DOCSLIB.ORG

Early Detection of Spam-Related Activity

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Early Detection of Spam-Related Activity EARLY DETECTION OF SPAM-RELATED ACTIVITY A Thesis Presented to The Academic Faculty by Shuang Hao In Partial Fulfillment of the Requirements for the Degree Doctor of Philosophy in the School of Computer Science Georgia Institute of Technology December 2014 Copyright c 2014 by Shuang Hao EARLY DETECTION OF SPAM-RELATED ACTIVITY Approved by: Professor Nick Feamster, Advisor Professor Mostafa Ammar School of Computer Science School of Computer Science Georgia Institute of Technology Georgia Institute of Technology Professor Vern Paxson Dr. Christian Kreibich Department of Electrical Engineering Senior Research Scientist and Computer Sciences International Computer Science Institute University of California, Berkeley & In- & Lastline, Inc. ternational Computer Science Institute Professor Wenke Lee Date Approved: 22 October 2014 School of Computer Science Georgia Institute of Technology To my dear family, Thank you for all of your love, support and encouragements. iii ACKNOWLEDGEMENTS This thesis would not have been completed without the invaluable support, guidance, and inspiration I have received from many people during my Ph.D. study. My sincere gratitude goes to my advisor, Prof. Nick Feamster, for his caring guidance and consistent support. He led me on this exciting and fruitful journey, encouraged me to explore research topics, and provided me with both insightful advice and intellectual help. His boundless enthusiasm always inspires my passion for our work. He taught me indispens- able research skills including picking problems, crafting solutions, presenting to audiences, and cultivating research taste. I feel extremely fortunate to have had the opportunity to work with him closely for many years. The example he set up as a wonderful researcher and teacher will continue to light my way in my future career. I am deeply grateful to Prof. Vern Paxson for mentoring me during my summer in- ternships at ICSI. His valuable knowledge and constructive suggestions helped me to better address the research problems, and guided me to learn to think more critically and creatively as a scientist. The detailed suggestions and comments that he gave on earlier versions of this dissertation greatly helped me to improve my work. I would like to thank the members of my committee, Prof. Wenke Lee, Prof. Mostafa Ammar, and Dr. Christian Kreibich, for their interest and help in my work. Prof. Wenke Lee has offered insightful suggestions through my study at Georgia Tech. Prof. Mostafa Ammar gave thought-provoking feedback on my thesis. Dr. Christian Kreibich helped me to understand the details of spam campaigns, and provided great advice during my internships at ICSI. I also wish to express my gratitude to all coauthors and collaborators for their support and assitance, which makes the research much stronger and solid. I have also been very fortunate to be a member of an excellent networking research group at Georgia Tech. I wish to thank Anirudh Ramachandran, Mukarram bin Tariq, Murtaza Motiwala, Valas Valancius, Sam Burnett, Srikanth Sundaresan, Robert Lychev, Hyojoon iv Kim, Yogesh Mundada, Bilal Anwer, Maria Konte, Ben Jones, Sean Donovan, Sarthak Grover, and Mi Seon Park for their valuable discussions and feedback on the research, and thank Cong Shi, Samantha Lo, Nan Hua, Tongqing Qiu, Partha Kanuparthy, and Ahmed Mansy for getting the lab life enjoyable and enriching. Their friendship and company has made my years at Georgia Tech full of wonderful memories. I dedicate this dissertation to my family. My parents, my brother Yang, and my grand- parents have always been supportive, loving, and encouraging. I am deeply indebted to them. v TABLE OF CONTENTS DEDICATION ...................................... iii ACKNOWLEDGEMENTS .............................. iv LIST OF TABLES ................................... x LIST OF FIGURES .................................. xi SUMMARY ........................................ xiii I INTRODUCTION ................................. 