Abstract
Domain name blacklists are used to detect malicious activity on the Internet. Unfortunately, no set of blacklists is known to encompass all malicious domains, reflecting an ongoing struggle for defenders to keep up with attackers, who are often motivated by either criminal financial gain or strategic goals. The result is that practitioners struggle to assess the value of using blacklists, and researchers introduce errors when using blacklists as ground truth. We define the ground truth for blacklists to be the set of all currently malicious domains and explore the problem of assessing accuracy and coverage. Where existing work depends on an oracle or some ground truth, this work describes how blacklists can be analysed without this dependency. Another common approach is to implicitly sample blacklists, whereas our analysis covers all entries found in the blacklists. To evaluate the proposed method, 31 blacklists have been collected every hour for 56 days, containing a total of 1,006,266 unique blacklisted domain names. The results show that blacklists differ considerably once changes over time are taken into account. We conclude that it is important to consider the aspect of time when assessing the usefulness of a blacklist.
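As an added illustration of why the time dimension matters when comparing blacklists (this is not code or data from the paper), the following Python compares two constructed hourly-sampled blacklists both hour by hour and as time-agnostic unions; the snapshot values, list names and the specific metrics are assumptions, not the authors' method.

```python
# Constructed hourly snapshots: hour -> {blacklist name: set of domains}.
# The domain names are placeholders, not real indicators.
SNAPSHOTS = {
    0: {"A": {"d1.example", "d2.example"},
        "B": {"d1.example"}},
    1: {"A": {"d1.example", "d2.example", "d3.example"},
        "B": {"d1.example", "d3.example"}},
    2: {"A": {"d2.example", "d3.example"},
        "B": {"d1.example", "d3.example", "d4.example"}},
}


def churn(snapshots, name):
    """(hour, added, removed) for each hour after the first, for one list."""
    hours = sorted(snapshots)
    out = []
    for prev, cur in zip(hours, hours[1:]):
        before, after = snapshots[prev][name], snapshots[cur][name]
        out.append((cur, len(after - before), len(before - after)))
    return out


def concurrent_overlap(snapshots, a, b):
    """Share of A's entries that B lists in the same hour, averaged over hours."""
    ratios = []
    for snap in snapshots.values():
        if snap[a]:
            ratios.append(len(snap[a] & snap[b]) / len(snap[a]))
    return sum(ratios) / len(ratios)


def eventual_overlap(snapshots, a, b):
    """Share of domains ever on A that B lists at any time (time ignored)."""
    ever_a = set().union(*(s[a] for s in snapshots.values()))
    ever_b = set().union(*(s[b] for s in snapshots.values()))
    return len(ever_a & ever_b) / len(ever_a)


def first_listed(snapshots):
    """For every domain seen, the first hour it appeared and which lists had it then."""
    first = {}
    for hour in sorted(snapshots):
        for name, domains in snapshots[hour].items():
            for d in domains:
                if d not in first:
                    first[d] = (hour, [])
                if first[d][0] == hour:
                    first[d][1].append(name)
    return {d: (h, sorted(names)) for d, (h, names) in first.items()}
```

On the constructed data the union view reports that B covers two thirds of A, while the hour-by-hour view reports only about 56%, which is the kind of gap a time-agnostic comparison hides.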
© 2019 Springer Nature Switzerland AG
Cite this paper
Kidmose, E., Gausel, K., Brandbyge, S., Pedersen, J.M. (2019). Assessing Usefulness of Blacklists Without the Ground Truth. In: Choraś, M., Choraś, R. (eds) Image Processing and Communications Challenges 10. IP&C 2018. Advances in Intelligent Systems and Computing, vol 892. Springer, Cham. https://doi.org/10.1007/978-3-030-03658-4_26
DOI: https://doi.org/10.1007/978-3-030-03658-4_26
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-03657-7
Online ISBN: 978-3-030-03658-4
eBook Packages: Intelligent Technologies and Robotics (R0)