New gTLD Resolution Behavior Analysis and Malicious Domain Detection Method

Yang Donghui; Zeng Bin; Li Zhenyu

doi:10.7544/issn1000-1239.202220846

Journal of Computer Research and Development > 2024 > 61(4): 1038-1048. > DOI: 10.7544/issn1000-1239.202220846

Yang Donghui, Zeng Bin, Li Zhenyu. New gTLD Resolution Behavior Analysis and Malicious Domain Detection Method[J]. Journal of Computer Research and Development, 2024, 61(4): 1038-1048. DOI: 10.7544/issn1000-1239.202220846

Citation:

PDF (1276 KB)

New gTLD Resolution Behavior Analysis and Malicious Domain Detection Method

Yang Donghui^{1, 2,},
Zeng Bin^3, ,,
Li Zhenyu^{1, 2}

1.
Institute of Computing Technology, Chinese Academy of Sciences, Beijing 100190
2.
University of Chinese Academy of Sciences, Beijing 100049
3.
Changsha University, Changsha 410022

Funds: This work was supported by the National Natural Science Foundation of China (U20A20180, 62072437).

More Information

Author Bio:
Yang Donghui: born in 1994. PhD. His main research interests include the domain name system and Internet measurement

Zeng Bin: born in 1979. PhD. His main research interests include artificial intelligence for IT Operations, network security, and big data analysis

Li Zhenyu: born in 1980. PhD, professor. His main research interests include Internet measurement, network protocol and networked systems
Received Date: October 08, 2022
Revised Date: June 25, 2023
Available Online: January 29, 2024

Graphical Abstract

Abstract

Abstract

Since ICANN initiated the delegation of new generic top-level domains (new gTLDs) in 2013, more than a thousand of new gTLDs have been added to the domain name system (DNS). Previous work has shown that while new gTLD domains bring flexibility to registrants, they are also commonly used for malicious behavior because of their low registration costs, and it is important to identify malicious new gTLD domains. However, because of the unique characteristics (e.g., domain length) of new gTLD domains, the accuracy is low when applying existing malicious domain identification methods to malicious new gTLD domain identification. To address this issue, we first characterize the resolution behavior of new gTLD domains based on massive domain name resolution data from five aspects including the number of associated SLDs per new gTLD, query volume, query failure rate, content replication and hosting infrastructure sharing. Then we analyze the resolution behavior of malicious new gTLD domains and find their unique behavioral characteristics in terms of content hosting infrastructure concentration, the number of FQDNs per SLD, the number of queries, the distribution of end users’ network footprints, and the distribution of the length of SLDs. Finally, according to these features, we design a malicious new gTLD domain identification method based on random forest. The results of the experiment show that the proposed method achieves 94% accuracy, which is better than the existing malicious domain identification methods.
- domain name system (DNS),
- new gTLD,
- Internet measurement,
- behavior analysis,
- malicious domain detection

FullText(HTML)

References (20)