1 1.1 Spam: A Widespread Security Threat . .1 1.2 Detecting Spam-Related Activity: Why Is It Hard? . .4 1.3 Approach Overview . .5 1.4 Contributions . .6 1.5 Lessons Learned . .9 1.6 Bibliographic Notes . 10 II BACKGROUND AND RELATED WORK ................. 11 2.1 The Evolution and Components of Spam . 11 2.2 Detection Methods . 13 2.2.1 Content-based Detection . 13 2.2.2 Sender-based Detection . 14 2.2.3 DNS-based Detection . 14 2.2.4 Web-based Detection . 16 2.2.5 Other Mitigation Methods and Effort . 16 III SNARE: FILTERING SPAM WITH NETWORK-LEVEL FEATURES 18 3.1 Introduction . 18 3.2 Background . 21 3.2.1 Email Sender Reputation Systems . 21 3.2.2 Data and Deployment Scenario . 22 3.2.3 Supervised Learning: RuleFit . 24 3.3 Network-level Features . 26 3.3.1 Single-Packet Features . 27 vi 3.3.2 Single-Header and Single-Message Features . 33 3.3.3 Aggregate Features . 35 3.4 Evaluating the Reputation Engine . 36 3.4.1 Setup . 36 3.4.2 Accuracy of Reputation Engine . 38 3.4.3 Other Considerations . 40 3.5 A Spam-Filtering System . 44 3.5.1 System Overview . 44 3.5.2 Evaluation . 46 3.6 Discussion and Limitations . 48 3.6.1 Evasion-Resistance and Robustness . 48 3.6.2 Other Limitations . 50 3.7 Summary . 51 IV MONITORING THE INITIAL DNS LOOKUPS AND HOSTING OF SPAMMER DOMAINS ............................. 52 4.1 Introduction . 52 4.2 Context and Data Collection . 54 4.2.1 DNS Resource Records and Lookups . 54 4.2.2 Data Collection . 55 4.3 Registration & Resource Records . 57 4.3.1 Time Between Registration and Attack . 57 4.3.2 Location of DNS Infrastructure . 58 4.4 Early Lookup Behavior . 62 4.4.1 Network-Wide Patterns . 63 4.4.2 Evolution of Lookup Traffic . 64 4.5 Summary . 65 V UNDERSTANDING THE DOMAIN REGISTRATION BEHAVIOR OF SPAMMERS .................................... 67 5.1 Introduction . 67 5.2 Background: DNS Registration Process and Life Cycle . 69 5.3 Data Collection . 71 vii 5.4 Longevity of Spammer Domains . 73 5.4.1 Age of Domains Used for Spamming . 73 5.4.2 Duration-of-Use in Spam Campaigns . 74 5.4.3 Lifetime of Recently Registered Domains . 75 5.5 Spam Domain Infrastructure . 77 5.5.1 Registrars Used for Spammer Domains . 77 5.5.2 Authoritative Nameservers . 79 5.6 Detecting Registration Spikes . 82 5.6.1 Bulk Registrations by Spammers . 82 5.6.2 Detecting Abnormal Registration Batches . 84 5.6.3 Refining Threshold Probabilities . 88 5.7 Domain Registration Patterns . 89 5.7.1 Domain Categories . 90 5.7.2 Prevalence of Registration Patterns . 90 5.7.3 Retread Registration Patterns . 92 5.7.4 Naming Patterns for Brand-New Domains . 94 5.8 Summary . 95 VI PREDATOR: PROACTIVE DETECTION OF SPAMMER DOMAINS AT TIME-OF-REGISTRATION ........................ 97 6.1 Introduction . 97 6.2 Architecture . 99 6.2.1 Design Goals . 99 6.2.2 Operation . 100 6.3 Feature Extraction . 101 6.3.1 Case Study of Spammer Domain Registrations . 101 6.3.2 Domain Profile Features . 104 6.3.3 Life Cycle Features . 108 6.3.4 Batch Correlation Features . 109 6.4 Classifier Design . 111 6.4.1 Supervised Learning: CPM . 111 6.4.2 Building Detection Models . 112 viii 6.4.3 Assessing Feature Importance . 113 6.5 Evaluation . 114 6.5.1 Data Set and Labels . 114 6.5.2 Detection Accuracy . 115 6.5.3 Comparison to Existing Blacklists . 119 6.5.4 Feature Ranking . 124 6.6 Discussion . 125 6.6.1 Actionable Policies . 125 6.6.2 Evasion Resistance . 126 6.7 Summary . 127 VII CONCLUDING REMARKS .......................... 128 7.1 Summary of Contributions . 128 7.2 Future Work . 130 REFERENCES ..................................... 132 ix LIST OF TABLES 1 Description of data used from the McAfee dataset. 22 2 SNARE performance using RuleFit....................... 37 3 Ranking of feature importance in SNARE.................... 41 4 Mutual information among features in SNARE................. 42 5 DNZA format examples. 55 6 Top three ASes containing domains' records. 61 7 Five largest clusters based on lookup networks. 63 8 Summary of data feeds in the domain registration analysis. 71 9 Monthly data statistics of .com domain registrations. 71 10 The 10 registrars with the greatest number of spammer domains. 77 11 Top nameservers hosting spammer domains. 81 12 Epoch examples from registrar Moniker. 103 13 Domain examples from registrar Moniker. 104 14 Summary of.
