Comparison of DNS Based Methods for Detecting Malicious Domains

Eyal Paz; Ehud Gudes

doi:10.1007/978-3-030-49785-9_14

Comparison of DNS Based Methods for Detecting Malicious Domains

Eyal Paz
, Ehud Gudes

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

1 Scopus citations

Abstract

The Domain Name System (DNS) is an essential component of the internet infrastructure, used to translates domain names into IP addresses. Threat actors often abuse this system by registering and taking over thousands of Internet domains every day. These serve to launch various types of cyber-attacks, such as spam, phishing, botnets, and drive-by downloads. Currently, the main countermeasure addressing such threat is reactive blacklisting. Since cyber-attacks are mainly performed for short periods, reactive methods are usually too late and hence ineffective. As a result, new approaches to early identification of malicious websites are needed. In the recent decade, many novel papers were published offering systems to calculate domain reputation for domains that are not listed in common black-lists. This research implements three such approaches and evaluates their effectiveness in detecting malicious phishing domains. The social network analysis technique performed best, as it achieved a 60.71% detection rate with a false positive rate of only 0.35%.

Original language	English
Title of host publication	Cyber Security Cryptography and Machine Learning - 4th International Symposium, CSCML 2020, Proceedings
Editors	Shlomi Dolev, Gera Weiss, Vladimir Kolesnikov, Sachin Lodha
Publisher	Springer
Pages	219-236
Number of pages	18
ISBN (Print)	9783030497842
DOIs	https://doi.org/10.1007/978-3-030-49785-9_14
State	Published - 1 Jan 2020
Event	4th International Symposium on Cyber Security Cryptography and Machine Learning, CSCML 2020 - Beersheba, Israel Duration: 2 Jul 2020 → 3 Jul 2020

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	12161 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	4th International Symposium on Cyber Security Cryptography and Machine Learning, CSCML 2020
Country/Territory	Israel
City	Beersheba
Period	2/07/20 → 3/07/20

UN SDGs

This output contributes to the following UN Sustainable Development Goals (SDGs)

SDG 9 Industry, Innovation, and Infrastructure

Keywords

Attack
Cyber security
DNS
Phishing
Privacy-preserving security
Reputation system
Social network analysis

ASJC Scopus subject areas

Theoretical Computer Science
General Computer Science

Access to Document

10.1007/978-3-030-49785-9_14

Cite this

Paz, E., & Gudes, E. (2020). Comparison of DNS Based Methods for Detecting Malicious Domains. In S. Dolev, G. Weiss, V. Kolesnikov, & S. Lodha (Eds.), Cyber Security Cryptography and Machine Learning - 4th International Symposium, CSCML 2020, Proceedings (pp. 219-236). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 12161 LNCS). Springer. https://doi.org/10.1007/978-3-030-49785-9_14

Paz, Eyal ; Gudes, Ehud. / Comparison of DNS Based Methods for Detecting Malicious Domains. Cyber Security Cryptography and Machine Learning - 4th International Symposium, CSCML 2020, Proceedings. editor / Shlomi Dolev ; Gera Weiss ; Vladimir Kolesnikov ; Sachin Lodha. Springer, 2020. pp. 219-236 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{16ba7e1bb7f14cc38c5803a450113111,

title = "Comparison of DNS Based Methods for Detecting Malicious Domains",

abstract = "The Domain Name System (DNS) is an essential component of the internet infrastructure, used to translates domain names into IP addresses. Threat actors often abuse this system by registering and taking over thousands of Internet domains every day. These serve to launch various types of cyber-attacks, such as spam, phishing, botnets, and drive-by downloads. Currently, the main countermeasure addressing such threat is reactive blacklisting. Since cyber-attacks are mainly performed for short periods, reactive methods are usually too late and hence ineffective. As a result, new approaches to early identification of malicious websites are needed. In the recent decade, many novel papers were published offering systems to calculate domain reputation for domains that are not listed in common black-lists. This research implements three such approaches and evaluates their effectiveness in detecting malicious phishing domains. The social network analysis technique performed best, as it achieved a 60.71\% detection rate with a false positive rate of only 0.35\%.",

keywords = "Attack, Cyber security, DNS, Phishing, Privacy-preserving security, Reputation system, Social network analysis",

author = "Eyal Paz and Ehud Gudes",

note = "Publisher Copyright: {\textcopyright} 2020, Springer Nature Switzerland AG.; 4th International Symposium on Cyber Security Cryptography and Machine Learning, CSCML 2020 ; Conference date: 02-07-2020 Through 03-07-2020",

