University of Twente Student Theses

Detecting Combosquat Domains using Active DNS Measurements : communication of incident severity between customers and analysts in a SOC

Jansen, Joost (2019) Detecting Combosquat Domains using Active DNS Measurements : communication of incident severity between customers and analysts in a SOC.

Abstract: Domain squatting is a phenomenon where attackers register domains that mimic popular domains and/or trademarks in order to trick people into believing they are visiting a legitimate website. A distinct form of domain squatting is combosquatting: adding one or more words to an existing domain or trademark to craft a new domain. Think of http://utwente-login.nl as a combosquat domain for the original domain utwente.nl. A literature study revealed that a lot of research has been performed in the field of malicious domain detection, but none of it specifically tackles the problem of combosquatting domains. Given this gap, combined with the active DNS measurements available from the OpenINTEL project, research was initiated that aimed at creating a model to detect these combosquat domains. At first, it was investigated whether a generic detection model for combosquat domains existed. After a validation, implementation and evaluation phase involving a ground truth dataset of 10.548 labeled domains, it became clear that no generic fingerprint of combosquat domains could be created from the data that was available. This led to the conclusion that it is extremely difficult to construct a generic model for detecting combosquat domains without a predefined list of trademarks. The next part of the research focused on the lifecycle of combosquat domains, more specifically in which stages of the kill chain they reside and which features could be used to determine when a combosquat domain turns malicious. Finally, a model trained on the information from the sub-questions was designed and validated in a real-world context. The results showed that detecting combosquat domains turning malicious based on active DNS measurements alone is not sufficient. Future work includes the use of additional data sources and a bigger responsibility for registrars.
Item Type: Essay (Master)
Clients: Fox-IT, Delft, The Netherlands
Faculty: EEMCS: Electrical Engineering, Mathematics and Computer Science
Subject: 54 computer science
Programme: Computer Science MSc (60300)
Link to this item: https://purl.utwente.nl/essays/79244