Detecting Malicious Domain Names with Abnormal WHOIS Records Using Feature-Based Rules

Yanan Cheng; Tingting Chai; Zhaoxin Zhang; Keyu Lu; Yuejin Du

doi:10.1093/comjnl/bxab062

Detecting Malicious Domain Names with Abnormal WHOIS Records Using Feature-Based Rules

Yanan Cheng
, Tingting Chai
, Zhaoxin Zhang^*
, Keyu Lu
, Yuejin Du

^*Corresponding author for this work

Faculty of Computing, Harbin Institute of Technology
Qihoo 360 Technology Co. Ltd

Research output: Contribution to journal › Article › peer-review

8 Scopus citations

Abstract

Millions of new domain names are registered every day, but a large proportion of them are malicious and usually discovered and blacklisted after the crime has been committed. In order to improve the security of domain name registration, this paper proposes a lightweight detection method based on the AdaBoost to identify malicious domain names, which focuses on proactively detecting malicious domain names by exploring the abnormal WHOIS records. The domain name registries and registrars can adopt the proposed method as the first layer of defense to identify malicious domains on the domain registration stage. Extensive experiments on a large-scale database demonstrate that the proposed approach achieves satisfactory results on various malicious domain names.

Original language	English
Pages (from-to)	2262-2275
Number of pages	14
Journal	Computer Journal
Volume	65
Issue number	9
DOIs	https://doi.org/10.1093/comjnl/bxab062
State	Published - 1 Sep 2022
Externally published	Yes

UN SDGs

This output contributes to the following UN Sustainable Development Goals (SDGs)

SDG 16 Peace, Justice and Strong Institutions

Keywords

AdaBoost
WHOIS records
malicious domain detection

Access to Document

10.1093/comjnl/bxab062

Cite this

@article{1a6466f7fabb4524bbe302fe59904942,

title = "Detecting Malicious Domain Names with Abnormal WHOIS Records Using Feature-Based Rules",

abstract = "Millions of new domain names are registered every day, but a large proportion of them are malicious and usually discovered and blacklisted after the crime has been committed. In order to improve the security of domain name registration, this paper proposes a lightweight detection method based on the AdaBoost to identify malicious domain names, which focuses on proactively detecting malicious domain names by exploring the abnormal WHOIS records. The domain name registries and registrars can adopt the proposed method as the first layer of defense to identify malicious domains on the domain registration stage. Extensive experiments on a large-scale database demonstrate that the proposed approach achieves satisfactory results on various malicious domain names.",

keywords = "AdaBoost, WHOIS records, malicious domain detection",

author = "Yanan Cheng and Tingting Chai and Zhaoxin Zhang and Keyu Lu and Yuejin Du",

note = "Publisher Copyright: {\textcopyright} 2021 The British Computer Society.",

year = "2022",

month = sep,

day = "1",

doi = "10.1093/comjnl/bxab062",

language = "英语",

volume = "65",

pages = "2262--2275",

journal = "Computer Journal",

issn = "0010-4620",

publisher = "Oxford University Press",

number = "9",

}

TY - JOUR

T1 - Detecting Malicious Domain Names with Abnormal WHOIS Records Using Feature-Based Rules

AU - Cheng, Yanan

AU - Chai, Tingting

AU - Zhang, Zhaoxin

AU - Lu, Keyu

AU - Du, Yuejin

PY - 2022/9/1

Y1 - 2022/9/1

N2 - Millions of new domain names are registered every day, but a large proportion of them are malicious and usually discovered and blacklisted after the crime has been committed. In order to improve the security of domain name registration, this paper proposes a lightweight detection method based on the AdaBoost to identify malicious domain names, which focuses on proactively detecting malicious domain names by exploring the abnormal WHOIS records. The domain name registries and registrars can adopt the proposed method as the first layer of defense to identify malicious domains on the domain registration stage. Extensive experiments on a large-scale database demonstrate that the proposed approach achieves satisfactory results on various malicious domain names.

AB - Millions of new domain names are registered every day, but a large proportion of them are malicious and usually discovered and blacklisted after the crime has been committed. In order to improve the security of domain name registration, this paper proposes a lightweight detection method based on the AdaBoost to identify malicious domain names, which focuses on proactively detecting malicious domain names by exploring the abnormal WHOIS records. The domain name registries and registrars can adopt the proposed method as the first layer of defense to identify malicious domains on the domain registration stage. Extensive experiments on a large-scale database demonstrate that the proposed approach achieves satisfactory results on various malicious domain names.

KW - AdaBoost

KW - WHOIS records

KW - malicious domain detection

UR - https://www.scopus.com/pages/publications/85156160188

U2 - 10.1093/comjnl/bxab062

DO - 10.1093/comjnl/bxab062

M3 - 文章

AN - SCOPUS:85156160188

SN - 0010-4620

VL - 65

SP - 2262

EP - 2275

JO - Computer Journal

JF - Computer Journal

IS - 9

ER -

Detecting Malicious Domain Names with Abnormal WHOIS Records Using Feature-Based Rules

Abstract

UN SDGs

Keywords

Access to Document

Other files and links

Fingerprint

Cite this