SIDEKICKSuspicious Domain Classification

Master Thesisat SIDN

by Moritz Mueller

2015-08-14 2

Agenda

● Misuse of Domain Names

● Malicious domains in .nl

● Malicious Domain Characteristics

● What does SIDEKICK do?

● Outlook

Misuse of Domain Names

2015-08-14 4

Redirection, Exploitation, Infection

redirect 3

redirect 2init.nl

redirect 121

infection.nl

3

Exploit Kit Infection Chain

2015-08-14 5

Command and Control

C&C Address Resolution and Communication

2015-08-14 6

Motivation for SIDN

TRUST

REPUTATION

OVERAL INTERNET SECURITY

2015-08-14 7

Phishing

Age of .nl phishing domains

one week or younger

between one week and one year

one year or older

1.923 domains

2015-08-14 8

Botnets

Known Botnet Domains

Sinkhole

Quarantainenet

Other Sources

82 domains

2015-08-14 9

Malicious Domain Characteristics

2015-08-14 10

Geographic Characteristics

95,5 % Dutch registrants

88,5 % Dutch content

2015-08-14 11

Query Origin

US NL RU DE CN GB FR BE BR CA TW IT PL IE JP ES CZ IN HK UA AU FI TR0%

5%

10%

15%

20%

25%

30%

Benign .nl Domains

2015-08-14 12

Query Origin

US NL RU DE CN GB FR BE BR CA TW IT PL IE JP ES CZ IN HK UA AU FI TR0%

5%

10%

15%

20%

25%

30%

Andromeda DomainsBenign .nl Domains

2015-08-14 13

Query Frequency

2015-05-01 2015-05-310

100000

200000

300000

400000

Date

Qu

eri

es

Popular .nl domains

2015-08-14 14

Query Frequency

Date

Qu

eri

es

Flashback-Botnet domains

0

500

1000

1500

2000

2014-11-20 2014-12-19

2015-08-14 15

2015-05-01 2015-05-310

100

200

300

Query FrequencyQ

ueri

es

Unpopular .nl domains

Date

2015-08-14 16

Query FrequencyQ

ueri

es

0

100

200

Day

New benign domains

2015-08-14 17

Query FrequencyQ

ueri

es

0

100

200

Day

New phishing domainsNew benign domains

2015-08-14 18

MedianMean

In Quarantine Free0

10

20

30

Domains in QuarantineQ

ueri

es

2015-08-14 19

Catching Bad Domains With SIDEKICK sksk

2015-08-14 20

General Approach

xyz.nl 789.nl

opq.nl

Geo Peak Growth

123.nl ijk.nl

abc.nl

Geo Peak Growth ukn.nl

?

Training Classification

Good1 2 4

3

2015-08-14 21

General Approach

xyz.nl 789.nl

opq.nl

Geo Peak Growth

123.nl ijk.nl

abc.nl

Geo Peak Growth ukn.nl

?

Training Classification

Good1 2 4

3

2015-08-14 22

SIDEKICK ArchitectureNew Domains

● 61.000 Domains classified

● 33 Malicious domains detected

● False Positive Rate 0,3 %

More domains detected than by

professional Phishing Feed

2015-08-14 23

SIDEKICK ArchitectureOld Domains

● 1,7 Million Domains Classified

● 14.000 Malicious domains detected

Can't verify suspicious domains

2015-08-14 24

Next Steps

2015-08-14 25

Improvements

● Early Detection

● Additional Features

● Non-DNS-related sources (Social Media,

Search Engines, CMS and Webserver)

● EDNS Client Subnet Extension

● Resolver Reputation

2015-08-14 26

Outlook

● Post Detection

– Block Content

● Google Safe Browsing, Netcraft

– Notify (Registrant, Registrar, Web-Hosting-Firm)

● Post Suspicion

– Cooperation

2015-08-14 27

SIDEKICK

Thank You For Your Attention

● Based on geographic

location and query

patterns

● Effective detection of

new domains

● Detection of suspicious

compromised domains sk