References

[1]	Korczynśki M, Wullink M, Tajalizadehkhoob S, et al. Cybercrime after the sunrise: A statistical analysis of DNS abuse in new gTLDs[C]//Proc of the 13th Asia Conf on Computer and Communications Security. New York: ACM, 2018: 609−623
[2]	樊昭杉,王青,刘俊荣,等. 域名滥用行为检测技术综述[J]. 计算机研究与发展,2022,59(11):2581−2605 Fan Zhaoshan, Wang Qing, Liu Junrong, et al. Survey on domain name abuse detection technology[J]. Journal of Computer Research and Development, 2022, 59(11): 2581−2605 (in Chinese)
[3]	Halvorson T, Der M F, Foster I, et al. From . academy to . zone: An analysis of the new TLD land rush[C]//Proc of the 15th Internet Measurement Conf. New York: ACM, 2015: 381−394
[4]	Chen Q A, Osterweil E, Thomas M, et al. MitM attack by name collision: Cause analysis and vulnerability assessment in the new gTLD era[C]//Proc of the 37th IEEE Symp on Security and Privacy (SP). Piscataway, NJ: IEEE, 2016: 675−690
[5]	Chen Q A, Thomas M, Osterweil E, et al. Client-side name collision vulnerability in the new gTLD era: A systematic study[C]//Proc of the 24th ACM SIGSAC Conf on Computer and Communications Security. New York: ACM, 2017: 941−956
[6]	Pouryousef S, Dar M D, Ahmad S, et al. Extortion or expansion? An investigation into the costs and consequences of ICANN’s gTLD experiments[G]//LNCS 12048: Proc of the 21st Int Conf on Passive and Active Measurement. Berlin: Springer, 2020: 141−157
[7]	Hao Shuang, Feamster N, Pandrangi R. Monitoring the initial DNS behavior of malicious domains[C]//Proc of the 11th Internet Measurement Conf. New York: ACM, 2011: 269−278
[8]	Hao Shuang, Kantchelian A, Miller B, et al. Predator: Proactive recognition and elimination of domain abuse at time-of-registration[C]//Proc of the 23rd ACM SIGSAC Conf on Computer and Communications Security. New York: ACM, 2016: 1568−1579
[9]	Manadhata P K, Yadav S, Rao P, et al. Detecting malicious domains via graph inference[C]// Proc of the 7th Workshop on Artificial Intelligent and Security Workshop. New York: ACM, 2014: 59−60
[10]	Schüppen S, Teubert D, Herrmann P, et al. FANCI: Feature-based automated NXdomain classification and intelligence[C]// Proc of the 27th USENIX Security Symp. Berkeley, CA: USENIX Association, 2018: 1165−1181
[11]	Yu Bin, Gray D L, Pan Jie, et al. Inline DGA detection with deep networks[C]//Proc of the 17th IEEE Int Conf on Data Mining Workshops (ICDMW). Piscataway, NJ: IEEE, 2017: 683−692
[12]	Lei Kai, Fu Qiuai, Ni Jiake, et al. Detecting malicious domains with behavioral modeling and graph embedding[C]//Proc of the 39th Int Conf on Distributed Computing Systems (ICDCS). Piscataway, NJ: IEEE, 2019: 601−611
[13]	greenSec GmbH. nTLDStats[EB/OL]. [2019-05-23]. https://ntldstats.com
[14]	nexB Inc. public suffix2 2.20191221[EB/OL]. [2020-03-01].https://pypi.org/project/publicsuffix2/
[15]	Gao Hongyu, Yegneswaran V, Chen Yan, et al. An empirical reexamination of global DNS behavior[C]//Proc of the 27th ACM SIGCOMM Conf. New York: ACM, 2013: 267−278
[16]	Ager B, Mühlbauer W, Smaragdakis G, et al. Web content cartography[C]//Proc of the 11th ACM SIGCOMM Internet Measurement Conf. New York: ACM, 2011: 585−600
[17]	Fagin R, Kumar R, Sivakumar D. Comparing top k lists[J]. SIAM Journal on Discrete Mathematics, 2003, 17(1): 134−160 doi: 10.1137/S0895480102412856
[18]	McCown F, Nelson M L. Agreeing to disagree: Search engines and their public interfaces[C]//Proc of the 7th ACM/IEEE-CS Joint Conf on Digital Libraries. New York: ACM, 2007: 309−318
[19]	Callahan T, Allman M, Rabinovich M. On modern DNS behavior and properties[J]. ACM SIGCOMM Computer Communication Review, 2013, 43(3): 7−15 doi: 10.1145/2500098.2500100
[20]	Allman M. Putting DNS in context[C]//Proc of the 20th Internet Measurement Conf. New York: ACM, 2020: 309−316

Cited By

Cited by

Periodical cited type(7)

1.	冯杨洋，汪庆，舒继武. 大模型时代下的存储系统挑战与技术发展. 大数据. 2025(01): 79-91 .
2.	栾昊立，王晓东，杨锐，郝建宇，赵铭浩，尹祖新，王丽琼. AI智算发展对高速光模块的应用需求研究. 邮电设计技术. 2024(06): 7-11 .
3.	刘少堃，何仲廉，李彬，李超峰. 基于大模型的电子病历自动生成系统的设计与应用探讨. 中国数字医学. 2024(08): 8-13 .
4.	孙一尧，刘馨，刘晓丹，李琳. 人工智能应用设计创新与非物质文化遗产结合——以新疆毛皮画推广APP为例. 鞋类工艺与设计. 2024(15): 151-153 .
5.	童俊杰，申佳，赫罡，张奎. 运营商智算中心建设思路及方案. 邮电设计技术. 2024(09): 68-73 .
6.	丛凯，陈宏，苏征，任心钰，黄若铖，李国. 人工智能大模型在电子政务中的应用研究. 中国信息界. 2024(06): 92-94 .
7.	赵明江，刘艳梅，杨婧一，张星奎，贾占宇. 基于非Transformer架构大模型的技术研究及应用探索. 电力大数据. 2024(06): 11-21 .