Load more

Recommended publications
  • Search Engine Optimization: a Survey of Current Best Practices
    Grand Valley State University ScholarWorks@GVSU Technical Library School of Computing and Information Systems 2013 Search Engine Optimization: A Survey of Current Best Practices Niko Solihin Grand Valley Follow this and additional works at: https://scholarworks.gvsu.edu/cistechlib ScholarWorks Citation Solihin, Niko, "Search Engine Optimization: A Survey of Current Best Practices" (2013). Technical Library. 151. https://scholarworks.gvsu.edu/cistechlib/151 This Project is brought to you for free and open access by the School of Computing and Information Systems at ScholarWorks@GVSU. It has been accepted for inclusion in Technical Library by an authorized administrator of ScholarWorks@GVSU. For more information, please contact [email protected]. Search Engine Optimization: A Survey of Current Best Practices By Niko Solihin A project submitted in partial fulfillment of the requirements for the degree of Master of Science in Computer Information Systems at Grand Valley State University April, 2013 _______________________________________________________________________________ Your Professor Date Search Engine Optimization: A Survey of Current Best Practices Niko Solihin Grand Valley State University Grand Rapids, MI, USA [email protected] ABSTRACT 2. Build and maintain an index of sites’ keywords and With the rapid growth of information on the web, search links (indexing) engines have become the starting point of most web-related 3. Present search results based on reputation and rele- tasks. In order to reach more viewers, a website must im- vance to users’ keyword combinations (searching) prove its organic ranking in search engines. This paper intro- duces the concept of search engine optimization (SEO) and The primary goal is to e↵ectively present high-quality, pre- provides an architectural overview of the predominant search cise search results while efficiently handling a potentially engine, Google.
    [Show full text]
  • Click Trajectories: End-To-End Analysis of the Spam Value Chain
    Click Trajectories: End-to-End Analysis of the Spam Value Chain ∗ ∗ ∗ ∗ z y Kirill Levchenko Andreas Pitsillidis Neha Chachra Brandon Enright Mark´ Felegyh´ azi´ Chris Grier ∗ ∗ † ∗ ∗ Tristan Halvorson Chris Kanich Christian Kreibich He Liu Damon McCoy † † ∗ ∗ Nicholas Weaver Vern Paxson Geoffrey M. Voelker Stefan Savage ∗ y Department of Computer Science and Engineering Computer Science Division University of California, San Diego University of California, Berkeley z International Computer Science Institute Laboratory of Cryptography and System Security (CrySyS) Berkeley, CA Budapest University of Technology and Economics Abstract—Spam-based advertising is a business. While it it is these very relationships that capture the structural has engendered both widespread antipathy and a multi-billion dependencies—and hence the potential weaknesses—within dollar anti-spam industry, it continues to exist because it fuels a the spam ecosystem’s business processes. Indeed, each profitable enterprise. We lack, however, a solid understanding of this enterprise’s full structure, and thus most anti-spam distinct path through this chain—registrar, name server, interventions focus on only one facet of the overall spam value hosting, affiliate program, payment processing, fulfillment— chain (e.g., spam filtering, URL blacklisting, site takedown). directly reflects an “entrepreneurial activity” by which the In this paper we present a holistic analysis that quantifies perpetrators muster capital investments and business rela- the full set of resources employed to monetize spam email— tionships to create value. Today we lack insight into even including naming, hosting, payment and fulfillment—using extensive measurements of three months of diverse spam data, the most basic characteristics of this activity. How many broad crawling of naming and hosting infrastructures, and organizations are complicit in the spam ecosystem? Which over 100 purchases from spam-advertised sites.
