University of Twente Student Theses


Complete Characterization of Publicly Available Domain Blacklists

Lukman, Ivan (2019) Complete Characterization of Publicly Available Domain Blacklists.

Abstract: Domain names are not only used for benign purposes, like sharing information or buying and selling items. Numerous categories of cyber incidents, such as phishing, mail spamming, or distributing malicious software, also involve domain names. Domain blacklists (DBLs) aim to collect these malicious domains and store them in a list to lower the number of victims of cyber-crime. However, there are currently many different sources that publish blacklisted domain names, each with its own blacklisting methodology. In this study, the DBLs used were accessible for free on the Internet, meaning that anybody can access the blacklisted domain names without charge. This research aimed to provide a complete characterization of thirteen different publicly available DBLs, in terms of how well they document and maintain their database. This study is one of the first projects that completely characterizes multiple public DBLs. Similar previous studies have been conducted under different scenarios; one of them was related only to mail-spamming activities. Nevertheless, some of the approaches introduced there could still be applied to achieve the main goal of this research, which is to understand the maintenance and the documentation of public DBLs. This research shows that there is no perfect DBL. One of the metrics defined later in this report indicates that all public DBLs used in this research have false positives (blacklisted benign domains). In addition, not all of the blacklisted domain names were active at the time they were blacklisted; the reported malicious domain names might have been removed already. Another interesting result is that DBLs that publish a large number of domain names per day might not explain how the domain names got blacklisted, nor publish the details of the blacklisted domain names. One additional metric to investigate how well public DBLs are maintained is liveliness. This estimates the ratio of active machines among the domain names published by each DBL. Unfortunately, this metric needs special consideration and attention to be implemented. Firstly, the application is required to be efficient because of the massive number of blacklisted domain names per day. In addition, contacting a large number of malicious machines could raise problems, such as ethical and security concerns.
Item Type: Essay (Master)
Faculty: EEMCS: Electrical Engineering, Mathematics and Computer Science
Subject: 54 computer science
Programme: Computer Science MSc (60300)

