Domainprofiler: Discovering domain names abused in future

Daiki Chiba; Takeshi Yagi; Mitsuaki Akiyama; Toshiki Shibahara; Takeshi Yada; Tatsuya Mori; Shigeki Goto

doi:10.1109/DSN.2016.51

Domainprofiler: Discovering domain names abused in future

Daiki Chiba, Takeshi Yagi, Mitsuaki Akiyama, Toshiki Shibahara, Takeshi Yada, Tatsuya Mori, Shigeki Goto

School of Fundamental Science and Engineering

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

29 Citations (Scopus)

Abstract

Cyber attackers abuse the domain name system (DNS) to mystify their attack ecosystems, they systematically generate a huge volume of distinct domain names to make it infeasible for blacklisting approaches to keep up with newly generated malicious domain names. As a solution to this problem, we propose a system for discovering malicious domain names that will likely be abused in future. The key idea with our system is to exploit temporal variation patterns (TVPs) of domain names. The TVPs of domain names include information about how and when a domain name has been listed in legitimate/popular and/or malicious domain name lists. On the basis of this idea, our system actively collects DNS logs, analyzes their TVPs, and predicts whether a given domain name will be used for malicious purposes. Our evaluation revealed that our system can predict malicious domain names 220 days beforehand with a true positive rate of 0.985.

Original language	English
Title of host publication	Proceedings - 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2016
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	491-502
Number of pages	12
ISBN (Electronic)	9781467388917
DOIs	https://doi.org/10.1109/DSN.2016.51
Publication status	Published - 2016 Sept 29
Event	46th IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2016 - Toulouse, France Duration: 2016 Jun 28 → 2016 Jul 1

Publication series

Name	Proceedings - 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2016

Other

Other	46th IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2016
Country/Territory	France
City	Toulouse
Period	16/6/28 → 16/7/1

Keywords

DNS
Malicious domain name
Temporal variation pattern

ASJC Scopus subject areas

Hardware and Architecture
Software
Safety, Risk, Reliability and Quality
Computer Networks and Communications

Access to Document

10.1109/DSN.2016.51

Cite this

Chiba, D., Yagi, T., Akiyama, M., Shibahara, T., Yada, T., Mori, T., & Goto, S. (2016). Domainprofiler: Discovering domain names abused in future. In Proceedings - 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2016 (pp. 491-502). Article 7579766 (Proceedings - 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2016). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/DSN.2016.51

Domainprofiler: Discovering domain names abused in future. / Chiba, Daiki; Yagi, Takeshi; Akiyama, Mitsuaki et al.
Proceedings - 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2016. Institute of Electrical and Electronics Engineers Inc., 2016. p. 491-502 7579766 (Proceedings - 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2016).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Chiba, D, Yagi, T, Akiyama, M, Shibahara, T, Yada, T, Mori, T & Goto, S 2016, Domainprofiler: Discovering domain names abused in future. in Proceedings - 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2016., 7579766, Proceedings - 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2016, Institute of Electrical and Electronics Engineers Inc., pp. 491-502, 46th IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2016, Toulouse, France, 16/6/28. https://doi.org/10.1109/DSN.2016.51

Chiba D, Yagi T, Akiyama M, Shibahara T, Yada T, Mori T et al. Domainprofiler: Discovering domain names abused in future. In Proceedings - 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2016. Institute of Electrical and Electronics Engineers Inc. 2016. p. 491-502. 7579766. (Proceedings - 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2016). doi: 10.1109/DSN.2016.51

Chiba, Daiki ; Yagi, Takeshi ; Akiyama, Mitsuaki et al. / Domainprofiler : Discovering domain names abused in future. Proceedings - 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2016. Institute of Electrical and Electronics Engineers Inc., 2016. pp. 491-502 (Proceedings - 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2016).

