Registration, Detection, and Deregistration: Analyzing DNS Abuse for Phishing Attacks
- URL: http://arxiv.org/abs/2502.09549v1
- Date: Thu, 13 Feb 2025 18:02:48 GMT
- Title: Registration, Detection, and Deregistration: Analyzing DNS Abuse for Phishing Attacks
- Authors: Kyungchan Lim, Kiho Lee, Raffaele Sommese, Mattis Jonker, Ricky Mok, kc claffy, Doowon Kim
- Abstract summary: Phishing continues to pose a significant cybersecurity threat. It is essential to address this fundamental challenge at the root, particularly in phishing domains. Domain registration presents a crucial intervention point, as domains serve as the primary gateway between users and websites.
- Score: 3.1043447355364813
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Phishing continues to pose a significant cybersecurity threat. While blocklists currently serve as a primary defense, due to their reactive, passive nature, these delayed responses leave phishing websites operational long enough to harm potential victims. It is essential to address this fundamental challenge at the root, particularly in phishing domains. Domain registration presents a crucial intervention point, as domains serve as the primary gateway between users and websites. We conduct a comprehensive longitudinal analysis of 690,502 unique phishing domains, spanning a 39 month period, to examine their characteristics and behavioral patterns throughout their lifecycle-from initial registration to detection and eventual deregistration. We find that 66.1% of the domains in our dataset are maliciously registered, leveraging cost-effective TLDs and targeting brands by mimicking their domain names under alternative TLDs (e.g., .top and .tk) instead of the TLDs under which the brand domains are registered (e.g., .com and .ru). We also observe minimal improvements in detection speed for maliciously registered domains compared to compromised domains. Detection times vary widely across blocklists, and phishing domains remain accessible for an average of 11.5 days after detection, prolonging their potential impact. Our systematic investigation uncovers key patterns from registration through detection to deregistration, which could be leveraged to enhance anti-phishing active defenses at the DNS level.
Related papers
- A Study of Effectiveness of Brand Domain Identification Features for Phishing Detection in 2025 [0.0]
Brand Domain Identification serves as a crucial step in many phishing detection approaches.
This study systematically evaluates the effectiveness of features employed over the past decade for BDI.
arXiv Detail & Related papers (2025-03-09T07:14:04Z)
- MANTIS: Detection of Zero-Day Malicious Domains Leveraging Low Reputed Hosting Infrastructure [6.214359156708907]
Existing detection mechanisms are either too late to catch such malicious domains due to limited information and their short life spans or unable to catch them due to evasive techniques such as cloaking and captcha.
We build MANTIS, a system that not only generates daily blocklists of malicious domains but also is able to predict malicious domains on-demand.
On average, our models achieve a precision of 99.7%, a recall of 86.9% with a very low false positive rate (FPR) of 0.1% and on average detects 19K new malicious domains per day.
arXiv Detail & Related papers (2025-02-13T21:46:34Z)
- DomainDynamics: Lifecycle-Aware Risk Timeline Construction for Domain Names [2.6217304977339473]
DomainDynamics is a novel system designed to predict domain name risks by considering their lifecycle stages.
In an experiment involving over 85,000 actual malicious domains from malware and phishing incidents, DomainDynamics achieved an 82.58% detection rate with a low false positive rate of 0.41%.
arXiv Detail & Related papers (2024-10-02T23:33:13Z)
- Say No to Freeloader: Protecting Intellectual Property of Your Deep Model [52.783709712318405]
Compact Un-transferable Pyramid Isolation Domain (CUPI-Domain) serves as a barrier against illegal transfers from authorized to unauthorized domains.
We propose CUPI-Domain generators, which select features from both authorized and CUPI-Domain as anchors.
We provide two solutions for utilizing CUPI-Domain based on whether the unauthorized domain is known.
arXiv Detail & Related papers (2024-08-23T15:34:33Z)
- Don't Get Hijacked: Prevalence, Mitigation, and Impact of Non-Secure DNS Dynamic Updates [1.135267457536642]
DNS dynamic updates represent an inherently vulnerable mechanism.
