TY - GEN
T1 - PREDATOR
T2 - 23rd ACM Conference on Computer and Communications Security, CCS 2016
AU - Hao, Shuang
AU - Kantchelian, Alex
AU - Miller, Brad
AU - Paxson, Vern
AU - Feamster, Nick
N1 - Funding Information:
We thank the anonymous reviewers for their valuable comments. We also thank Christopher Kruegel, Kevin Borgolte, and Jennifer Rexford for many helpful suggestions and discussions to improve the paper. This work was supported in part by the National Science Foundation awards CNS-1237265, CNS-1535796, CNS-1540066, and by a gift from Google. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the sponsors.
Publisher Copyright:
© 2016 Copyright held by the owner/author(s).
PY - 2016/10/24
Y1 - 2016/10/24
N2 - Miscreants register thousands of new domains every day to launch Internet-scale attacks, such as spam, phishing, and drive-by downloads. Quickly and accurately determining a domain's reputation (association with malicious activity) provides a powerful tool for mitigating threats and protecting users. Yet, existing domain reputation systems work by observing domain use (e.g., lookup patterns, content hosted), often too late to prevent miscreants from reaping benefits of the attacks that they launch. As a complement to these systems, we explore the extent to which features evident at domain registration indicate a domain's subsequent use for malicious activity. We develop PREDATOR, an approach that uses only time-of-registration features to establish domain reputation. We base its design on the intuition that miscreants need to obtain many domains to ensure profitability and attack agility, leading to abnormal registration behaviors (e.g., burst registrations, textually similar names). We evaluate PREDATOR using registration logs of second-level .com and .net domains over five months. PREDATOR achieves a 70% detection rate with a false positive rate of 0.35%, thus making it an effective, and early, first line of defense against the misuse of DNS domains. It predicts malicious domains when they are registered, which is typically days or weeks earlier than existing DNS blacklists.
AB - Miscreants register thousands of new domains every day to launch Internet-scale attacks, such as spam, phishing, and drive-by downloads. Quickly and accurately determining a domain's reputation (association with malicious activity) provides a powerful tool for mitigating threats and protecting users. Yet, existing domain reputation systems work by observing domain use (e.g., lookup patterns, content hosted), often too late to prevent miscreants from reaping benefits of the attacks that they launch. As a complement to these systems, we explore the extent to which features evident at domain registration indicate a domain's subsequent use for malicious activity. We develop PREDATOR, an approach that uses only time-of-registration features to establish domain reputation. We base its design on the intuition that miscreants need to obtain many domains to ensure profitability and attack agility, leading to abnormal registration behaviors (e.g., burst registrations, textually similar names). We evaluate PREDATOR using registration logs of second-level .com and .net domains over five months. PREDATOR achieves a 70% detection rate with a false positive rate of 0.35%, thus making it an effective, and early, first line of defense against the misuse of DNS domains. It predicts malicious domains when they are registered, which is typically days or weeks earlier than existing DNS blacklists.
KW - Domain registration
KW - Early detection
KW - Reputation system
UR - http://www.scopus.com/inward/record.url?scp=84995504000&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84995504000&partnerID=8YFLogxK
U2 - 10.1145/2976749.2978317
DO - 10.1145/2976749.2978317
M3 - Conference contribution
AN - SCOPUS:84995504000
T3 - Proceedings of the ACM Conference on Computer and Communications Security
SP - 1568
EP - 1579
BT - CCS 2016 - Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security
PB - Association for Computing Machinery
Y2 - 24 October 2016 through 28 October 2016
ER -
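The abstract above names two registration-time signals, burst registrations and textually similar names, as the kind of behavior PREDATOR keys on. The following is an added illustration of how such features can be pulled from a registration log; it is not the paper's code. PREDATOR trains a supervised classifier over many registration features, whereas this block computes only those two signals and applies a hand-set rule in place of the learned model. The log format, the 5-minute burst window, the character 3-gram similarity measure, and the flagging thresholds are all assumptions, and the log lines are constructed, not real registrations.

```python
"""Registration-time features in the spirit of the PREDATOR abstract.

Added illustration, not the paper's code. It computes two of the signals the
abstract names (burst registrations by one registrar, textually similar
names) and flags domains with a hand-set rule standing in for the paper's
supervised classifier. Log format, window and thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (not real registrations): "timestamp registrar domain".
CONSTRUCTED_LOG = """\
2016-03-01T10:00:01Z reg-a secure-login-update.com
2016-03-01T10:00:05Z reg-a secure-login-update1.com
2016-03-01T10:00:09Z reg-a secure-login-updates.com
2016-03-01T10:00:14Z reg-a secure-logon-update.com
2016-03-01T10:00:20Z reg-a secure-login-update2.net
2016-03-01T11:30:00Z reg-b mountain-bike-shop.com
2016-03-01T14:12:44Z reg-c family-photos-archive.net
"""


@dataclass(frozen=True)
class Registration:
    ts: datetime
    registrar: str
    domain: str


def parse_log(text):
    """Parse the constructed log into Registration records sorted by time."""
    regs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, registrar, domain = line.split()
        regs.append(Registration(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                 registrar, domain.lower()))
    return sorted(regs, key=lambda r: r.ts)


def sld_label(domain):
    """Second-level label without the TLD (enough for .com/.net names)."""
    return domain.rsplit(".", 1)[0]


def char_ngrams(s, n=3):
    """Character n-grams with boundary markers so prefixes and suffixes count."""
    s = f"^{s}$"
    return {s[i:i + n] for i in range(len(s) - n + 1)}


def jaccard(a, b):
    """Jaccard similarity of two n-gram sets; two empty sets count as identical."""
    return len(a & b) / len(a | b) if (a or b) else 1.0


def extract_features(regs, window=timedelta(minutes=5)):
    """Per-domain features: burst size and max name similarity inside the burst.

    A burst is the set of registrations by the same registrar whose timestamps
    lie within `window` of this one (assumed definition). The pairwise scan is
    O(n^2), fine for an illustration; a real pipeline would sweep a sorted
    window per registrar.
    """
    feats = {}
    for r in regs:
        peers = [p for p in regs
                 if p is not r and p.registrar == r.registrar
                 and abs(p.ts - r.ts) <= window]
        grams = char_ngrams(sld_label(r.domain))
        max_sim = max((jaccard(grams, char_ngrams(sld_label(p.domain)))
                       for p in peers), default=0.0)
        feats[r.domain] = {"burst_size": 1 + len(peers), "max_name_sim": max_sim}
    return feats


def flag_suspicious(feats, min_burst=3, min_sim=0.5):
    """Hand-set rule (assumption) in place of the paper's learned classifier."""
    return sorted(d for d, f in feats.items()
                  if f["burst_size"] >= min_burst and f["max_name_sim"] >= min_sim)


if __name__ == "__main__":
    features = extract_features(parse_log(CONSTRUCTED_LOG))
    for domain, f in features.items():
        print(f"{domain:32s} burst={f['burst_size']} max_sim={f['max_name_sim']:.2f}")
    print("flagged:", flag_suspicious(features))
```

On the constructed log, the five reg-a names registered within twenty seconds of each other form a burst of size 5 with pairwise 3-gram similarity above 0.8, so all five are flagged, while the two isolated registrations are not. The point of the exercise is the one the abstract makes: these signals exist at registration time, before any lookup traffic or hosted content is available to a use-based reputation system.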