    [Show full text]
  • Prospects, Leads, and Subscribers
    PAGE 2 YOU SHOULD READ THIS eBOOK IF: You are looking for ideas on finding leads. Spider Trainers can help You are looking for ideas on converting leads to Marketing automation has been shown to increase subscribers. qualified leads for businesses by as much as 451%. As You want to improve your deliverability. experts in drip and nurture marketing, Spider Trainers You want to better maintain your lists. is chosen by companies to amplify lead and demand generation while setting standards for design, You want to minimize your list attrition. development, and deployment. Our publications are designed to help you get started, and while we may be guilty of giving too much information, we know that the empowered and informed client is the successful client. We hope this white paper does that for you. We look forward to learning more about your needs. Please contact us at 651 702 3793 or [email protected] . ©2013 SPIDER TRAINERS PAGE 3 TAble Of cOnTenTS HOW TO cAPTure SubScriberS ...............................2 HOW TO uSe PAiD PrOGrAMS TO GAin Tipping point ..................................................................2 SubScriberS ...........................................................29 create e mail lists ...........................................................3 buy lists .........................................................................29 Pop-up forms .........................................................4 rent lists ........................................................................31 negative consent
    [Show full text]
  • Fully Automatic Link Spam Detection∗ Work in Progress
    SpamRank – Fully Automatic Link Spam Detection∗ Work in progress András A. Benczúr1,2 Károly Csalogány1,2 Tamás Sarlós1,2 Máté Uher1 1 Computer and Automation Research Institute, Hungarian Academy of Sciences (MTA SZTAKI) 11 Lagymanyosi u., H–1111 Budapest, Hungary 2 Eötvös University, Budapest {benczur, cskaresz, stamas, umate}@ilab.sztaki.hu www.ilab.sztaki.hu/websearch Abstract Spammers intend to increase the PageRank of certain spam pages by creating a large number of links pointing to them. We propose a novel method based on the concept of personalized PageRank that detects pages with an undeserved high PageRank value without the need of any kind of white or blacklists or other means of human intervention. We assume that spammed pages have a biased distribution of pages that contribute to the undeserved high PageRank value. We define SpamRank by penalizing pages that originate a suspicious PageRank share and personalizing PageRank on the penalties. Our method is tested on a 31 M page crawl of the .de domain with a manually classified 1000-page stratified random sample with bias towards large PageRank values. 1 Introduction Identifying and preventing spam was cited as one of the top challenges in web search engines in a 2002 paper [24]. Amit Singhal, principal scientist of Google Inc. estimated that the search engine spam industry had a revenue potential of $4.5 billion in year 2004 if they had been able to completely fool all search engines on all commercially viable queries [36]. Due to the large and ever increasing financial gains resulting from high search engine ratings, it is no wonder that a significant amount of human and machine resources are devoted to artificially inflating the rankings of certain web pages.
    [Show full text]
  • Clique-Attacks Detection in Web Search Engine for Spamdexing Using K-Clique Percolation Technique
    International Journal of Machine Learning and Computing, Vol. 2, No. 5, October 2012 Clique-Attacks Detection in Web Search Engine for Spamdexing using K-Clique Percolation Technique S. K. Jayanthi and S. Sasikala, Member, IACSIT Clique cluster groups the set of nodes that are completely Abstract—Search engines make the information retrieval connected to each other. Specifically if connections are added task easier for the users. Highly ranking position in the search between objects in the order of their distance from one engine query results brings great benefits for websites. Some another a cluster if formed when the objects forms a clique. If website owners interpret the link architecture to improve ranks. a web site is considered as a clique, then incoming and To handle the search engine spam problems, especially link farm spam, clique identification in the network structure would outgoing links analysis reveals the cliques existence in web. help a lot. This paper proposes a novel strategy to detect the It means strong interconnection between few websites with spam based on K-Clique Percolation method. Data collected mutual link interchange. It improves all websites rank, which from website and classified with NaiveBayes Classification participates in the clique cluster. In Fig. 2 one particular case algorithm. The suspicious spam sites are analyzed for of link spam, link farm spam is portrayed. That figure points clique-attacks. Observations and findings were given regarding one particular node (website) is pointed by so many nodes the spam. Performance of the system seems to be good in terms of accuracy. (websites), this structure gives higher rank for that website as per the PageRank algorithm.
