Master Thesis as part of the major in Security & Privacy at the EIT Digital Master School SIDekICk SuspIcious DomaIn Classification

The Domain Name System (DNS) plays a central role in the Internet. It allows the translation of human-readable domain names to (alpha-) numeric IP addresses in a fast and reliable manner. However, domain names not only allow Internet users to access benign services on the Internet but are used by hackers and other criminals as well, for example to host phishing campaigns, to distribute malware, and to coordinate botnets. Registry operators, which are managing top-level domains (TLD) like .com, .net or .nl, disapprove theses kinds of usage of their domain names because they could harm the reputation of their zone and would consequentially lead to loss of income and an insecure Internet as a whole. Up to today, only little research has been conducted with the intention to fight malicious domains from the view of a TLD registry. This master thesis focuses on the detection of malicious domain names for the .nl country code TLD. Therefore, we analyse the characteristics of known malicious .nl domains which have been used for phishing and by botnets. We confirm findings from previous research in .com and .net and evaluate novel characteristics including query patterns for domains in quarantine and recursive resolver relations. Based on this analysis, we have developed a prototype of a detection system called SIDekICk. It is able to detect newly registered phishing domains and other online scams as soon as they propagate through the Internet with a false positive rate of 0,3 percent. It relies solely on features that can be collected from the vantage point of any TLD registry like DNS query patterns, geographic features of querying resolvers, and domain registration information. A second component of SIDekICk reports suspicious domain names that were formerly used for benign purposes but might have been compromised to become part of a malware infection chain or a phishing campaign. This component demonstrates that DNS traffic analysis has the potential to detect compromised domains as well and in this thesis, we suggest additional features to improve the detection rate.