusive domain names

Egon Kidmose, Erwin Lansing, Søren Brandbyge, Jens Myrup Pedersen

Research output: Contribution to journal › Journal article › Research › peer-review


Abstract

Domain names and the Domain Name System (DNS) are essential to the Internet, but unfortunately cybercriminals also make use of them to further their nefarious agenda and gain illicit profit. In this work we survey known forms of domain and DNS abuse from the criminal business point of view, and relate these to the abusive techniques, which we also survey. Based on the theoretical understanding of the abusive techniques, we devise a set of practical heuristics for recognising them. This enables a focused and efficient manual analysis of heuristically ranked domains, with the goal of identifying abusive domains. As the .dk country-code top-level domain has received little scrutiny in the past, but is believed to see only limited abuse, it represents a relevant and presumably challenging case for identifying abuse, and we therefore use it for evaluation. A sampled set of 10,000 second-level domains is monitored for 66 days, the heuristics are applied, and the resulting rankings guide a manual vetting. Our finding is that automated heuristics limit the manual investigative effort to hours while still identifying 5 domains that were actively abused during our observation period.
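The pipeline the abstract describes, in miniature: periodic DNS observations of a sample of domains, heuristics derived from known abuse techniques, a score per domain, and a ranked shortlist that an analyst vets by hand. This is an added example, not the paper's code; the paper's concrete heuristics are not reproduced on this page, so the five heuristics below (IP churn, delegation churn, low TTL, DGA-looking label, late activation), their weights and thresholds, and the ten days of daily observations are all assumptions chosen for illustration. The domain names (reserved .example names standing in for .dk second-level domains) and the IP addresses (documentation ranges) are constructed.

```python
"""Heuristic ranking of monitored domains to focus manual abuse vetting.

Added illustration, not the paper's code. The five heuristics, their
weights and thresholds, and the daily observations are assumptions made
to show the shape of the pipeline: periodic DNS snapshots of a sample of
domains -> per-domain features -> score -> short ranked list for an analyst.
"""
import math
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    """One daily DNS snapshot of a second-level domain (constructed data)."""
    day: int
    a_records: frozenset    # IPv4 addresses answered for the apex A query (empty: no answer)
    nameservers: frozenset  # NS RRset as seen that day
    ttl: int                # TTL of the A RRset; 0 when there was no answer


def label_entropy(domain: str) -> float:
    """Shannon entropy in bits per character of the registrable label ('bakery' of bakery.example)."""
    label = domain.split(".")[0]
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def features(domain: str, obs: list[Observation]) -> dict[str, float]:
    """Assumed heuristics for well-known abuse techniques; each scaled to roughly [0, 1]."""
    obs = sorted(obs, key=lambda o: o.day)
    days = max(len(obs), 1)
    ips = set().union(*(o.a_records for o in obs))
    ns_sets = {o.nameservers for o in obs}
    ttls = [o.ttl for o in obs if o.a_records]  # TTLs on days the name actually resolved
    label = domain.split(".")[0]
    digit_ratio = sum(ch.isdigit() for ch in label) / max(len(label), 1)
    return {
        # Many distinct IPs relative to observation days: fast-flux-like hosting.
        "ip_churn": min(1.0, len(ips) / days),
        # Delegation changed during the window: rehoming after a takedown or registrar action.
        "ns_churn": min(1.0, (len(ns_sets) - 1) / 3),
        # Very low TTLs keep rotating infrastructure effective (assumed threshold: 300 s).
        "low_ttl": 1.0 if ttls and min(ttls) <= 300 else 0.0,
        # Digit-heavy, high-entropy labels resemble algorithmically generated names.
        # Crude on purpose: raw entropy grows with label length, so long legitimate
        # names also score here; the manual vetting step is what absorbs that.
        "dga_like": min(1.0, 0.5 * max(0.0, label_entropy(domain) - 2.5) + digit_ratio),
        # No answer at the start of the window, answers later: brought online mid-window.
        "late_activation": 1.0 if ttls and not obs[0].a_records else 0.0,
    }


# Assumed weights; in practice these would be tuned against vetted ground truth.
WEIGHTS = {"ip_churn": 3.0, "ns_churn": 2.0, "low_ttl": 1.0, "dga_like": 1.0, "late_activation": 1.5}


def score(feats: dict[str, float]) -> float:
    return sum(WEIGHTS[k] * v for k, v in feats.items())


def rank_domains(monitored: dict[str, list[Observation]], top_k: int) -> list[tuple[str, float]]:
    """Return the top_k (domain, score) pairs, highest score first; this is the vetting queue."""
    scored = [(d, round(score(features(d, o)), 3)) for d, o in monitored.items()]
    scored.sort(key=lambda t: (-t[1], t[0]))
    return scored[:top_k]


# --- constructed monitoring data (reserved .example names, documentation IP ranges) ---
DAYS = 10
NS_HOSTER = frozenset({"ns1.hoster.example", "ns2.hoster.example"})
NS_OTHER = frozenset({"ns1.other.example"})


def _series(ip_for_day, ns, ttl, offline_until=0):
    """DAYS daily observations; days before offline_until return no A answer."""
    return [Observation(d, frozenset(), ns, 0) if d < offline_until
            else Observation(d, frozenset({ip_for_day(d)}), ns, ttl)
            for d in range(DAYS)]


MONITORED = {
    # Ordinary site: one IP, long TTL, stable delegation.
    "bakery.example": _series(lambda d: "192.0.2.10", NS_HOSTER, 3600),
    # Fast-flux-like: a new IP every day behind a 60 s TTL.
    "webshop-deal.example": _series(lambda d: f"198.51.100.{d + 1}", NS_HOSTER, 60),
    # DGA-looking label, dark for the first week and then activated.
    "x7kq92mzt4.example": _series(lambda d: "203.0.113.7", NS_OTHER, 300, offline_until=7),
    # Legitimate site that moved hosting (and delegation) once mid-window.
    "news-portal.example": [Observation(d, frozenset({"192.0.2.20" if d < 5 else "192.0.2.21"}),
                                        NS_HOSTER if d < 5 else NS_OTHER, 3600) for d in range(DAYS)],
}

if __name__ == "__main__":
    for domain, s in rank_domains(MONITORED, top_k=len(MONITORED)):
        print(f"{s:6.3f}  {domain}  {features(domain, MONITORED[domain])}")
```

Running the block ranks the fast-flux-like and the late-activated DGA-looking names above the site that merely changed hosting, with the ordinary site last. The point of the design is the one the abstract makes: the heuristics do not decide anything, they only order the sample so that an analyst looks at the top of the list first and can stop after hours rather than after the whole sample; a crude heuristic with false positives (the entropy one here) costs vetting time but not correctness.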
Original language: English
Journal: International Journal On Cyber Situational Awareness (IJCSA)
Volume: 3
Issue number: 1
Pages (from-to): 121-142
Number of pages: 22
ISSN: 2057-2182
DOIs: 10.22619/IJCSA.2018.100123
Publication status: Published - 2018

Fingerprint

  • Heuristic methods
  • Profitability
  • Internet
  • Industry

Keywords

  • DNS
  • Domain Name
  • Abuse
  • Heuristics
  • Top-Level Domain

Cite this

@article{c72805d1d2474e79a8f9ba4b7b69a7b3,
title = "Heuristic methods for efficient identification of abusive domain names",
abstract = "Domain names and the Domain Name System (DNS) are essential to the Internet, but unfortunately cybercriminals also make use of them to further their nefarious agenda and gain illicit profit. In this work we survey known forms of domain and DNS abuse from the criminal business point of view, and relate these to the abusive techniques, which we also survey. Based on the theoretical understanding of the abusive techniques, we devise a set of practical heuristics for recognising them. This enables a focused and efficient manual analysis of heuristically ranked domains, with the goal of identifying abusive domains. As the .dk country-code top-level domain has received little scrutiny in the past, but is believed to see only limited abuse, it represents a relevant and presumably challenging case for identifying abuse, and we therefore use it for evaluation. A sampled set of 10,000 second-level domains is monitored for 66 days, the heuristics are applied, and the resulting rankings guide a manual vetting. Our finding is that automated heuristics limit the manual investigative effort to hours while still identifying 5 domains that were actively abused during our observation period.",
keywords = "DNS, Domain Name, Abuse, Heuristics, Top-Level Domain",
author = "Egon Kidmose and Erwin Lansing and S{\o}ren Brandbyge and Pedersen, {Jens Myrup}",
year = "2018",
doi = "10.22619/IJCSA.2018.100123",
language = "English",
volume = "3",
pages = "121--142",
journal = "International Journal On Cyber Situational Awareness (IJCSA)",
issn = "2057-2182",
publisher = "Centre for Multidisciplinary Research, Innovation and Collaboration (C-MRiC.ORG) London, UK",
number = "1",
}

Heuristic methods for efficient identification of abusive domain names. / Kidmose, Egon; Lansing, Erwin; Brandbyge, Søren; Pedersen, Jens Myrup.

In: International Journal On Cyber Situational Awareness (IJCSA), Vol. 3, No. 1, 2018, p. 121-142.
