Inferential Analysis of Maliciously Registered Domains

Revision as of 19:26, 11 June 2024 by Christiane (Added content)

INFERMAL (Inferential Analysis of Maliciously Registered Domains) is a research project being carried out by KOR Labs and funded by ICANN. [1] The project aims to systematically analyze the preferences of cyberattackers and possible measures to mitigate malicious activities across top-level domains (TLDs). [2] This project is funded as a part of ICANN's Domain Name System (DNS) Security Threat Mitigation Program, which strives to make the Internet a safer place for end users by reducing the prevalence of DNS security threats across the Internet. It is supervised by ICANN's Office of the Chief Technology Officer Security, Stability, and Resiliency team. [3]

INFERMAL was created to expand knowledge in an area in which, for years, there has been anecdotal evidence: the suggestion that cybercriminals tend to exploit TLDs and registrars with low domain name registration prices. However, this hypothesis lacked concrete evidence and a systematic analysis of attackers' preferences. Each malicious actor may have their own criteria, with one favoring lower registration prices while another may target registrars with specific payment methods or free APIs for bulk domain registration.

Methodology

In this study, a comprehensive list of registration features and policies relevant to attackers is proposed for collection and analysis. These are categorized into three groups: registration features (e.g., access to the registration panel via API, ability to register in bulk, payment methods such as credit card, Bitcoin, or WebMoney, and retail pricing), proactive security (e.g., verification of contact information provided by the registrant), and reactive security (response to domain name abuse notifications).

Registration features offered by several dozen domain registrars are being collected, such as retail pricing (including promotions), available payment methods, and additional free features such as DNS service, email forwarding, number of email accounts, or TLS certificates. Most of the registration information is collected daily, so each maliciously registered domain can be associated with the registration features in force at the time of its registration. Properties that do not change often (e.g., access to the registration panel via API, ability to register in bulk) are collected manually or semi-manually.

Proactive security features require empirical verification. For example, sample domain names with random characters, containing special keywords, or misspelled versions of brand names will be registered. To measure reactive security, a set of experiments will be designed and evaluated to observe how registrars react to notifications of abusive domain names, i.e., whether they suspend domains promptly. It is suspected that uptimes (i.e., time between the notification and takedown) might be one of the factors that malicious actors consider when selecting a registrar and TLD to abuse.

Previous work analyzed the relationship between a limited number of security indicators, the structural properties of TLDs, and abuse at the level of gTLDs, whereas the approach proposed here allows a fine-grained analysis at the domain name level.

First, URLs blacklisted by reputable organizations such as the Anti-Phishing Working Group (APWG) are collected. This study focuses on domains that were maliciously registered rather than hacked websites. Then, the registration policies of the registrars (i.e., registration features, proactive and reactive security policies) at the time the malicious domain name was registered are assembled. The set of registration features preferred by attackers is systematically distilled using generalized linear models (GLMs) to assess their importance.
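The two steps described above (daily registrar feature snapshots joined to each blacklisted domain at its registration date, then a GLM over the resulting features) can be sketched end to end. The following is an added example in Python, not INFERMAL's own code: the registrar names, prices, blacklist entries and the 90-day registration-age rule used to separate malicious registrations from compromised sites are all constructed assumptions, and the Poisson GLM is fitted by iteratively reweighted least squares without the registration-volume offset a real analysis would need.

```python
"""Toy INFERMAL-style pipeline on constructed data (not project code).
All registrar names, prices, blacklist rows and the age cut-off are assumptions."""
import math
from bisect import bisect_right
from collections import Counter
from datetime import date

# Constructed feature snapshots per registrar: (effective date, retail price USD, API access 0/1).
# The project collects such features daily; a few dated rows stand in for that history.
SNAPSHOTS = {
    "cheapreg": [(date(2023, 1, 1), 0.99, 1), (date(2023, 6, 1), 1.49, 1)],
    "midreg":   [(date(2023, 1, 1), 8.99, 0), (date(2023, 6, 1), 8.99, 1)],
    "premreg":  [(date(2023, 1, 1), 14.99, 0)],
}

# Constructed blacklist feed: (domain, registrar, registration date, blacklisting date).
BLACKLIST = [
    ("a1.example", "cheapreg", date(2023, 2, 3), date(2023, 2, 5)),
    ("a2.example", "cheapreg", date(2023, 3, 10), date(2023, 3, 12)),
    ("a3.example", "cheapreg", date(2023, 4, 1), date(2023, 4, 9)),
    ("a4.example", "cheapreg", date(2023, 5, 30), date(2023, 6, 2)),
    ("b1.example", "cheapreg", date(2023, 6, 4), date(2023, 6, 6)),
    ("b2.example", "cheapreg", date(2023, 7, 1), date(2023, 7, 3)),
    ("b3.example", "cheapreg", date(2023, 9, 2), date(2023, 9, 2)),
    ("c1.example", "midreg",   date(2023, 3, 3), date(2023, 3, 30)),
    ("d1.example", "midreg",   date(2023, 7, 7), date(2023, 7, 9)),
    ("d2.example", "midreg",   date(2023, 8, 8), date(2023, 8, 10)),
    ("e1.example", "premreg",  date(2023, 4, 4), date(2023, 4, 6)),
    # Listed long after registration: treated as compromised sites, not malicious registrations.
    ("old1.example", "midreg",  date(2023, 1, 5), date(2023, 9, 1)),
    ("old2.example", "premreg", date(2023, 1, 9), date(2023, 10, 1)),
]
MAX_AGE_DAYS = 90  # assumed cut-off; the project's own classification rule is not on the page

def looks_maliciously_registered(entry):
    _, _, registered, listed = entry
    return (listed - registered).days <= MAX_AGE_DAYS

def features_at(registrar, reg_date):
    """Snapshot in force on reg_date: the latest one dated on or before it."""
    snaps = SNAPSHOTS[registrar]
    idx = bisect_right([s[0] for s in snaps], reg_date) - 1
    if idx < 0:
        raise ValueError(f"no feature snapshot for {registrar} on {reg_date}")
    return snaps[idx]

def solve(a, b):
    """Gauss-Jordan elimination with partial pivoting for the small normal equations."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                m[r] = [x - f * y for x, y in zip(m[r], m[col])]
    return [m[i][n] / m[i][i] for i in range(n)]

def poisson_glm(X, y, iters=50, tol=1e-10):
    """Poisson regression (log link) by IRLS; returns coefficients and fitted means."""
    p = len(X[0])
    mu = [yi + 0.1 for yi in y]                     # non-zero starting means
    eta = [math.log(m) for m in mu]
    beta = [0.0] * p
    for _ in range(iters):
        z = [e + (yi - m) / m for e, yi, m in zip(eta, y, mu)]   # working response
        xtwx = [[sum(m * xi[j] * xi[k] for xi, m in zip(X, mu)) for k in range(p)] for j in range(p)]
        xtwz = [sum(m * xi[j] * zi for xi, m, zi in zip(X, mu, z)) for j in range(p)]
        new = solve(xtwx, xtwz)
        eta = [sum(b * xj for b, xj in zip(new, xi)) for xi in X]
        mu = [math.exp(e) for e in eta]
        converged = max(abs(a - b) for a, b in zip(new, beta)) < tol
        beta = new
        if converged:
            break
    return beta, mu

def run_pipeline():
    kept = [e for e in BLACKLIST if looks_maliciously_registered(e)]
    # Map each malicious registration to the registrar's feature period at registration time.
    counts = Counter()
    for _, registrar, reg_date, _ in kept:
        counts[(registrar, features_at(registrar, reg_date))] += 1
    # One design row per registrar feature period (zero-count periods included): [1, log price, api].
    rows = [(reg, snap) for reg, snaps in SNAPSHOTS.items() for snap in snaps]
    X = [[1.0, math.log(snap[1]), float(snap[2])] for _, snap in rows]
    y = [counts[(reg, snap)] for reg, snap in rows]
    beta, mu = poisson_glm(X, y)
    return {"kept": len(kept), "counts": dict(counts), "beta": beta, "fitted": mu, "observed": y}

if __name__ == "__main__":
    r = run_pipeline()
    print(f"{r['kept']} of {len(BLACKLIST)} listed domains treated as malicious registrations")
    for name, b in zip(("intercept", "log(price)", "api"), r["beta"]):
        print(f"{name:>11}: {b:+.3f}")
```

On this constructed data the coefficient on log(price) comes out negative (cheaper periods attract more malicious registrations) and, as for any Poisson GLM with an intercept, the fitted means sum to the observed count at convergence; that identity is a cheap sanity check on the fitting code before trusting any coefficient.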

Project Timeline

The project was designed in three phases:

Phase 1: Mapping abusive domains to registration policies

By the end of November 2023, for chosen domain abuse blacklists such as APWG, malicious domains were extracted and mapped to their corresponding registration information at the time of their registration.

Phase 2: Analysis of proactive and reactive security measures

By July 2024, the analysis of preselected proactive security measures will be performed, including domain registrant data validation, strategies for blocking domain names containing, for example, keywords of the most abused services, and other proactive security measures. A study of uptimes will also be summarized.

Phase 3: Fine-grained inferential analysis of maliciously registered domains

Finally, by September 2024, a final report will be published, in the form of a research paper providing a fine-grained inferential analysis of maliciously registered domains using GLM modeling to determine driving factors of domain abuse. The project will also propose best practices to effectively mitigate abuse. (Source: https://korlabs.io/blog/infermal-investigating-cyber-attackers-preferences.html)

INFERMAL partners

Dr. Maciej Korczyński, co-founder of KOR Labs, will serve as the scientific consultant of the INFERMAL project. Dr. Samaneh Tajalizadehkhoob, Director of Security, Stability and Resiliency Research (SSR), is the scientific contact point for the INFERMAL project on the ICANN org side.

References