Modeling malicious domain name take-down dynamics: Why eCrime pays

  • Jonathan M. Spring
  • Published 1 September 2013
  • Computer Science
  • 2013 APWG eCrime Researchers Summit
Domain names drive the ubiquitous use of the Internet. Criminals and adversaries also use domain names for their enterprise. Defenders compete to remove or block such malicious domains. This is a complicated space on the Internet to measure comprehensively, as the malicious actors attempt to hide, the defenders do not like to share data or methods, and what data is public is not consistently formatted. This paper derives an ad hoc model of this competition on large, decentralized networks using… 

Global adversarial capability modeling

A model of global capability advancement, the adversarial capability chain (ACC), is proposed to fit the need for cyber risk analysis to better understand the costs for an adversary to attack a system, which directly influences the cost to defend it.

Domain Name Lifetimes: Baseline and Threats

This paper focuses on ten prominent TLDs and observes that under most of them the vast majority of lifetimes (95%) last exactly the minimum registration term of one year; it also identifies lifetimes that are suspiciously short-lived.

Open-source Measurement of Fast-flux Networks While Considering Domain-name Parking

This paper demonstrates a repeatable method for open-source measurement of fast-flux and domain parking, and measures representative trends over 5 years to help defenders better interrupt them.
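The entry above is about telling fast-flux apart from domain parking in open-source data. The script below is an added illustration for this listing, not code from that paper: it runs two heuristics over a constructed set of passive-DNS rows (name, address, origin ASN, TTL). The rows, ASNs and all thresholds are assumptions chosen for the toy data. The order of the checks is the point: a parking provider that rotates many addresses would satisfy a naive flux rule, so the parking test (an address that serves many unrelated names) runs first.

```python
"""Separate fast-flux names from parked names in passive-DNS data.

Added example; not code from any paper cited on this page. Observations,
ASNs and thresholds are constructed for illustration.
"""
from collections import defaultdict
from statistics import mean
from typing import Dict, List, Set, Tuple

# Constructed passive-DNS observations: (name, ip, asn, ttl), one row per
# distinct A record seen for the name during the measurement window.
PDNS: List[Tuple[str, str, int, int]] = [
    # flux-like: six addresses in five ASNs, five-minute TTL
    ("flux.example", "198.51.100.10", 64500, 300),
    ("flux.example", "198.51.100.77", 64501, 300),
    ("flux.example", "203.0.113.5", 64502, 300),
    ("flux.example", "203.0.113.99", 64503, 300),
    ("flux.example", "192.0.2.40", 64504, 300),
    ("flux.example", "192.0.2.41", 64504, 300),
    # parked: many unrelated names share one provider address
    ("park1.example", "192.0.2.200", 64510, 3600),
    ("park2.example", "192.0.2.200", 64510, 3600),
    ("park3.example", "192.0.2.200", 64510, 3600),
    ("park4.example", "192.0.2.200", 64510, 3600),
    ("park4.example", "192.0.2.201", 64510, 3600),
    # ordinary site: one address, one-day TTL
    ("www.example", "198.51.100.1", 64520, 86400),
]

# Assumed thresholds for the toy data; a real study would fit them to its corpus.
FLUX_MIN_IPS = 5            # distinct addresses seen for one name
FLUX_MIN_ASNS = 3           # distinct origin ASNs behind those addresses
FLUX_MAX_TTL = 600          # seconds; flux records are short-lived
PARK_MIN_NAMES_PER_IP = 4   # an address serving this many names looks like a parker


def index(records):
    """Group rows by name and record which names each address serves."""
    by_name: Dict[str, List[Tuple[str, int, int]]] = defaultdict(list)
    names_per_ip: Dict[str, Set[str]] = defaultdict(set)
    for name, ip, asn, ttl in records:
        by_name[name].append((ip, asn, ttl))
        names_per_ip[ip].add(name)
    return by_name, names_per_ip


def features(name, by_name):
    """Per-name counts that a flux rule looks at."""
    rows = by_name[name]
    return {
        "ips": len({ip for ip, _, _ in rows}),
        "asns": len({asn for _, asn, _ in rows}),
        "mean_ttl": mean(ttl for _, _, ttl in rows),
    }


def classify(name, by_name, names_per_ip):
    """Return 'parked', 'fast-flux' or 'stable' for one name."""
    ips = {ip for ip, _, _ in by_name[name]}
    # Parking first: a parker that rotates many addresses would otherwise
    # pass the flux rule below.
    parker_ips = sum(1 for ip in ips if len(names_per_ip[ip]) >= PARK_MIN_NAMES_PER_IP)
    if parker_ips / len(ips) >= 0.5:
        return "parked"
    f = features(name, by_name)
    if f["ips"] >= FLUX_MIN_IPS and f["asns"] >= FLUX_MIN_ASNS and f["mean_ttl"] <= FLUX_MAX_TTL:
        return "fast-flux"
    return "stable"


def classify_all(records):
    by_name, names_per_ip = index(records)
    return {name: classify(name, by_name, names_per_ip) for name in by_name}


if __name__ == "__main__":
    for name, verdict in sorted(classify_all(PDNS).items()):
        print(f"{name:15s} {verdict}")
```

On real passive-DNS data the names-per-address signal needs the whole corpus, not just the names under study, because a parker's addresses only look crowded when every name they serve is counted.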

The Ecosystem of Detection and Blocklisting of Domain Generation

A repeatable evaluation and comparison of the available open source detection methods is presented and it is recommended that Domain Generation Algorithm detection should also be similarly narrowly targeted to specific algorithms and specific malware families, rather than attempting to create general-purpose detection for machine-generated domains.

Blacklist Ecosystem Analysis Update: 2014

The results suggest that each blacklist describes a distinct sort of malicious activity, and support the assertion that blacklisting is not a sufficient defense; an organization needs other defensive measures to add depth, such as gray listing, behavior analysis, criminal penalties, speed bumps, and organization-specific white lists.

Blacklist Ecosystem Analysis: Spanning Jan 2012 to Jun 2014

The results suggest that each blacklist describes a distinct sort of malicious activity and that even merging all lists there is no global ground truth to acquire.

Cyberfraud and the implications for effective risk-based responses: themes from UK research

The nature of the risk or threat posed by ‘cyberfraud’ - fraud with a cyber dimension – is examined empirically based on data reported by the public and business to Action Fraud. These are used to

Beyond the pretty penny: the Economic Impact of Cybercrime

This article assesses the shortcomings of existing cost estimates and proposes a theoretical framework to systematically identify the short and long-term impacts of cyber crime both at the agent and societal level, which serves as the foundation to assess the economic consequences of cybercrime beyond monetary costs by focusing on the impact on economic growth.

Thinking about intrusion kill chains as mechanisms

The result demonstrates that model accuracy can be improved by incorporating methods from philosophy of science and that mechanistic modeling of computer security incidents points toward areas for substantive improvement for computer security professionals.

Why Jenny can't figure out which of these messages is a covert information operation

We view foreign interference in US and UK elections via social manipulation through the lens of usable security. Our goal is to provide advice on what interventions on the socio-technical election
Building a Dynamic Reputation System for DNS

Notos, a dynamic reputation system for DNS, is proposed on the premise that malicious, agile use of DNS has unique characteristics and can be distinguished from legitimate, professionally provisioned DNS services.

EXPOSURE: Finding Malicious Domains Using Passive DNS Analysis

This paper introduces EXPOSURE, a system that employs large-scale, passive DNS analysis techniques to detect domains that are involved in malicious activity, and uses 15 features that it extracts from the DNS traffic that allow it to characterize different properties of DNS names and the ways that they are queried.

Detecting Malware Domains at the Upper DNS Hierarchy

Kopis passively monitors DNS traffic at the upper levels of the DNS hierarchy, and is able to accurately detect malware domains by analyzing global DNS query resolution patterns.

Large Scale DNS Traffic Analysis of Malicious Internet Activity with a Focus on Evaluating the Response Time of Blocking Phishing Sites

It is found that there is significant overlap between the automatically identified fast-flux sites and those sites on the block list, and the initial indication is that finding and listing phishing sites is the bottleneck in propagating data to protect consumers from malicious phishing sites.

Click Trajectories: End-to-End Analysis of the Spam Value Chain

This paper quantifies the full set of resources employed to monetize spam email -- including naming, hosting, payment and fulfillment -- using extensive measurements of three months of diverse spam data, broad crawling of naming and hosting infrastructures, and over 100 purchases from spam-advertised sites.

On the Potential of Proactive Domain Blacklisting

The potential of leveraging properties inherent to domain registrations and their appearance in DNS zone files to predict the malicious use of domains proactively is explored, using only minimal observation of known-bad domains to drive inference.

Correlating domain registrations and DNS first activity in general and for malware

Comparing the registration-to-activity pattern of domains used by malicious software with that of ordinary domains, the malicious domains are found to have a significantly different pattern.
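Two entries in this listing measure domain lifecycle timing: "Domain Name Lifetimes: Baseline and Threats" (share of lifetimes at exactly the one-year minimum term, and suspiciously short ones) and the entry just above (lag between registration and first DNS activity, compared between malware and ordinary domains). The script below is an added example that computes both over a constructed record set; it is not code from either paper. The records, their benign/malware labels and the SHORT_LIFETIME_DAYS threshold are assumptions.

```python
"""Registration lifetimes and registration-to-first-activity lags.

Added example for this listing, not code from the cited papers. Records,
labels and SHORT_LIFETIME_DAYS are constructed assumptions.
"""
from collections import defaultdict
from datetime import date
from statistics import median
from typing import Dict, List, NamedTuple, Optional


class DomainRecord(NamedTuple):
    name: str
    created: date              # registration date from the zone/WHOIS record
    deleted: Optional[date]    # None if still registered when the window ended
    first_dns: Optional[date]  # first passive-DNS sighting, None if never seen
    label: str                 # constructed ground truth: "benign" or "malware"


# Constructed records; dates chosen to show each case, not taken from any study.
RECORDS: List[DomainRecord] = [
    DomainRecord("shop-a.com", date(2012, 1, 10), date(2013, 1, 10), date(2012, 2, 20), "benign"),
    DomainRecord("shop-b.com", date(2012, 3, 5), date(2013, 3, 5), date(2012, 5, 1), "benign"),
    DomainRecord("shop-c.com", date(2012, 4, 1), None, date(2012, 6, 15), "benign"),
    DomainRecord("club-d.org", date(2012, 2, 14), date(2013, 2, 14), date(2012, 4, 1), "benign"),
    DomainRecord("c2-e.com", date(2012, 6, 1), date(2012, 6, 4), date(2012, 6, 1), "malware"),
    DomainRecord("c2-f.com", date(2012, 7, 10), date(2013, 7, 10), date(2012, 7, 11), "malware"),
    DomainRecord("c2-g.org", date(2012, 8, 20), date(2012, 8, 22), date(2012, 8, 20), "malware"),
    DomainRecord("c2-h.info", date(2012, 9, 1), None, None, "malware"),
]

SHORT_LIFETIME_DAYS = 5  # assumption: dropped within days of creation is suspicious


def tld(name: str) -> str:
    return name.rsplit(".", 1)[-1]


def add_one_year(d: date) -> date:
    """Same calendar day next year; 29 Feb falls back to 28 Feb."""
    try:
        return d.replace(year=d.year + 1)
    except ValueError:
        return d.replace(year=d.year + 1, day=28)


def lifetime_days(rec: DomainRecord) -> Optional[int]:
    return None if rec.deleted is None else (rec.deleted - rec.created).days


def is_minimum_term(rec: DomainRecord) -> bool:
    """Lifetime equals exactly the one-year minimum registration term."""
    return rec.deleted is not None and rec.deleted == add_one_year(rec.created)


def is_suspiciously_short(rec: DomainRecord) -> bool:
    lt = lifetime_days(rec)
    return lt is not None and lt <= SHORT_LIFETIME_DAYS


def lifetime_summary(records) -> Dict[str, Dict[str, float]]:
    """Per TLD, over completed lifetimes only: count, share at the minimum
    term, and number of suspiciously short lifetimes."""
    per_tld: Dict[str, List[DomainRecord]] = defaultdict(list)
    for rec in records:
        if rec.deleted is not None:
            per_tld[tld(rec.name)].append(rec)
    return {
        t: {
            "completed": len(rs),
            "share_min_term": sum(map(is_minimum_term, rs)) / len(rs),
            "suspicious": sum(map(is_suspiciously_short, rs)),
        }
        for t, rs in per_tld.items()
    }


def activity_lag_days(rec: DomainRecord) -> Optional[int]:
    """Days from registration to first observed DNS activity."""
    return None if rec.first_dns is None else (rec.first_dns - rec.created).days


def median_lag_by_label(records) -> Dict[str, float]:
    """Median registration-to-activity lag for each ground-truth label."""
    lags: Dict[str, List[int]] = defaultdict(list)
    for rec in records:
        lag = activity_lag_days(rec)
        if lag is not None:
            lags[rec.label].append(lag)
    return {label: median(v) for label, v in lags.items()}


if __name__ == "__main__":
    for t, stats in sorted(lifetime_summary(RECORDS).items()):
        print(t, stats)
    print(median_lag_by_label(RECORDS))
```

Domains still registered at the end of the window are right-censored and are left out of the lifetime shares; a domain never seen in passive DNS contributes no lag. Both omissions bias the numbers and should be reported alongside them.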

The Economics of Online Crime

This paper will focus on online crime, which has taken off as a serious industry since about 2004. Until then, much of the online nuisance came from amateur hackers who defaced websites and wrote

Examining the impact of website take-down on phishing

Empirical data on phishing website removal times and the number of visitors that the websites attract are analyzed, and it is concluded that website removal is part of the answer to phishing, but it is not fast enough to completely mitigate the problem.
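The entry above and the "Large Scale DNS Traffic Analysis ..." entry earlier both measure how long phishing sites stay reachable relative to when they are reported, listed and removed. The script below is an added example of that kind of timeline accounting over constructed incidents; it is not the measurement code of either paper, nor the model of the page's main paper. Incident timestamps, victim-traffic rates and the observation window end are assumptions. It splits expected visitors into those who arrived before any blocklist entry existed and those a blocklist could have warned while the site was still up, which is where the "removal is not fast enough" finding shows up numerically.

```python
"""Stage lags and victim exposure in phishing take-down timelines.

Added example for this listing, not code from the cited papers. Incidents,
traffic rates and WINDOW_END are constructed.
"""
from datetime import datetime
from statistics import median
from typing import Dict, List, NamedTuple, Optional


class PhishIncident(NamedTuple):
    url: str
    first_seen: datetime          # site observed live (e.g. first spam sighting)
    reported: datetime            # report reaches the takedown/blocklist operator
    listed: Optional[datetime]    # entry appears on a blocklist, None if never
    removed: Optional[datetime]   # site taken down, None if still up at window end
    visits_per_hour: float        # constructed rate of would-be victims


WINDOW_END = datetime(2013, 3, 1)  # constructed end of the observation window

# Constructed incidents, one per pattern: fast path, slow discovery,
# removed but never listed, listed but still up.
INCIDENTS: List[PhishIncident] = [
    PhishIncident("hxxp://a.example/login", datetime(2013, 2, 1, 0), datetime(2013, 2, 1, 6),
                  datetime(2013, 2, 1, 8), datetime(2013, 2, 2, 6), 10.0),
    PhishIncident("hxxp://b.example/verify", datetime(2013, 2, 3, 0), datetime(2013, 2, 5, 0),
                  datetime(2013, 2, 5, 12), datetime(2013, 2, 7, 0), 5.0),
    PhishIncident("hxxp://c.example/secure", datetime(2013, 2, 10, 0), datetime(2013, 2, 10, 12),
                  None, datetime(2013, 2, 11, 12), 20.0),
    PhishIncident("hxxp://d.example/update", datetime(2013, 2, 20, 0), datetime(2013, 2, 21, 0),
                  datetime(2013, 2, 21, 6), None, 2.0),
]


def hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600


def stage_lags(inc: PhishIncident) -> Dict[str, Optional[float]]:
    """Hours in each stage: discovery (live -> reported),
    listing (reported -> on blocklist), removal (reported -> taken down)."""
    return {
        "discovery": hours(inc.first_seen, inc.reported),
        "listing": hours(inc.reported, inc.listed) if inc.listed else None,
        "removal": hours(inc.reported, inc.removed) if inc.removed else None,
    }


def exposure(inc: PhishIncident) -> Dict[str, float]:
    """Expected visitors while the site was reachable, split into those who
    arrived before any blocklist entry existed and those a blocklist could
    have warned (site still up, but listed)."""
    end = inc.removed or WINDOW_END
    listed_at = min(inc.listed, end) if inc.listed else end
    return {
        "unprotected": hours(inc.first_seen, listed_at) * inc.visits_per_hour,
        "blocklist_covered": hours(listed_at, end) * inc.visits_per_hour,
    }


def summarize(incidents: List[PhishIncident]) -> Dict[str, float]:
    """Median stage lags and total exposure across a set of incidents."""
    lags = {k: [] for k in ("discovery", "listing", "removal")}
    total = {"unprotected": 0.0, "blocklist_covered": 0.0}
    for inc in incidents:
        for k, v in stage_lags(inc).items():
            if v is not None:
                lags[k].append(v)
        for k, v in exposure(inc).items():
            total[k] += v
    out = {f"median_{k}_h": median(v) for k, v in lags.items() if v}
    out.update(total)
    out["still_up"] = sum(1 for inc in incidents if inc.removed is None)
    return out


if __name__ == "__main__":
    for k, v in summarize(INCIDENTS).items():
        print(f"{k:25s} {v:.1f}")
```

The "unprotected" total is dominated by discovery lag, the time before anyone has reported the site, which no blocklist or takedown can shorten; that is the bottleneck the earlier entry points at. Sites never removed accumulate exposure until the window ends, so the window length is itself a parameter of the result.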

Evil Searching: Compromise and Recompromise of Internet Hosts for Phishing

It is found that 19% of phishing websites are recompromised within six months, and the rate of recompromise is much higher if they have been identified through web search, which means at least 18% of website compromises are triggered by these searches.