    [Show full text]
  • Passive Monitoring of DNS Anomalies Bojan Zdrnja1, Nevil Brownlee1, and Duane Wessels2
    Passive Monitoring of DNS Anomalies Bojan Zdrnja1, Nevil Brownlee1, and Duane Wessels2 1 University of Auckland, New Zealand, b.zdrnja,nevil @auckland.ac.nz { } 2 The Measurement Factory, Inc., [email protected] Abstract. We collected DNS responses at the University of Auckland Internet gateway in an SQL database, and analyzed them to detect un- usual behaviour. Our DNS response data have included typo squatter domains, fast flux domains and domains being (ab)used by spammers. We observe that current attempts to reduce spam have greatly increased the number of A records being resolved. We also observe that the data locality of DNS requests diminishes because of domains advertised in spam. 1 Introduction The Domain Name System (DNS) service is critical for the normal functioning of almost all Internet services. Although the Internet Protocol (IP) does not need DNS for operation, users need to distinguish machines by their names so the DNS protocol is needed to resolve names to IP addresses (and vice versa). The main requirements on the DNS are scalability and availability. The DNS name space is divided into multiple zones, which are a “variable depth tree” [1]. This way, a particular DNS server is authoritative only for its (own) zone, and each organization is given a specific zone in the DNS hierarchy. A complete domain name for a node is called a Fully Qualified Domain Name (FQDN). An FQDN defines a complete path for a domain name starting on the leaf (the host name) all the way to the root of the tree. Each node in the tree has its label that defines the zone.
    [Show full text]
  • Sidekick Suspicious Domain Classification in the .Nl Zone
    Master Thesis as part of the major in Security & Privacy at the EIT Digital Master School SIDekICk SuspIcious DomaIn Classification in the .nl Zone delivered by Moritz C. M¨uller [email protected] at the University of Twente 2015-07-31 Supervisors: Andreas Peter (University of Twente) Maarten Wullink (SIDN) Abstract The Domain Name System (DNS) plays a central role in the Internet. It allows the translation of human-readable domain names to (alpha-) numeric IP addresses in a fast and reliable manner. However, domain names not only allow Internet users to access benign services on the Internet but are used by hackers and other criminals as well, for example to host phishing campaigns, to distribute malware, and to coordinate botnets. Registry operators, which are managing top-level domains (TLD) like .com, .net or .nl, disapprove theses kinds of usage of their domain names because they could harm the reputation of their zone and would consequen- tially lead to loss of income and an insecure Internet as a whole. Up to today, only little research has been conducted with the intention to fight malicious domains from the view of a TLD registry. This master thesis focuses on the detection of malicious domain names for the .nl country code TLD. Therefore, we analyse the characteristics of known malicious .nl domains which have been used for phishing and by botnets. We confirm findings from previous research in .com and .net and evaluate novel characteristics including query patterns for domains in quar- antine and recursive resolver relations. Based on this analysis, we have developed a prototype of a detection system called SIDekICk.