year = "2020",

month = jan,

day = "1",

doi = "10.1007/978-3-030-49785-9\_14",

language = "English",

isbn = "9783030497842",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer",

pages = "219--236",

editor = "Shlomi Dolev and Gera Weiss and Vladimir Kolesnikov and Sachin Lodha",

booktitle = "Cyber Security Cryptography and Machine Learning - 4th International Symposium, CSCML 2020, Proceedings",

address = "Germany",

}

Paz, E & Gudes, E 2020, Comparison of DNS Based Methods for Detecting Malicious Domains. in S Dolev, G Weiss, V Kolesnikov & S Lodha (eds), Cyber Security Cryptography and Machine Learning - 4th International Symposium, CSCML 2020, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 12161 LNCS, Springer, pp. 219-236, 4th International Symposium on Cyber Security Cryptography and Machine Learning, CSCML 2020, Beersheba, Israel, 2/07/20. https://doi.org/10.1007/978-3-030-49785-9_14

Comparison of DNS Based Methods for Detecting Malicious Domains. / Paz, Eyal; Gudes, Ehud.
Cyber Security Cryptography and Machine Learning - 4th International Symposium, CSCML 2020, Proceedings. ed. / Shlomi Dolev; Gera Weiss; Vladimir Kolesnikov; Sachin Lodha. Springer, 2020. p. 219-236 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 12161 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Comparison of DNS Based Methods for Detecting Malicious Domains

AU - Paz, Eyal

AU - Gudes, Ehud

PY - 2020/1/1

Y1 - 2020/1/1

N2 - The Domain Name System (DNS) is an essential component of the internet infrastructure, used to translates domain names into IP addresses. Threat actors often abuse this system by registering and taking over thousands of Internet domains every day. These serve to launch various types of cyber-attacks, such as spam, phishing, botnets, and drive-by downloads. Currently, the main countermeasure addressing such threat is reactive blacklisting. Since cyber-attacks are mainly performed for short periods, reactive methods are usually too late and hence ineffective. As a result, new approaches to early identification of malicious websites are needed. In the recent decade, many novel papers were published offering systems to calculate domain reputation for domains that are not listed in common black-lists. This research implements three such approaches and evaluates their effectiveness in detecting malicious phishing domains. The social network analysis technique performed best, as it achieved a 60.71% detection rate with a false positive rate of only 0.35%.

AB - The Domain Name System (DNS) is an essential component of the internet infrastructure, used to translates domain names into IP addresses. Threat actors often abuse this system by registering and taking over thousands of Internet domains every day. These serve to launch various types of cyber-attacks, such as spam, phishing, botnets, and drive-by downloads. Currently, the main countermeasure addressing such threat is reactive blacklisting. Since cyber-attacks are mainly performed for short periods, reactive methods are usually too late and hence ineffective. As a result, new approaches to early identification of malicious websites are needed. In the recent decade, many novel papers were published offering systems to calculate domain reputation for domains that are not listed in common black-lists. This research implements three such approaches and evaluates their effectiveness in detecting malicious phishing domains. The social network analysis technique performed best, as it achieved a 60.71% detection rate with a false positive rate of only 0.35%.

KW - Attack

KW - Cyber security

KW - DNS

KW - Phishing

KW - Privacy-preserving security

KW - Reputation system

KW - Social network analysis

UR - https://www.scopus.com/pages/publications/85087744448

U2 - 10.1007/978-3-030-49785-9_14

DO - 10.1007/978-3-030-49785-9_14

M3 - Conference contribution

AN - SCOPUS:85087744448

SN - 9783030497842

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 219

EP - 236

BT - Cyber Security Cryptography and Machine Learning - 4th International Symposium, CSCML 2020, Proceedings

A2 - Dolev, Shlomi

A2 - Weiss, Gera

A2 - Kolesnikov, Vladimir

A2 - Lodha, Sachin

PB - Springer

T2 - 4th International Symposium on Cyber Security Cryptography and Machine Learning, CSCML 2020

Y2 - 2 July 2020 through 3 July 2020

ER -

Paz E, Gudes E. Comparison of DNS Based Methods for Detecting Malicious Domains. In Dolev S, Weiss G, Kolesnikov V, Lodha S, editors, Cyber Security Cryptography and Machine Learning - 4th International Symposium, CSCML 2020, Proceedings. Springer. 2020. p. 219-236. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-030-49785-9_14

Comparison of DNS Based Methods for Detecting Malicious Domains

Abstract

Publication series

Conference

UN SDGs

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this