@inproceedings{cd20f7200d354125afa8ecd8cd9dff4a,

title = "Domainprofiler: Discovering domain names abused in future",

abstract = "Cyber attackers abuse the domain name system (DNS) to mystify their attack ecosystems, they systematically generate a huge volume of distinct domain names to make it infeasible for blacklisting approaches to keep up with newly generated malicious domain names. As a solution to this problem, we propose a system for discovering malicious domain names that will likely be abused in future. The key idea with our system is to exploit temporal variation patterns (TVPs) of domain names. The TVPs of domain names include information about how and when a domain name has been listed in legitimate/popular and/or malicious domain name lists. On the basis of this idea, our system actively collects DNS logs, analyzes their TVPs, and predicts whether a given domain name will be used for malicious purposes. Our evaluation revealed that our system can predict malicious domain names 220 days beforehand with a true positive rate of 0.985.",

keywords = "DNS, Malicious domain name, Temporal variation pattern",

author = "Daiki Chiba and Takeshi Yagi and Mitsuaki Akiyama and Toshiki Shibahara and Takeshi Yada and Tatsuya Mori and Shigeki Goto",

note = "Publisher Copyright: {\textcopyright} 2016 IEEE.; 46th IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2016 ; Conference date: 28-06-2016 Through 01-07-2016",

year = "2016",

month = sep,

day = "29",

doi = "10.1109/DSN.2016.51",

language = "English",

series = "Proceedings - 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2016",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "491--502",

booktitle = "Proceedings - 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2016",

}

TY - GEN

T1 - Domainprofiler

T2 - 46th IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2016

AU - Chiba, Daiki

AU - Yagi, Takeshi

AU - Akiyama, Mitsuaki

AU - Shibahara, Toshiki

AU - Yada, Takeshi

AU - Mori, Tatsuya

AU - Goto, Shigeki

PY - 2016/9/29

Y1 - 2016/9/29

N2 - Cyber attackers abuse the domain name system (DNS) to mystify their attack ecosystems, they systematically generate a huge volume of distinct domain names to make it infeasible for blacklisting approaches to keep up with newly generated malicious domain names. As a solution to this problem, we propose a system for discovering malicious domain names that will likely be abused in future. The key idea with our system is to exploit temporal variation patterns (TVPs) of domain names. The TVPs of domain names include information about how and when a domain name has been listed in legitimate/popular and/or malicious domain name lists. On the basis of this idea, our system actively collects DNS logs, analyzes their TVPs, and predicts whether a given domain name will be used for malicious purposes. Our evaluation revealed that our system can predict malicious domain names 220 days beforehand with a true positive rate of 0.985.

AB - Cyber attackers abuse the domain name system (DNS) to mystify their attack ecosystems, they systematically generate a huge volume of distinct domain names to make it infeasible for blacklisting approaches to keep up with newly generated malicious domain names. As a solution to this problem, we propose a system for discovering malicious domain names that will likely be abused in future. The key idea with our system is to exploit temporal variation patterns (TVPs) of domain names. The TVPs of domain names include information about how and when a domain name has been listed in legitimate/popular and/or malicious domain name lists. On the basis of this idea, our system actively collects DNS logs, analyzes their TVPs, and predicts whether a given domain name will be used for malicious purposes. Our evaluation revealed that our system can predict malicious domain names 220 days beforehand with a true positive rate of 0.985.

KW - DNS

KW - Malicious domain name

KW - Temporal variation pattern

UR - http://www.scopus.com/inward/record.url?scp=84994371738&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84994371738&partnerID=8YFLogxK

U2 - 10.1109/DSN.2016.51

DO - 10.1109/DSN.2016.51

M3 - Conference contribution

AN - SCOPUS:84994371738

T3 - Proceedings - 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2016

SP - 491

EP - 502

BT - Proceedings - 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2016

PB - Institute of Electrical and Electronics Engineers Inc.

Y2 - 28 June 2016 through 1 July 2016

ER -

Domainprofiler: Discovering domain names abused in future

Abstract

Publication series

Other

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this