Heuristic Methods for Efficient Identification of Abusive Domain Names

International Journal On Cyber Situational Awareness (IJCSA)

ISSN: (Print) 2057-2182 ISSN: (Online) 2057-2182

DOI: 10.22619/IJCSA

Published Semi-annually. Est. 2014


Dr Cyril Onwubiko, Chair – Cyber Security & Intelligence, E-Security Group, Research Series, London, UK; IEEE UK & Ireland Section Secretary

Associate Editors:

Professor Frank Wang, Head of School / Professor of Future Computing, Chair IEEE Computer Society, UK&RI, School of Computing, University of Kent, Canterbury, UK

Professor Karen Renaud, Professor of Cyber Security, University of Abertay, Dundee, Scotland, UK

Heuristic Methods for Efficient Identification of Abusive Domain Names

Egon Kidmose, Erwin Lansing, Søren Brandbyge, Jens Myrup Pedersen


Domain names and the Domain Name System (DNS) are essential to the Internet, but unfortunately cyber-criminals also make use of these to fulfill their nefarious agenda and gain illicit profit. In this work we survey known forms of domain and DNS abuse from the criminal business point of view. We relate this to abusive techniques, which we also survey. Based on the theoretical understanding of the abusive techniques, we devise a set of practical heuristics for recognising said techniques. This enables a focused and efficient manual analysis of heuristically ranked domains, with the goal of identifying abusive domains. As the .dk Country Code Top-Level Domain has received little scrutiny in the past, but is believed to see only limited abuse, it represents a relevant and presumably challenging case for identifying abuse, and we therefore use it for evaluation. WHOIS data is collected for 10.000 second level domains for 66 days, heuristics are applied, and the resulting rankings guide a manual vetting. Our findings are that with automated heuristics we can limit the manual investigative effort to hours, and still identify 5 domains which are actively abused during our observation period.

Keyword: DNS, Domain Name, Abuse, Heuristics, Top-Level Domain

ISSN: 2057-2182

Volume 3. No. 1

DOI: 10.22619/IJCSA.2018.100123

Date: Dec. 2018

Reference to this paper should be made as follows: Kidmose, E., Lansing, E., Brandbyge, S., & Pedersen, J. M. (2018). Heuristic methods for efficient identification of abusive domain names. International Journal on Cyber Situational Awareness, Vol. 3, No. 1, pp 121-142.

PDF Download