Non-secure DNS updates leave domains susceptible to a novel form of attack termed zone poisoning.
We undertook a comprehensive campaign involving the notification of Computer Security Incident Response Teams.
arXiv Detail & Related papers (2024-05-30T09:23:53Z)
- SecureReg: Combining NLP and MLP for Enhanced Detection of Malicious Domain Name Registrations [0.0]
This paper introduces a cutting-edge approach for identifying suspicious domains at the onset of the registration process.
The proposed system analyzes semantic and numerical attributes by leveraging a novel combination of Natural Language Processing (NLP) techniques.
With an F1 score of 84.86% and an accuracy of 84.95% on the SecureReg dataset, it effectively detects malicious domain registrations.
arXiv Detail & Related papers (2024-01-06T11:43:57Z)
- PhishReplicant: A Language Model-based Approach to Detect Generated Squatting Domain Names [2.3999111269325266]
Domain squatting is a technique used by attackers to create domain names for phishing sites.
We propose a system called PhishReplicant that detects generated squatting domains (GSDs) by focusing on the linguistic similarity of domain names.
arXiv Detail & Related papers (2023-10-18T07:41:41Z)
- DRSM: De-Randomized Smoothing on Malware Classifier Providing Certified Robustness [58.23214712926585]
We develop a certified defense, DRSM (De-Randomized Smoothed MalConv), by redesigning the de-randomized smoothing technique for the domain of malware detection.
Specifically, we propose a window ablation scheme to provably limit the impact of adversarial bytes while maximally preserving local structures of the executables.
We are the first to offer certified robustness in the realm of static detection of malware executables.
arXiv Detail & Related papers (2023-03-20T17:25:22Z)
- Model Barrier: A Compact Un-Transferable Isolation Domain for Model Intellectual Property Protection [52.08301776698373]
We propose a novel approach called Compact Un-Transferable Isolation Domain (CUTI-domain).
CUTI-domain acts as a barrier to block illegal transfers from authorized to unauthorized domains.
We show that CUTI-domain can be easily implemented as a plug-and-play module with different backbones.
arXiv Detail & Related papers (2023-03-20T13:07:11Z)
- IDM: An Intermediate Domain Module for Domain Adaptive Person Re-ID [58.46907388691056]
We argue that the bridging between the source and target domains can be utilized to tackle the UDA re-ID task.
We propose an Intermediate Domain Module (IDM) to generate intermediate domains' representations on-the-fly.
Our proposed method outperforms the state-of-the-art by a large margin in all the common UDA re-ID tasks.
arXiv Detail & Related papers (2021-08-05T07:19:46Z)
- Towards Corruption-Agnostic Robust Domain Adaptation [76.66523954277945]
We investigate a new task, Corruption-agnostic Robust Domain Adaptation (CRDA): to be accurate on original data and robust against unavailable-for-training corruptions on target domains.
We propose a new approach based on two technical insights into CRDA: 1) an easy-to-plug module called Domain Discrepancy Generator (DDG) that generates samples that enlarge domain discrepancy to mimic unpredictable corruptions; 2) a simple but effective teacher-student scheme with contrastive loss to enhance the constraints on target domains.
arXiv Detail & Related papers (2021-04-21T06:27:48Z)
- TANTRA: Timing-Based Adversarial Network Traffic Reshaping Attack [46.79557381882643]
We present TANTRA, a novel end-to-end Timing-based Adversarial Network Traffic Reshaping Attack.
Our evasion attack utilizes a long short-term memory (LSTM) deep neural network (DNN) which is trained to learn the time differences between the target network's benign packets.
TANTRA achieves an average success rate of 99.99% in network intrusion detection system evasion.
arXiv Detail & Related papers (2021-03-10T19:03:38Z)
This list is automatically generated from the titles and abstracts of the papers in this site.