On the Potential of Proactive Domain Blacklisting - Márk Félegyházi - PowerPoint PPT Presentation



SLIDE 1

On the Potential of Proactive Domain Blacklisting

Márk Félegyházi, Christian Kreibich and Vern Paxson ICSI, Berkeley

SLIDES 2-4

Spam domain registrations

Kreibich et al., "Spamcraft: An inside look at spam campaign orchestration", LEET 2009

(CCIED: The Collaborative Center for Internet Epidemiology and Defenses)

  • domains dropped soon after being blacklisted
  • domains registered in batches

SLIDES 5-6

Proactive domain clustering

SLIDES 7-11

Name server features

.COM zone file - NS records

SLIDES 12-14

Registration features

WHOIS registry records

SLIDES 15-19

Evaluation

SLIDES 20-21

Prediction accuracy

  • good true positive rate, only few false positives
  • the number of false positives varies across clusters
    – 84% of clusters have no potential FPs (domains of unknown status)

SLIDES 22-26

A note on false positives

  • some other clusters (example: 123 domains, 119 FP)
    – many noun-noun domains
  • large cluster: 1746 domains
    – part of a set of 80k domains
    – registered under a single name in Albania in Jan and Feb 2010

SLIDES 27-29

Time to blacklisting

SLIDES 30-34

Summary

  • domains registered and used in clusters
  • more malicious domains inferred from a few seeds and domain registry information
  • good accuracy
    – 73% of inferred domains on blacklists
    – 93% of domains are suspicious
    – "false positives" (domains not on any blacklist) are often true positives
  • faster than blacklists for 92% of the inferred malicious domains
    – enables early response to spam

SLIDES 35-36

Spam and click volumes

Kanich et al., "Spamalytics: An empirical analysis of spam marketing conversion", CCS 2008

(CCIED: The Collaborative Center for Internet Epidemiology and Defenses)

SLIDE 37

Name server ages

SLIDE 38

NS features

  • 82.2% of domains use fresh name servers
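The pipeline the deck sketches (name server features from the .COM zone file, registration features from WHOIS records, clustering around a few blacklisted seeds, then checking precision and time to blacklisting, plus the "fresh name server" statistic on this slide) as one added example in Python. This is illustrative code written for this page, not the authors' implementation: the domain records, dates and blacklist are constructed, and the two linking rules (a shared name server that was at most 7 days old when the domain appeared; the same registrar and registrant within a 1-day batch) and their thresholds are assumptions standing in for whatever features the real system used on the full zone.

```python
# Added example, not the authors' code. Seed-driven inference of spam domains
# from zone-file NS records and WHOIS-style registration records, with an
# evaluation against a blacklist that also measures the lead over it.
# All records, dates and names below are constructed for illustration.
from collections import defaultdict
from datetime import date

FRESH_NS_DAYS = 7      # assumption: an NS first seen <= 7 days earlier is "fresh"
BATCH_WINDOW_DAYS = 1  # assumption: same registrar+registrant within a day = one batch

# Constructed records: (domain, first seen in .COM zone, name servers, registrar, registrant)
RECORDS = [
    ("legit-shop.com",   date(2009, 6, 1),  {"ns1.bighost.com"},    "RegA", "Acme Inc"),
    ("old-news.com",     date(2009, 9, 12), {"ns1.bighost.com"},    "RegA", "Old News LLC"),
    ("pillz-one.com",    date(2010, 1, 5),  {"ns1.fastflux-x.com"}, "RegB", "J. Doe"),
    ("pillz-two.com",    date(2010, 1, 5),  {"ns1.fastflux-x.com"}, "RegB", "J. Doe"),
    ("pillz-three.com",  date(2010, 1, 5),  {"ns1.fastflux-x.com"}, "RegB", "J. Doe"),
    ("pillz-four.com",   date(2010, 1, 6),  {"ns2.fastflux-x.com"}, "RegB", "J. Doe"),
    ("watch-deal-a.com", date(2010, 1, 8),  {"ns1.watchns.com"},    "RegC", "K. Roe"),
    ("watch-deal-b.com", date(2010, 1, 8),  {"ns1.watchns.com"},    "RegC", "K. Roe"),
    ("garden-table.com", date(2010, 1, 8),  {"ns1.bighost.com"},    "RegA", "P. Smith"),
]
# Constructed blacklist: domain -> date it was listed. The seed is listed first.
BLACKLIST = {
    "pillz-one.com":  date(2010, 1, 9),
    "pillz-two.com":  date(2010, 1, 20),
    "pillz-four.com": date(2010, 1, 15),
}
SEEDS = {"pillz-one.com"}
INFERENCE_DATE = date(2010, 1, 9)  # the day the seed hit the blacklist


def ns_first_seen(records):
    """Earliest zone date at which each name server is referenced by any domain."""
    first = {}
    for _, seen, nss, _, _ in records:
        for ns in nss:
            first[ns] = min(first.get(ns, seen), seen)
    return first


def fresh_name_servers(records, window=FRESH_NS_DAYS):
    """domain -> subset of its NS that were at most `window` days old when it appeared."""
    first = ns_first_seen(records)
    return {dom: {ns for ns in nss if (seen - first[ns]).days <= window}
            for dom, seen, nss, _, _ in records}


def fraction_with_fresh_ns(records):
    """Share of domains served by at least one fresh name server (cf. the 82.2% figure)."""
    return sum(1 for nss in fresh_name_servers(records).values() if nss) / len(records)


def cluster_domains(records):
    """Union-find over domains: link on a shared fresh NS or on a registration batch."""
    parent = {r[0]: r[0] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    # NS feature: domains that pointed at the same fresh name server.
    by_fresh_ns = defaultdict(list)
    for dom, nss in fresh_name_servers(records).items():
        for ns in nss:
            by_fresh_ns[ns].append(dom)
    for doms in by_fresh_ns.values():
        for d in doms[1:]:
            union(doms[0], d)
    # Registration feature: same registrar and registrant, registered within one batch window.
    by_registrant = defaultdict(list)
    for dom, seen, _, registrar, registrant in records:
        by_registrant[(registrar, registrant)].append((seen, dom))
    for entries in by_registrant.values():
        entries.sort()
        for (d1, a), (d2, b) in zip(entries, entries[1:]):
            if (d2 - d1).days <= BATCH_WINDOW_DAYS:
                union(a, b)
    clusters = defaultdict(set)
    for dom in parent:
        clusters[find(dom)].add(dom)
    return list(clusters.values())


def infer_from_seeds(records, seeds):
    """Every non-seed domain that shares a cluster with a known-bad seed."""
    inferred = set()
    for cluster in cluster_domains(records):
        if cluster & seeds:
            inferred |= cluster - seeds
    return inferred


def evaluate(inferred, blacklist, inference_date):
    """Precision against the blacklist, and how many hits the inference beat to the punch."""
    hits = {d: blacklist[d] for d in inferred if d in blacklist}
    return {
        "inferred": len(inferred),
        "on_blacklist": len(hits),
        "precision": len(hits) / len(inferred) if inferred else 0.0,
        "earlier_than_blacklist": sum(1 for day in hits.values() if inference_date < day),
        "lead_days": sorted((day - inference_date).days for day in hits.values()),
    }


def run_example():
    inferred = infer_from_seeds(RECORDS, SEEDS)
    return inferred, evaluate(inferred, BLACKLIST, INFERENCE_DATE)


if __name__ == "__main__":
    print(run_example())
```

From the single seed the code reaches the three sibling pillz-*.com domains: two of them are blacklisted later (precision 2/3) and both are caught 6 and 11 days before the blacklist lists them, the small-scale analogue of the 73% and 92% figures in the summary. The watch-deal cluster is never reached because it shares neither a fresh name server nor a registrant with a seed, which is the inherent limit of seed-driven inference, and old-news.com and garden-table.com stay out because their long-lived shared hoster NS is not fresh, which is the check that keeps a big legitimate name server from gluing unrelated domains together.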
SLIDE 39

Registration clusters

SLIDE 40

McAfee SiteAdvisor