PREMADOMA: An Operational Solution for DNS Registries to Prevent Malicious Domain Registrations

DNS is one of the most essential components of the Internet, mapping domain names to the IP addresses behind almost every online service. Domain names are therefore also a fundamental tool for attackers to quickly locate and relocate their malicious activities on the Internet. In this paper, we design and evaluate PREMADOMA, a solution for DNS registries to predict malicious intent well before a domain name becomes operational. In contrast to blacklists, which only offer protection after some harm has already been done, this system can prevent domain names from being used before they can pose any threats. We advance the state of the art by leveraging recent insights into the ecosystem of malicious domain registrations, focusing explicitly on facilitators employed for bulk registration and similarity patterns in registrant information. We thoroughly evaluate the proposed prediction model’s performance and adaptability on an 11 month testing set, and address complex and domain-specific dataset challenges. Moreover, we have successfully deployed Premadoma in the production environment of the .eu ccTLD registry to detect and prevent malicious registrations, and have contributed to the take down of 58,966 registrations in 2018.

ISBN:978-1-4503-7628-0

Publication year:2019

BOF-keylabel:yes

IOF-keylabel:yes

Authors from:Private, Higher Education

Accessibility:Open