PREDATOR: Proactive Recognition and Elimination of Domain Abuse at Time-Of-Registration

Authors: Shuang Hao, Alex Kantchelian, Brad Miller, Vern Paxson, Nick Feamster

DOI: 10.1145/2976749.2978317

Keywords:

Abstract: Miscreants register thousands of new domains every day to launch Internet-scale attacks, such as spam, phishing, and drive-by downloads. Quickly and accurately determining a domain's reputation (its association with malicious activity) provides a powerful tool for mitigating threats and protecting users. Yet, existing domain reputation systems work by observing domain use (e.g., lookup patterns, content hosted), often too late to prevent miscreants from reaping the benefits of the attacks that they launch. As a complement to these systems, we explore the extent to which features evident at registration time indicate subsequent malicious activity. We develop PREDATOR, an approach that uses only time-of-registration features to establish domain reputation. We base its design on the intuition that miscreants need to obtain many domains to ensure profitability and attack agility, leading to abnormal registration behaviors (e.g., burst registrations, textually similar names). We evaluate PREDATOR using registration logs of second-level .com and .net domains over five months. PREDATOR achieves a 70% detection rate with a false positive rate of 0.35%, thus making it an effective early first line of defense against misuse of DNS domains. It predicts malicious domains when they are registered, which is typically days or weeks earlier than existing blacklists.
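A minimal illustration of the two registration-time signals the abstract names (burst registrations from one registrar and textually similar names), added here as an example and not taken from the paper: the log records, the 5-minute window, the trigram Jaccard similarity and the thresholds are constructed assumptions, not PREDATOR's actual features or classifier.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample registration log: (UTC timestamp, domain, registrar).
# Not real data; the "RegA" burst is deliberately planted.
SAMPLE_LOG = [
    ("2016-03-01T10:00:05", "example-shop-1.com", "RegA"),
    ("2016-03-01T10:00:09", "example-shop-2.com", "RegA"),
    ("2016-03-01T10:00:14", "example-shop-3.com", "RegA"),
    ("2016-03-01T10:00:20", "example-shop-4.com", "RegA"),
    ("2016-03-01T10:00:31", "example-shop-5.com", "RegA"),
    ("2016-03-01T11:42:00", "quietbakery.net", "RegB"),
    ("2016-03-01T15:07:18", "hillside-clinic.com", "RegA"),
]

def sld(domain):
    """Second-level label, e.g. 'example-shop-1' from 'example-shop-1.com'."""
    return domain.lower().rsplit(".", 1)[0]

def trigrams(label):
    """Character trigrams with padding so short labels still produce a set."""
    s = f"  {label} "
    return {s[i:i + 3] for i in range(len(s) - 2)}

def jaccard(a, b):
    """Jaccard similarity of two sets (1.0 for identical, 0.0 for disjoint)."""
    return len(a & b) / len(a | b) if a | b else 0.0

def score_registrations(log, window=timedelta(minutes=5), min_burst=4, min_sim=0.5):
    """Flag domains registered in a burst of textually similar names.
    A burst is at least `min_burst` registrations from the same registrar
    within +/- `window` of each other; the domain is flagged only if its
    mean trigram similarity to its burst peers reaches `min_sim`.
    Returns {domain: (burst_size, mean_similarity)}. Thresholds are assumptions."""
    by_registrar = defaultdict(list)
    for ts, dom, reg in log:
        by_registrar[reg].append((datetime.fromisoformat(ts), dom))
    flagged = {}
    for entries in by_registrar.values():
        entries.sort()
        for t0, d0 in entries:
            peers = [d for t, d in entries if abs(t - t0) <= window and d != d0]
            if len(peers) + 1 < min_burst:
                continue  # isolated registration: no burst signal
            g0 = trigrams(sld(d0))
            sim = sum(jaccard(g0, trigrams(sld(p))) for p in peers) / len(peers)
            if sim >= min_sim:
                flagged[d0] = (len(peers) + 1, round(sim, 2))
    return flagged
```

On the constructed log only the five `example-shop-N.com` names are flagged; the lone registrations from each registrar are not.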
