Franco-Dutch research project on automatic classification of domain name abuse
2 October 2018 - By Benoit Ampeau
Cristian Hesselman (Manager SIDN Labs), Benoît Ampeau (Director Partnerships & Innovations, Afnic Labs) and Maciej Korczyński (Associate Professor)
SIDN Labs, Afnic Labs, and Grenoble Alps University started a new research project called “Classification of compromised versus maliciously registered domains” (COMAR) on 1 October 2018. The Franco-Dutch project will address the problem of automatically distinguishing between domain names registered by cybercriminals for the purpose of malicious activities, and domain names exploited through vulnerable web applications. The project is designed to help intermediaries such as registrars and ccTLD registries further optimize their anti-abuse processes.
Domain name abuse
Domain names are easy-to-use shorthands for IP addresses that help us navigate the many online services we use in our daily lives. While the vast majority of domain name registrations and uses are benign, cybercriminals unfortunately misuse some of them, for instance to launch large-scale phishing attacks, drive-by downloads, and spam campaigns. Security organizations such as the Anti-Phishing Working Group (APWG) and Stop Badware collect information about these misused domain names and make it available to their customers (e.g., hosting providers and domain name registries) in the form of URL blacklists.
Compromised vs. maliciously registered
Both the operational and research communities distinguish two types of domain name abuse: legitimate domains that criminals have compromised and new domain names that have been specifically registered for malicious purposes. An example of a compromised domain name is studentflats.gr, which is a legitimate site that ran a Wordpress installation and that cybercriminals hacked to host a banking-related phishing site. This is visible in the blacklisted URL (http://studentflats.gr/wp-content/uploads/2016/.co.nz/login/personal-banking/login/auth_security.php), which has an illegally installed banking script (/uploads/…/auth_security.php) underneath the Wordpress directory (/wp-content). An example of a maliciously registered domain name is continue-details.com, which was used for a Paypal phishing site. This is visible in the blacklisted URL (http://paypal.com.login.continue-details.com/), which does not explicitly contain a malicious program such as a PHP script, but instead refers to a site specifically set up for the phish using a 5th level domain name (continue-details.com being the first and second levels and paypal.com.login. adding three more levels).
The distinction between these two groups is critical because they require different mitigation actions by different intermediaries. For example, hosting providers together with webmasters typically concentrate on cleaning up the content of compromised websites [3], whereas domain registries (e.g., SIDN and Afnic) and registrars tend to focus on handling malicious domain name registrations.
Blacklist-based classification
From an operational point of view, intermediaries typically use URL blacklists in their security systems to automatically block malicious content. However, a compromised domain name requires a more fine-grained level of mitigation. For example, if an intermediary simply blocks studentflats.gr, it will also block the legitimate part of the site (the content the Wordpress installation is serving to visitors). What a security engineer needs to do instead is look at the site’s Wordpress installation and specifically (or automatically) remove the malicious PHP script from the hosting platform. This example illustrates that it is crucial to unambiguously label the domains of blacklisted URLs as compromised or maliciously registered so that security systems can rely on them.
The ultimate goal of COMAR is to develop a machine learning-based classifier that labels blacklisted domains as compromised or maliciously registered, then extensively evaluate its accuracy, and implement it for a production-level environment. We also plan to study the attackers’ profit-maximizing behavior and their business models. We shall apply our classifier to unlabeled domain names of URL blacklists, for example, to answer the following question: do attackers prefer to register malicious domains, compromise vulnerable websites, or misuse domains of legitimate services such as cloud-based file-sharing services in their criminal activities?
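The two blacklisted URLs above (studentflats.gr and continue-details.com) illustrate the signals a classifier can start from: a server-side script buried under a CMS directory of an otherwise ordinary site points to compromise, whereas brand and lure words stacked as extra labels in front of an unrelated registrable domain point to a malicious registration. The script below is an added example, not code from the COMAR project or from the authors: it extracts those features from a URL with the Python standard library, applies a constructed rule set (the keyword and CMS-path lists, the thresholds and the mitigation hints are all assumptions made for this illustration, standing in for the trained classifier the project aims to build) and returns the label together with the intermediary that should act on it, as described in the text. The registrable-domain helper takes the last two labels and consults no public suffix list, so it would mis-cut names such as example.co.uk.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed markers (assumption, not from the post): a malicious script living
# under one of these CMS directories suggests a compromised legitimate site.
CMS_PATH_MARKERS = ("/wp-content/", "/wp-includes/", "/wp-admin/",
                    "/sites/default/files/", "/administrator/")
# Constructed list of brand and lure words that phishers stack into host names.
LURE_KEYWORDS = ("paypal", "login", "secure", "account", "banking", "verify")


def registrable_domain(host: str) -> str:
    """Registered (second-level) name. Simplification: no public suffix list,
    so a host under a two-part suffix such as .co.uk would be cut wrongly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


@dataclass
class UrlFeatures:
    host: str
    registrable: str
    subdomain_levels: int       # labels in front of the registrable domain
    lure_in_subdomain: bool     # e.g. paypal.com.login.<registrable>
    lure_in_registrable: bool   # e.g. paypal-secure-login.<tld>
    under_cms_dir: bool         # path runs through /wp-content/ and the like
    path_depth: int             # number of path segments
    script_filename: bool       # last segment looks like a server-side script


def extract_features(url: str) -> UrlFeatures:
    parsed = urlparse(url)
    host = parsed.hostname or ""
    reg = registrable_domain(host)
    # everything left of the registrable domain, e.g. "paypal.com.login"
    sub = host.lower()[: -len(reg)].rstrip(".") if host.lower().endswith(reg) else ""
    sub_labels = [label for label in sub.split(".") if label]
    path = parsed.path or "/"
    segments = [s for s in path.split("/") if s]
    last = segments[-1].lower() if segments else ""
    return UrlFeatures(
        host=host,
        registrable=reg,
        subdomain_levels=len(sub_labels),
        lure_in_subdomain=any(k in sub for k in LURE_KEYWORDS),
        lure_in_registrable=any(k in reg for k in LURE_KEYWORDS),
        under_cms_dir=any(m in path + "/" for m in CMS_PATH_MARKERS),
        path_depth=len(segments),
        script_filename=last.endswith((".php", ".asp", ".aspx", ".jsp", ".cgi")),
    )


def classify(f: UrlFeatures) -> str:
    """Constructed rule set standing in for a trained classifier."""
    if f.under_cms_dir and f.script_filename:
        # payload planted inside a CMS install: the domain itself is legitimate
        return "compromised"
    if f.lure_in_subdomain and not f.lure_in_registrable:
        # the impersonated brand lives only in labels the registrant controls
        return "maliciously_registered"
    if f.lure_in_registrable:
        return "maliciously_registered"
    return "undetermined"


# Who should act, following the split between hosters/webmasters and registries/registrars.
MITIGATION = {
    "compromised": "notify hosting provider and webmaster to remove the script; do not block the whole domain",
    "maliciously_registered": "escalate the registration to the registrar or registry",
    "undetermined": "manual review or richer data (registration age, hosting, content) needed",
}


def triage(url: str) -> dict:
    """Label one blacklisted URL and attach the mitigation hint."""
    f = extract_features(url)
    label = classify(f)
    return {"url": url, "domain": f.registrable, "label": label, "action": MITIGATION[label]}


# Constructed sample: the two URLs discussed in the post plus one benign-looking one.
SAMPLE_URLS = [
    "http://studentflats.gr/wp-content/uploads/2016/.co.nz/login/personal-banking/login/auth_security.php",
    "http://paypal.com.login.continue-details.com/",
    "http://example.org/newsletter/2018/promo.html",
]

if __name__ == "__main__":
    for r in map(triage, SAMPLE_URLS):
        print(f"{r['label']:<22} {r['domain']:<25} {r['action']}")
```

The rules are deliberately simple to make the features visible; they are also where such heuristics break down, since a fraudster can register a throwaway domain and run Wordpress on it, which is exactly why the project turns to a trained classifier evaluated against labelled blacklists rather than hand-written thresholds.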
Partner capabilities and interests
All three COMAR partners have extensive experience in the analysis of large heterogeneous datasets and in engineering the underlying platforms. Grenoble Alps University will concentrate on the statistical analysis of large-scale Internet measurement and incident data and publishing scientific papers, whereas both registry Labs will focus on advancing the COMAR classifier for operational environments (e.g., at SIDN and Afnic) and making it available to their stakeholders such as .nl and .fr registrars. The complementary approach of this partnership is in line with the need for registries to continuously reinforce their capacities and capabilities to increase the security levels of their Top-level Domains (TLDs) and ultimately provide enhanced levels of trust for end-users.
Sourena Maroofi, a Ph.D. student at Grenoble Alps University, will develop and evaluate the COMAR classifier under the supervision of Maciej Korczyński, COMAR’s Principal Investigator. COMAR, funded by SIDN and Afnic, will start in October 2018 and will last for three years. The steering committee of the project consists of Cristian Hesselman (SIDN Labs), Benoît Ampeau (Afnic Labs), and Maciej Korczyński (Drakkar team, Grenoble INP, Grenoble Alps University).
About COMAR partners
COMAR is a joint project of SIDN Labs, Afnic Labs, and Grenoble Alps University.
- SIDN Labs is the research team of SIDN, the registry of the .nl Top-Level Domain (TLD) in the Domain Name System (DNS). SIDN Labs’ goal is to increase the operational security and resilience of end-to-end Internet communications through world-class measurement-based research and technology development. Our research challenges include DNS and Internet security and resilience, and Internet evolution.
- Afnic Labs is a key team devoted to the development and future of the Internet at Afnic. Afnic manages the .fr and 5 other French overseas TLDs. Afnic is also the back-end registry for 14 companies and local and regional authorities that have chosen to have their own TLD suffix. Each day Afnic Labs initiates and contributes to projects in line with Afnic’s assignments: an Internet that is secure and stable, open to innovation and in which the French Internet community plays a key role. As with other partnerships in which Afnic is involved, Afnic Labs believes in the added value of collaborative research work, here to ultimately deliver a high-value, mature, state-of-the-art classifier.
- Grenoble Alps University aims to establish a leading center in cybersecurity research in the Rhône-Alpes region in France, with a particular focus on active and passive measurements for cybersecurity. The members of the Drakkar team have been involved in collaborative projects with law enforcement agencies and with security and Internet policy organizations devoted to fighting cybercrime. Our focus is on the statistical analysis of large-scale Internet measurement and incident data to identify how cybercriminals misuse domain names and how providers of Internet services deal with security risks and incidents. The COMAR project is at the heart of these issues.
- Project website: www.comar-project.fr and www.comar-project.nl (available shortly).
Further reading
- "Cybercrime After the Sunrise: A Statistical Analysis of DNS Abuse in New gTLDs", Maciej Korczynski, Maarten Wullink, Samaneh Tajalizadehkhoob, Giovane C.M. Moura, Arman Noroozian, Drew Bagley, Cristian Hesselman, in Proc. of ACM AsiaCCS, Korea, June 2018
- “Global Phishing Survey: Trends and Domain Name Use in 2016”, Greg Aaron and Rod Rasmussen. Available at: http://docs.apwg.org/reports/APWG_Global_Phishing_Report_2015-2016.pdf, 2017
- “Herding Vulnerable Cats: A Statistical Approach to Disentangle Joint Responsibility for Web Security in Shared Hosting”, Samaneh Tajalizadehkhoob, Tom van Goethem, Maciej Korczyński, Arman Noroozian, Rainer Bohme, Tyler Moore, Wouter Joosen, Michel van Eeten, in Proc. of ACM CCS, October 2017