Home / News

New Technique Detects and Eliminates Abusive Domains at Time of Registration

Research from PREDATOR showing samples of brand-new registered spammer domains and blacklisting delays; some delays as long as several weeks, or even several months

A team of researchers from Princeton University and the University of California has developed a machine-learning algorithm named PREDATOR that can accurately establish domain reputation at the time of domain registration.

PREDATOR which stands for 'Proactive Recognition and Elimination of Domain Abuse at Time-Of-Registration,' is based on the notion that criminals need to obtain many domains to ensure profitability and attack agility, leading to abnormal registration behaviors such as burst registrations and textually similar names. "The intuition has always been that the way that malicious actors use online resources somehow differs fundamentally from the way legitimate actors use them," says Princeton University computer science professor Nick Feamster — one of the researchers who worked on the project. "We were looking for those signals: what is it about a domain name that makes it automatically identifiable as a bad domain name?"

The research team which, in addition to Feamster, included recently graduated Ph.D. student Shuang Hao, Alex Kantchelian and Vern Paxson from the University of California-Berkeley and Brad Miller from Google, presented their paper at the 2016 ACM Conference on Computer and Communications Security on Oct. 27. They explained:

"Miscreants register thousands of new domains every day to launch Internet-scale attacks, such as spam, phishing, and drive-by downloads. Quickly and accurately determining a domain's reputation (association with malicious activity) provides a powerful tool for mitigating threats and protecting users. Yet, existing domain reputation systems work by observing domain use (e.g., lookup patterns, content hosted) — often too late to prevent miscreants from reaping benefits of the attacks that they launch. ... Our results show that PREDATOR can provide more accurate and earlier detection compared to existing blacklists, and significantly reduce the number of suspicious domains requiring more resource-intensive or time-consuming inspection."

PREDATOR was evaluated using registration logs of second-level .com and .net domains over five months and was found achieving 70% detection rate with a false positive rate of 0.35%. Although the performance is not perfect, the group believes their system "enables prioritizing domains for subsequent, detailed analysis, and to find more malicious pages given a fixed amount of resources (e.g., via URL crawlers or human-involved identification)."

As valuable as conducting research studies such as PREDATOR are, Feamster has expressed concerns over looming restriction concerns as a result of the new upcoming Federal Communications Commission (FCC) privacy rules not may have unintended consequences within the research community. "Although the forthcoming rulemaking targets the collection, use, and sharing of customer data with 'third parties,' an important — and oft-forgotten — facet of this discussion is that (1) ISPs rely on the collection, use, and sharing of CPNI to operate and secure their networks and (2) network researchers (myself included) rely on this data to conduct our research." See Feamster's post published earlier today.

By CircleID Reporter – CircleID's internal staff reporting on news tips and developing stories. Do you have information the professional Internet community should be aware of? Contact us. Visit Page

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet


 Be the first to post a comment!

Add Your Comments

 To post your comments, please login or create an account.



Threat Intelligence

Sponsored byWhoisXML API

IPv4 Markets

Sponsored byIPXO

Domain Names

Sponsored byVerisign

Domain Management

Sponsored byMarkMonitor


Sponsored byVerisign

Brand Protection

Sponsored byAppdetex