A group of scientists at the Hamad bin Khalifa University’s Qatar Computing Research Institute (QCRI) has invented a new tool to identify unknown malicious domains by using a real-life “guilt-by-association” principle.

Malicious domains are involved in many cyber security attacks including Distributed Denial of Service (DDoS) attacks, in which web servers are attacked and become unusable. They are also a source of phishing, whereby criminals dupe email users to disclose information by posing as reputable entities; and are used to control botnets, when armies of infected machines without their owners’ knowledge can propagate malware and send spam messages.

The researchers, led by Issa Khalil and Ting Yu, have developed a prototype that can detect malicious domains by analysing the movements and previous associations of a domain address.

Khalil said the tool, dubbed Guilt by Association Inference of Malicious Domains (GAIMD), used data from public Domain Name Service (DNS) records and other interested parties to provide high-quality intelligence of potentially malicious domains.

Khalil said:

One would consider an unknown person suspicious if he mostly hangs around with known criminals and trustworthy if he hangs around with known good people.’

‘Similarly, in the context of malicious domains, hanging around can be interpreted in different ways including moving from one web-hosting provider to another in flocks, being hosted on similar IPs, accessed by similar set of clients, or having similar registration records, among other behaviours.’

An example used by the researchers in developing the tool was a tendency by owners of malicious domains to “run”, changing the hosting of their domains from one service provider to another to avoid being detected and blocked.

The research findings are to appear in the ACM AsiaCCS conference to be held in June. More information can be found at https://www.researchgate.net/publication/296678352_Discovering_Malicious_Domains_through_Passive_DNS_Data_Graph_Analysis.

For more information, please visit qcri.qa.