MANTIS: Detection of Zero-Day Malicious Domains Leveraging Low Reputed Hosting Infrastructure
- URL: http://arxiv.org/abs/2502.09788v1
- Date: Thu, 13 Feb 2025 21:46:34 GMT
- Title: MANTIS: Detection of Zero-Day Malicious Domains Leveraging Low Reputed Hosting Infrastructure
- Authors: Fatih Deniz, Mohamed Nabeel, Ting Yu, Issa Khalil
- Abstract summary: Existing detection mechanisms are either too late to catch such malicious domains due to limited information and their short life spans or unable to catch them due to evasive techniques such as cloaking and captcha. We build MANTIS, a system that not only generates daily blocklists of malicious domains but also is able to predict malicious domains on-demand. On average, our models achieve a precision of 99.7%, a recall of 86.9% with a very low false positive rate (FPR) of 0.1% and on average detects 19K new malicious domains per day.
- Score: 6.214359156708907
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Internet miscreants increasingly utilize short-lived disposable domains to launch various attacks. Existing detection mechanisms are either too late to catch such malicious domains due to limited information and their short life spans or unable to catch them due to evasive techniques such as cloaking and captcha. In this work, we investigate the possibility of detecting malicious domains early in their life cycle using a content-agnostic approach. We observe that attackers often reuse or rotate hosting infrastructures to host multiple malicious domains due to increased utilization of automation and economies of scale. Thus, it gives defenders the opportunity to monitor such infrastructure to identify newly hosted malicious domains. However, such infrastructures are often shared hosting environments where benign domains are also hosted, which could result in a prohibitive number of false positives. Therefore, one needs innovative mechanisms to better distinguish malicious domains from benign ones even when they share hosting infrastructures. In this work, we build MANTIS, a highly accurate practical system that not only generates daily blocklists of malicious domains but also is able to predict malicious domains on-demand. We design a network graph based on the hosting infrastructure that is accurate and generalizable over time. Consistently, our models achieve a precision of 99.7%, a recall of 86.9% with a very low false positive rate (FPR) of 0.1% and on average detects 19K new malicious domains per day, which is over 5 times the new malicious domains flagged daily in VirusTotal. Further, MANTIS predicts malicious domains days to weeks before they appear in popular blocklists.
Related papers
- Registration, Detection, and Deregistration: Analyzing DNS Abuse for Phishing Attacks [3.1043447355364813]
Phishing continues to pose a significant cybersecurity threat.
It is essential to address this fundamental challenge at the root, particularly in phishing domains.
Domain registration presents a crucial intervention point, as domains serve as the primary gateway between users and websites.
arXiv Detail & Related papers (2025-02-13T18:02:48Z)
- DomainDynamics: Lifecycle-Aware Risk Timeline Construction for Domain Names [2.6217304977339473]
DomainDynamics is a novel system designed to predict domain name risks by considering their lifecycle stages.
In an experiment involving over 85,000 actual malicious domains from malware and phishing incidents, DomainDynamics achieved an 82.58% detection rate with a low false positive rate of 0.41%.
arXiv Detail & Related papers (2024-10-02T23:33:13Z)
- Don't Get Hijacked: Prevalence, Mitigation, and Impact of Non-Secure DNS Dynamic Updates [1.135267457536642]
DNS dynamic updates represent an inherently vulnerable mechanism.
Non-secure DNS updates leave domains susceptible to a novel form of attack termed zone poisoning.
We undertook a comprehensive campaign involving the notification of Computer Security Incident Response Teams.
arXiv Detail & Related papers (2024-05-30T09:23:53Z)
- Robust Domain Misinformation Detection via Multi-modal Feature Alignment [49.89164555394584]
We propose a robust domain and cross-modal approach for multi-modal misinformation detection.
It reduces the domain shift by aligning the joint distribution of textual and visual modalities.
We also propose a framework that simultaneously considers application scenarios of domain generalization.
arXiv Detail & Related papers (2023-11-24T07:06:16Z)
- Measuring CDNs susceptible to Domain Fronting [2.609441136025819]
Domain fronting is a network communication technique that involves leveraging content delivery networks (CDNs) to disguise the final destination of network packets.
This technique can be used for both benign and malicious purposes, such as circumventing censorship or hiding malware-related communications from network security systems.
We propose a systematic approach to discover CDNs that are still prone to domain fronting.
arXiv Detail & Related papers (2023-10-27T02:04:19Z)
- Multi-Instance Adversarial Attack on GNN-Based Malicious Domain Detection [8.072660302473508]
Malicious domain detection (MDD) is an open security challenge that aims to detect if an Internet domain is associated with cyber-attacks.
GNN-based MDD uses DNS logs to represent Internet domains as nodes in a maliciousness graph (DMG).
We introduce MintA, an inference-time multi-instance adversarial attack on GNN-based MDDs.
arXiv Detail & Related papers (2023-08-22T19:51:16Z)
- DRSM: De-Randomized Smoothing on Malware Classifier Providing Certified Robustness [58.23214712926585]
We develop a certified defense, DRSM (De-Randomized Smoothed MalConv), by redesigning the de-randomized smoothing technique for the domain of malware detection.
Specifically, we propose a window ablation scheme to provably limit the impact of adversarial bytes while maximally preserving local structures of the executables.
We are the first to offer certified robustness in the realm of static detection of malware executables.
arXiv Detail & Related papers (2023-03-20T17:25:22Z)
- Model Barrier: A Compact Un-Transferable Isolation Domain for Model Intellectual Property Protection [52.08301776698373]
We propose a novel approach called Compact Un-Transferable Isolation Domain (CUTI-domain).
CUTI-domain acts as a barrier to block illegal transfers from authorized to unauthorized domains.
We show that CUTI-domain can be easily implemented as a plug-and-play module with different backbones.
arXiv Detail & Related papers (2023-03-20T13:07:11Z)
- Forget Less, Count Better: A Domain-Incremental Self-Distillation Learning Benchmark for Lifelong Crowd Counting [51.44987756859706]
Off-the-shelf methods have some drawbacks to handle multiple domains.
Lifelong Crowd Counting aims at alleviating the catastrophic forgetting and improving the generalization ability.
arXiv Detail & Related papers (2022-05-06T15:37:56Z)
- Domain Agnostic Learning for Unbiased Authentication [47.85174796247398]
We propose a domain-agnostic method that eliminates domain-difference without domain labels.
Latent domains are discovered by learning the heterogeneous predictive relationships between inputs and outputs.
We extend our method to a meta-learning framework to pursue more thorough domain-difference elimination.
arXiv Detail & Related papers (2020-10-11T14:05:16Z)
- Domain Balancing: Face Recognition on Long-Tailed Domains [49.4688709764188]
We propose a novel Domain Balancing (DB) mechanism to handle the long-tailed domain distribution problem.
In this paper, we first propose a Domain Frequency Indicator (DFI) to judge whether a sample is from head domains or tail domains.
Secondly, we formulate a light-weighted Residual Balancing Mapping (RBM) block to balance the domain distribution by adjusting the network according to DFI.
Finally, we propose a Domain Balancing Margin (DBM) in the loss function to further optimize the feature space of the tail domains to improve generalization.
arXiv Detail & Related papers (2020-03-30T20:16:31Z)
This list is automatically generated from the titles and abstracts of the papers in this site.