Comparison of DNS Based Methods for Detecting Malicious Domains

  • Eyal Paz
  • Ehud GudesEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 12161)


The Domain Name System (DNS) is an essential component of the internet infrastructure, used to translates domain names into IP addresses. Threat actors often abuse this system by registering and taking over thousands of Internet domains every day. These serve to launch various types of cyber-attacks, such as spam, phishing, botnets, and drive-by downloads. Currently, the main countermeasure addressing such threat is reactive blacklisting. Since cyber-attacks are mainly performed for short periods, reactive methods are usually too late and hence ineffective. As a result, new approaches to early identification of malicious websites are needed. In the recent decade, many novel papers were published offering systems to calculate domain reputation for domains that are not listed in common black-lists. This research implements three such approaches and evaluates their effectiveness in detecting malicious phishing domains. The social network analysis technique performed best, as it achieved a 60.71% detection rate with a false positive rate of only 0.35%.


Cyber security DNS Reputation system Attack Phishing Social network analysis Privacy-preserving security 


  1. 1.
    Weimer, F.: Passive DNS replication. In: Proceedings of FIRST Conference on Computer Security Incident, p. 98 (2005)Google Scholar
  2. 2.
    Bilge, L., Kirda, E., Kruegel, C., Balduzzi, M.: EXPOSURE: finding malicious domains using passive DNS analysis. In: Proceedings of NDSS, pp. 1–17 (2011)Google Scholar
  3. 3.
    Antonakakis, M., Perdisci, R., Dagon, D., Lee, W., Feamster, N.: Building a dynamic reputation system for DNS. In: Proceedings of USENIX Security Symposium, pp. 273–290 (2010)Google Scholar
  4. 4.
    Gao, H., et al.: An empirical reexamination of global DNS behavior. In: Proceedings of the ACM SIGCOMM 2013 Conference, pp. 267–278 (2013)Google Scholar
  5. 5.
    Hao, S., Kantchelian, A., Miller, B., Paxson, V., Feamster, N.: PREDATOR: proactive recognition and elimination of domain abuse at time-of-registration. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 1568–1579 (2016)Google Scholar
  6. 6.
    Page, L., Brin, S., Motwani, R., Winograd, T.: The PageRank citation ranking: bringing order to the web. Stanford InfoLab (1999)Google Scholar
  7. 7.
    Sunil, A.N.V., Sardana, A.: A pagerank based detection technique for phishing web sites. In: Proceedings of 2012 IEEE Symposium on Computers & Informatics (ISCI), pp. 58–63. IEEE (2012)Google Scholar
  8. 8.
    Mishsky, I., Gal-Oz, N., Gudes, E.: A topology based flow model for computing domain reputation. In: Samarati, P. (ed.) DBSec 2015. LNCS, vol. 9149, pp. 277–292. Springer, Cham (2015). Scholar
  9. 9.
    Marchal, S., François, J., State, R., Engel, T.: Proactive discovery of phishing related domain names. In: Balzarotti, D., Stolfo, S.J., Cova, M. (eds.) RAID 2012. LNCS, vol. 7462, pp. 190–209. Springer, Heidelberg (2012). Scholar

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  1. 1.The Open University of IsraelRaananaIsrael
  2. 2.Department of Computer ScienceBen-Gurion UniversityBeer-ShevaIsrael

Personalised recommendations