University of Twente Student Theses


SIDekICk - Detecting Malicious Domain Names in the .nl Zone

Müller, M. C. (2015) SIDekICk - Detecting Malicious Domain Names in the .nl Zone.

[img] PDF
Abstract:The Domain Name System (DNS) plays a central role in the Internet. It allows the translation of human-readable domain names to (alpha-) numeric IP addresses in a fast and reliable manner. However, domain names not only allow Internet users to access benign services on the Internet but are used by hackers and other criminals as well, for example to host phishing campaigns, to distribute malware, and to coordinate botnets. Registry operators, which are managing top-level domains (TLD) like .com, .net or .nl, disapprove theses kinds of usage of their domain names because they could harm the reputation of their zone and would consequentially lead to loss of income and an insecure Internet as a whole. Up to today, only little research has been conducted with the intention to fight malicious domains from the view of a TLD registry. This master thesis focuses on the detection of malicious domain names for the .nl country code TLD. Therefore, we analyse the characteristics of known malicious .nl domains which have been used for phishing and by botnets. We confirm findings from previous research in .com and .net and evaluate novel characteristics including query patterns for domains in quarantine and recursive resolver relations. Based on this analysis, we have developed a prototype of a detection system called SIDekICk. It is able to detect newly registered phishing domains and other online scams as soon as they propagate through the Internet with a false positive rate of 0,3 percent. It relies solely on features that can be collected from the vantage point of any TLD registry like DNS query patterns, geographic features of querying resolvers, and domain registration information. A second component of SIDekICk reports suspicious domain names that were formerly used for benign purposes but might have been compromised to become part of a malware infection chain or a phishing campaign. This component demonstrates that DNS traffic analysis has the potential to detect compromised domains as well and in this thesis, we suggest additional features to improve the detection rate.
Item Type:Essay (Master)
SIDN, Arnhem, Netherlands
Faculty:EEMCS: Electrical Engineering, Mathematics and Computer Science
Subject:54 computer science
Programme:Computer Science MSc (60300)
Link to this item:
Export this item as:BibTeX
HTML Citation
Reference Manager


Repository Staff Only: item control page