International Journal On Cyber Situational Awareness (IJCSA)
ISSN: (Print) 2057-2182 ISSN: (Online) 2057-2182
Published Semi-annually. Est. 2014
Dr Cyril Onwubiko, Chair – Cyber Security & Intelligence, E-Security Group, Research Series, London, UK; IEEE UK & Ireland Section Secretary
Professor Frank Wang, Head of School / Professor of Future Computing, Chair IEEE Computer Society, UK&RI, School of Computing, University of Kent, Canterbury, UK
Professor Karen Renaud, Professor of Cyber Security, University of Abertay, Dundee, Scotland, UK
Heuristic Methods for Efficient Identification of Abusive Domain Names
Egon Kidmose, Erwin Lansing, Søren Brandbyge, Jens Myrup Pedersen
Domain names and the Domain Name System (DNS) are essential to the Internet, but unfortunately cyber-criminals also make use of these to fulfill their nefarious agenda and gain illicit profit. In this work we survey known forms of domain and DNS abuse from the criminal business point of view. We relate this to abusive techniques, which we also survey. Based on the theoretical understanding of the abusive techniques, we devise a set of practical heuristics for recognising said techniques. This enables a focused and efficient manual analysis of heuristically ranked domains, with the goal of identifying abusive domains. As the .dk Country Code Top-Level Domain has received little scrutiny in the past, but is believed to see only limited abuse, it represents a relevant and presumably challenging case for identifying abuse, and we therefore use it for evaluation. WHOIS data is collected for 10.000 second level domains for 66 days, heuristics are applied, and the resulting rankings guide a manual vetting. Our findings are that with automated heuristics we can limit the manual investigative effort to hours, and still identify 5 domains which are actively abused during our observation period.
Keyword: DNS, Domain Name, Abuse, Heuristics, Top-Level Domain
Volume 3. No. 1
Date: Dec. 2018
Reference to this paper should be made as follows: Kidmose, E., Lansing, E., Brandbyge, S., & Pedersen, J. M. (2018). Heuristic methods for efficient identification of abusive domain names. International Journal on Cyber Situational Awareness, Vol. 3, No. 1, pp 121-142.