    [Show full text]
  • Proactive Cyberfraud Detection Through Infrastructure Analysis
    PROACTIVE CYBERFRAUD DETECTION THROUGH INFRASTRUCTURE ANALYSIS Andrew J. Kalafut Submitted to the faculty of the Graduate School in partial fulfillment of the requirements for the degree Doctor of Philosophy in Computer Science Indiana University July 2010 Accepted by the Graduate Faculty, Indiana University, in partial fulfillment of the requirements of the degree of Doctor of Philosophy. Doctoral Minaxi Gupta, Ph.D. Committee (Principal Advisor) Steven Myers, Ph.D. Randall Bramley, Ph.D. July 19, 2010 Raquel Hill, Ph.D. ii Copyright c 2010 Andrew J. Kalafut ALL RIGHTS RESERVED iii To my family iv Acknowledgements I would first like to thank my advisor, Minaxi Gupta. Minaxi’s feedback on my research and writing have invariably resulted in improvements. Minaxi has always been supportive, encouraged me to do the best I possibly could, and has provided me many valuable opportunities to gain experience in areas of academic life beyond simply doing research. I would also like to thank the rest of my committee members, Raquel Hill, Steve Myers, and Randall Bramley, for their comments and advice on my research and writing, especially during my dissertation proposal. Much of the work in this dissertation could not have been done without the help of Rob Henderson and the rest of the systems staff. Rob has provided valuable data, and assisted in several other ways which have ensured my experiments have run as smoothly as possible. Several members of the departmental staff have been very helpful in many ways. Specifically, I would like to thank Debbie Canada, Sherry Kay, Ann Oxby, and Lucy Battersby.
    [Show full text]
  • I Wish to Thank the United States Department of Commerce's
    Comments from Danny Younger Introduction: I wish to thank the United States Department of Commerce’s National Telecommunications and Information Administration for this opportunity to comment on the continuation of the transition of the technical coordination and management of the Internet’s domain name and addressing system to the private sector. As a member of the public that has had the honor of serving as an elected Chair of the General Assembly of the Domain Name Supporting Organization of the Internet Corporation for Assigned Names and Numbers, I sincerely appreciate your posting of a Notice of Inquiry and wish to share with you my thoughts on the transition process as an individual that has tracked ICANN-related matters on a regular basis for the last six years. It has been said that “ICANN may not be the world’s most unpopular organization, but if it had consciously set out to make itself loathed it could hardly have been more successful.”1 I share that assessment. ICANN, the organization selected to embody the principles set forth in the White Paper2 is almost universally reviled. From my vantage point as a long-time ICANN participant, I have come to conclude that this passionate loathing has a single root cause: we detest ICANN because it has not remained true to the White Paper’s noble vision – rather than striving to become an organization committed to private, bottom-up coordination operating for the benefit of the Internet community as a whole, ICANN has chosen instead to focus its attention exclusively upon that select stakeholder community that feeds its coffers – it has become primarily a registry-registrar Guild Manager.
    [Show full text]
  • Understanding and Combating Link Farming in the Twitter Social Network
    Understanding and Combating Link Farming in the Twitter Social Network Saptarshi Ghosh Bimal Viswanath Farshad Kooti IIT Kharagpur, India MPI-SWS, Germany MPI-SWS, Germany Naveen K. Sharma Gautam Korlam Fabricio Benevenuto IIT Kharagpur, India IIT Kharagpur, India UFOP, Brazil Niloy Ganguly Krishna P. Gummadi IIT Kharagpur, India MPI-SWS, Germany ABSTRACT Web, such as current events, news stories, and people’s opin- Recently, Twitter has emerged as a popular platform for ion about them. Traditional media, celebrities, and mar- discovering real-time information on the Web, such as news keters are increasingly using Twitter to directly reach au- stories and people’s reaction to them. Like the Web, Twitter diences in the millions. Furthermore, millions of individual has become a target for link farming, where users, especially users are sharing the information they discover over Twit- spammers, try to acquire large numbers of follower links in ter, making it an important source of breaking news during the social network. Acquiring followers not only increases emergencies like revolutions and disasters [17, 23]. Recent the size of a user’s direct audience, but also contributes to estimates suggest that 200 million active Twitter users post the perceived influence of the user, which in turn impacts 150 million tweets (messages) containing more than 23 mil- the ranking of the user’s tweets by search engines. lion URLs (links to web pages) daily [3,28]. In this paper, we first investigate link farming in the Twit- As the information shared over Twitter grows rapidly, ter network and then explore mechanisms to discourage the search is increasingly being used to find interesting trending activity.
