Research article (open access)

Premadoma: An Operational Solution to Prevent Malicious Domain Name Registrations in the .eu TLD

Published: 22 January 2021

Abstract

DNS is one of the most essential components of the Internet, mapping domain names to the IP addresses behind almost every online service. Domain names are therefore also a fundamental tool for attackers to quickly locate and relocate their malicious activities on the Internet. In this article, we design and evaluate Premadoma, a solution for DNS registries to predict malicious intent well before a domain name becomes operational. In contrast to blacklists, which only offer protection after some harm has already been done, this system can prevent domain names from being used before they can pose any threat. We advance the state of the art by leveraging recent insights into the ecosystem of malicious domain registrations, focusing explicitly on facilitators employed for bulk registration and on similarity patterns in registrant information. We thoroughly evaluate the proposed prediction model's performance and adaptability on an 11-month testing set and address complex and domain-specific dataset challenges. Moreover, we have successfully deployed Premadoma in the operational environment of the .eu ccTLD registry, resulting in a decline in malicious registrations. Finally, we have identified and quantified three possible evasion patterns and have observed changes in the malicious registration ecosystem since Premadoma was put into operation.
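The abstract names two registration-time signals: facilitators used for bulk registration (for instance the registrar and the nameservers a batch of domains is submitted with) and similarity between the registrant details of successive registrations. The Python below is an added illustration of how such features can be computed from a registration stream before any domain goes live; it is not Premadoma's published model nor EURid's code. The field set, the 24-hour look-back window, the 0.8 similarity threshold, the length-normalised Levenshtein similarity, the linear weights and all registrations are assumptions and constructed sample data.

```python
"""Registration-time scoring from bulk-registration and registrant-similarity
features. Added illustration, not Premadoma's model: fields, window, threshold,
weights and the sample registrations below are assumptions / constructed data."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Registration:
    domain: str
    registrant_name: str
    registrant_email: str
    registrar: str        # facilitator: the registrar submitting the request
    nameservers: tuple    # facilitator: DNS hosting configured at registration
    ts: datetime


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance using a two-row dynamic-programming table."""
    if a == b:
        return 0
    if not a or not b:
        return max(len(a), len(b))
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(a: str, b: str) -> float:
    """1.0 for identical strings, 0.0 for nothing in common (length-normalised; an assumption)."""
    longest = max(len(a), len(b))
    return 1.0 if longest == 0 else 1.0 - levenshtein(a, b) / longest


def registrant_similarity(r1: Registration, r2: Registration) -> float:
    """Mean similarity of the case-folded registrant name and e-mail local part."""
    pairs = [
        (r1.registrant_name, r2.registrant_name),
        (r1.registrant_email.split("@")[0], r2.registrant_email.split("@")[0]),
    ]
    return sum(similarity(a.lower(), b.lower()) for a, b in pairs) / len(pairs)


def registration_features(new: Registration, history, window=timedelta(hours=24),
                          sim_threshold: float = 0.8) -> dict:
    """Features for one incoming registration, computed only from earlier registrations
    inside the look-back window, so the check can run before the domain is delegated."""
    recent = [r for r in history if new.ts - window <= r.ts < new.ts]
    sims = [registrant_similarity(new, r) for r in recent]
    return {
        # how many recent registrations came through the same registrar + nameserver pair
        "same_facilitator_burst": sum(
            1 for r in recent if r.registrar == new.registrar and r.nameservers == new.nameservers),
        # how many recent registrants look like near-copies of this one
        "near_duplicate_registrants": sum(1 for s in sims if s >= sim_threshold),
        "max_registrant_similarity": max(sims, default=0.0),
    }


def suspicion_score(features: dict) -> float:
    """Hand-picked linear weights clipped to [0, 1]; an assumption, not a trained model."""
    raw = 0.15 * features["same_facilitator_burst"] + 0.2 * features["near_duplicate_registrants"]
    return min(1.0, raw)


# Constructed sample data (hypothetical names, e-mail addresses and .example domains).
T0 = datetime(2021, 1, 22, 10, 0)
CAMPAIGN_NS = ("ns1.bulkhost.example", "ns2.bulkhost.example")
HISTORY = [
    Registration("shop-deal-01.example", "Jon Smit", "jon.smit01@mail.example",
                 "registrar-a", CAMPAIGN_NS, T0 + timedelta(minutes=1)),
    Registration("shop-deal-02.example", "Jon Smit", "jon.smit02@mail.example",
                 "registrar-a", CAMPAIGN_NS, T0 + timedelta(minutes=2)),
    Registration("shop-deal-03.example", "Jon Smitt", "jon.smit03@mail.example",
                 "registrar-a", CAMPAIGN_NS, T0 + timedelta(minutes=3)),
    Registration("bakery-leuven.example", "Anna Peeters", "anna@bakery-leuven.example",
                 "registrar-b", ("ns1.hoster.example", "ns2.hoster.example"),
                 T0 - timedelta(days=3)),
]
NEW_CAMPAIGN = Registration("shop-deal-04.example", "Jon Smit", "jon.smit04@mail.example",
                            "registrar-a", CAMPAIGN_NS, T0 + timedelta(minutes=4))
NEW_BENIGN = Registration("pieters-garage.example", "Piet Pieters", "piet@pieters-garage.example",
                          "registrar-a", ("ns1.other.example", "ns2.other.example"),
                          T0 + timedelta(minutes=5))

if __name__ == "__main__":
    for reg in (NEW_CAMPAIGN, NEW_BENIGN):
        feats = registration_features(reg, HISTORY)
        print(reg.domain, feats, "score=%.2f" % suspicion_score(feats))
```

The fourth registration of the constructed campaign is flagged on two independent grounds: three earlier registrations in the window share its registrar and nameservers, and all three registrants are near-duplicates of it (names identical or one edit apart, e-mail local parts differing only in a counter). The benign registration shares the registrar but not the nameservers and has no similar registrant, so it scores zero. A production system would learn the weights and thresholds from labelled data and, as the article notes, has to expect registrants adapting their patterns once the check is in place.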




        Published In

        Digital Threats: Research and Practice, Volume 2, Issue 1
        Special Issue on ACSAC'19: Part 2
        March 2021
        160 pages
        EISSN: 2576-5337
        DOI: 10.1145/3447873
        This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

        Publisher

        Association for Computing Machinery

        New York, NY, United States

        Publication History

        Published: 22 January 2021
        Accepted: 01 August 2020
        Received: 01 May 2020
        Published in DTRAP Volume 2, Issue 1


        Author Tags

        1. Domain name registration
        2. early detection
        3. malicious domains

        Qualifiers

        • Research-article
        • Research
        • Refereed

        Funding Sources

        • Flemish Research Programme Cybersecurity
        • Research Fund KU Leuven
        • project commissioned by EURid

        Cited By

        • (2025) Semi-supervised approach for detecting malicious domains in TLDs in their first query. International Journal of Information Security 24(2). DOI: 10.1007/s10207-025-00996-3. Online publication date: 18 Feb 2025.
        • (2024) SecureReg: Combining NLP and MLP for Enhanced Detection of Malicious Domain Name Registrations. 2024 International Conference on Electrical, Computer and Energy Technologies (ICECET), 1-6. DOI: 10.1109/ICECET61485.2024.10698551. Online publication date: 25 Jul 2024.
        • (2024) Comparing Deep Neural Networks and Machine Learning for Detecting Malicious Domain Name Registrations. 2024 IEEE International Conference on Omni-layer Intelligent Systems (COINS), 1-4. DOI: 10.1109/COINS61597.2024.10622643. Online publication date: 29 Jul 2024.
        • (2023) Unraveling Threat Intelligence Through the Lens of Malicious URL Campaigns. Proceedings of the 18th Asian Internet Engineering Conference, 78-86. DOI: 10.1145/3630590.3630600. Online publication date: 12 Dec 2023.
        • (2021) Detection of Newly Registered Malicious Domains through Passive DNS. 2021 IEEE International Conference on Big Data (Big Data), 3360-3369. DOI: 10.1109/BigData52589.2021.9671348. Online publication date: 15 Dec 2021.
