TY - JOUR
T1 - DomainChroma
T2 - Building actionable threat intelligence from malicious domain names
AU - Chiba, Daiki
AU - Akiyama, Mitsuaki
AU - Yagi, Takeshi
AU - Hato, Kunio
AU - Mori, Tatsuya
AU - Goto, Shigeki
N1 - Publisher Copyright:
© 2018 The Authors
PY - 2018/8
Y1 - 2018/8
N2 - Since the 1980s, domain names and the domain name system (DNS) have been used and abused. Although legitimate Internet users rely on domain names as indispensable infrastructures for using the Internet, attackers use or abuse them as reliable, instantaneous, and distributed attack infrastructures. However, there is a lack of complete understanding of such domain-name abuses and methods for coping with them. In this study, we designed and implemented a unified analysis system combining current defense solutions to build actionable threat intelligence from malicious domain names. The basic concept underlying our system is malicious domain name chromatography. Our analysis system can distinguish among mixtures of malicious domain names for websites. On the basis of this concept, we do not create a hodgepodge of current solutions but design separation of abused domain names and offer actionable threat intelligence or defense information by considering the characteristics of malicious domain names as well as the possible defense solutions and points of defense. Finally, we evaluated our analysis system and defense-information output using a large real dataset to show the effectiveness and validity of our system.
AB - Since the 1980s, domain names and the domain name system (DNS) have been used and abused. Although legitimate Internet users rely on domain names as indispensable infrastructures for using the Internet, attackers use or abuse them as reliable, instantaneous, and distributed attack infrastructures. However, there is a lack of complete understanding of such domain-name abuses and methods for coping with them. In this study, we designed and implemented a unified analysis system combining current defense solutions to build actionable threat intelligence from malicious domain names. The basic concept underlying our system is malicious domain name chromatography. Our analysis system can distinguish among mixtures of malicious domain names for websites. On the basis of this concept, we do not create a hodgepodge of current solutions but design separation of abused domain names and offer actionable threat intelligence or defense information by considering the characteristics of malicious domain names as well as the possible defense solutions and points of defense. Finally, we evaluated our analysis system and defense-information output using a large real dataset to show the effectiveness and validity of our system.
KW - Abuse report
KW - Actionable threat intelligence
KW - Categorization
KW - Defense point
KW - Domain blacklist
KW - Malicious domain name
UR - http://www.scopus.com/inward/record.url?scp=85046353897&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85046353897&partnerID=8YFLogxK
U2 - 10.1016/j.cose.2018.03.013
DO - 10.1016/j.cose.2018.03.013
M3 - Article
AN - SCOPUS:85046353897
SN - 0167-4048
VL - 77
SP - 138
EP - 161
JO - Computers and Security
JF - Computers and Security
ER -