    [Show full text]
  • Fast-Flux Botnet Detection Based on Traffic Response and Search Engines Credit Worthiness
    ISSN 1330-3651 (Print), ISSN 1848-6339 (Online) https://doi.org/10.17559/TV-20161012115204 Original scientific paper Fast-Flux Botnet Detection Based on Traffic Response and Search Engines Credit Worthiness Davor CAFUTA, Vlado SRUK, Ivica DODIG Abstract: Botnets are considered as the primary threats on the Internet and there have been many research efforts to detect and mitigate them. Today, Botnet uses a DNS technique fast-flux to hide malware sites behind a constantly changing network of compromised hosts. This technique is similar to trustworthy Round Robin DNS technique and Content Delivery Network (CDN). In order to distinguish the normal network traffic from Botnets different techniques are developed with more or less success. The aim of this paper is to improve Botnet detection using an Intrusion Detection System (IDS) or router. A novel classification method for online Botnet detection based on DNS traffic features that distinguish Botnet from CDN based traffic is presented. Botnet features are classified according to the possibility of usage and implementation in an embedded system. Traffic response is analysed as a strong candidate for online detection. Its disadvantage lies in specific areas where CDN acts as a Botnet. A new feature based on search engine hits is proposed to improve the false positive detection. The experimental evaluations show that proposed classification could significantly improve Botnet detection. A procedure is suggested to implement such a system as a part of IDS. Keywords: Botnet; fast-flux; IDS 1 INTRODUCTION locations DoS attack against the web site becomes very difficult as it must be effective on every server in the field The Domain Name System (DNS) is a hierarchical [7, 8].
    [Show full text]
  • Outcomes Report of the GNSO Ad Hoc Group on Domain Tasting
    GNSO Outcomes Report on Domain Tasting Doc. No.: Date: 2007/02/04 4 October, 2007 OUTCOMES REPORT OF THE GNSO AD HOC GROUP ON DOMAIN NAME TASTING 4 October 2007 Group Chair: Mike Rodenbaugh ICANN Staff: Olof Nordling, Patrick Jones STATUS OF THIS DOCUMENT This is the final version of the Outcomes Report from the GNSO ad hoc group on Domain Name Tasting, submitted to the GNSO Council on 4 October, 2007. GNSO Outcomes Report on Domain Tasting v1.6 Authors: Mike Rodenbaugh, [email protected] , Olof Nordling, [email protected] , Patrick Jones, [email protected], Page 1 of 144 GNSO Outcomes Report on Domain Tasting Doc. No.: Date: 2007/02/04 4 October, 2007 TABLE OF CONTENTS 1 EXECUTIVE SUMMARY 3 2 OBJECTIVE 5 3 BACKGROUND 7 4 OUTCOMES 10 5 NEXT STEPS 32 ANNEX 1 - SUBSCRIBERS TO THE DT LIST 33 ANNEX 2 - RFI RESPONSES 34 ANNEX 3 - EXPERIENCES FROM CCTLDS 97 ANNEX 4 - COMMENTS FROM UDRP PROVIDERS 104 ANNEX 5 – IPC CONSTITUENCY SUPPLEMENTAL RFI116 ANNEX 6 – REQUEST TO VERISIGN 144 GNSO Outcomes Report on Domain Tasting v1.6 Authors: Mike Rodenbaugh, [email protected] , Olof Nordling, [email protected] , Patrick Jones, [email protected], Page 2 of 144 GNSO Outcomes Report on Domain Tasting Doc. No.: Date: 2007/02/04 4 October, 2007 1 Executive summary 1.1 Background Following a request from the At-Large Advisory Committee in spring 2007, the GNSO Council called for an Issues Report on Domain Tasting from ICANN Staff in May 2007. This Issues Report, available at http://gnso.icann.org/issues/domain- tasting/gnso-domain-tasting-report-14jun07.pdf was discussed at the ICANN San Juan meeting, where the GNSO Council on 27 June 2007 (minutes at http://gnso.icann.org/meetings/minutes-gnso-27jun07.shtml) resolved to establish an ad hoc group for further fact-finding on the practice of domain tasting.
    [Show full text]