Domain names are the signposts for users to meaningfully navigate on the Internet, but unfortunately they sometimes also direct to websites where phishing content is hosted or on which visitors are infected with malware.
From February to July last year, I had the opportunity to write my Master’s thesis at SIDN Labs. I developed a tool called SIDEKICK that is able to detect newly registered domain names that are potentially being used for this kind of malicious activity.
For this work, I had the honor to receive the Internet Thesis Award 2015 in the category Internet and Technology from the Royal Holland Society of Sciences and Humanities (KHMW) in Haarlem last week.
In this blog post, I want to give a quick introduction to my work and share some impressions of the award ceremony.
SIDEKICK’s Approach
At SIDN Labs, we run a platform called ENTRADA, which we use to store every DNS query from two of our name servers. This allows us to analyze the number of DNS queries, their origin, and many other characteristics for every .nl domain name. ENTRADA comes with a Privacy Framework that allows us to process this data in a privacy friendly manner.
In my master’s project, I used a set of domain names that are “good” (domains that are known not to be used for malicious activities) and domain names that are “bad” (domain names known for being used in phishing campaigns and botnet command and control). Both data sets showed distinct patterns in our DNS traffic. For example, we often observed a rapid increase in requests for bad domains from one day to another. Also, bad domain names frequently received many requests from countries like India or China, which is unusual for .nl domain names.
My tool SIDEKICK consists of a trained machine-learning algorithm that uses the characteristics described above to decide whether a domain name is good or bad. SIDEKICK has a high accuracy in detecting bad domain names that are newly registered and at SIDN: the false positive rate was 0.3%. We used insights gained in SIDEKICK to actively detect newly registered domain names and to build the NDEWS system.
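The two traffic characteristics named above, computed per domain, as an added example that is not SIDEKICK's code and not part of the original post. The record layout, the domain names, the expected-country set and both thresholds are assumptions, and a fixed threshold rule stands in for the trained classifier.

```python
from collections import Counter, defaultdict

def _q(day, domain, country, n):
    """Build n identical constructed query records."""
    return [(day, domain, country)] * n

# Constructed sample: one (day, domain, resolver country) tuple per DNS query.
# This layout is an assumption, not ENTRADA's schema.
QUERIES = (
    _q(1, "constructed-good.nl", "NL", 40)
    + _q(2, "constructed-good.nl", "NL", 44)
    + _q(2, "constructed-good.nl", "DE", 4)
    + _q(3, "constructed-good.nl", "NL", 42)
    + _q(1, "constructed-bad.nl", "NL", 3)
    + _q(2, "constructed-bad.nl", "IN", 90)
    + _q(2, "constructed-bad.nl", "CN", 60)
    + _q(2, "constructed-bad.nl", "NL", 10)
)

EXPECTED_COUNTRIES = {"NL", "BE", "DE"}  # assumed "usual" origins for .nl
GROWTH_LIMIT = 10.0                      # assumed day-over-day growth factor
UNUSUAL_SHARE_LIMIT = 0.5                # assumed share of unusual origins

def extract_features(queries):
    """Per domain: largest day-over-day growth and share of unusual origins."""
    per_day = defaultdict(Counter)      # domain -> day -> query count
    per_country = defaultdict(Counter)  # domain -> country -> query count
    for day, domain, country in queries:
        per_day[domain][day] += 1
        per_country[domain][country] += 1
    features = {}
    for domain, days in per_day.items():
        ordered = sorted(days)
        # Only compare consecutive calendar days; a domain seen once gets 1.0.
        growth = max((days[b] / days[a]
                      for a, b in zip(ordered, ordered[1:]) if b == a + 1),
                     default=1.0)
        total = sum(per_country[domain].values())
        unusual = sum(n for c, n in per_country[domain].items()
                      if c not in EXPECTED_COUNTRIES)
        features[domain] = {"max_growth": growth,
                            "unusual_share": unusual / total}
    return features

def flag_suspicious(features):
    """Threshold rule standing in for the trained model (assumption)."""
    return sorted(d for d, f in features.items()
                  if f["max_growth"] >= GROWTH_LIMIT
                  and f["unusual_share"] >= UNUSUAL_SHARE_LIMIT)
```
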
Detecting hacked domain names is a bigger challenge. At SIDN, we are continuously looking for new ways to find these domain names as well in order to increase the security of the .nl zone further.
More details on SIDEKICK can be found in one of my previous blog posts.
Award Ceremony
The Internet Thesis Award is awarded by the Royal Holland Society of Sciences and Humanities (Dutch: Koninklijke Hollandsche Maatschappij der Wetenschappen). It has four categories: Internet & Economy, Internet & Law, Internet & Society, and Internet & Technology. I won in the category Internet & Technology.
The ceremony took place in the palatial Hodshon House in Haarlem. Prince Constantijn van Oranje attended it among others. The chairman of KHMW, Prof. Alexander Rinnooy Kan, presided over the ceremony. He also had an interesting “fireside chat” about innovation and the role of Europe in the Internet economy and society with Prince Constantijn van Oranje.
The awarded students came from four different Dutch universities and presented diverse work in the realm of the Internet.
Katharina Schmitz (Maastricht University) received the award in the category Internet & Economy. She analyzed different designs of online pension planners in order to encourage people to proactively take private future financial precautions. In her research, she discovered that people have very individual preferences for the design of such pension planners, which need to be taken into account if a government wants to increase the adoption of private financial precautions. In my opinion, this observation is not only true for pension planning, but needs to be considered by governments in general when interacting with their citizens on the Internet – especially in more and more heterogeneous societies.
Sam van Velze (University of Amsterdam) received the award in the category Internet & Law. Her thesis was about the complicated and controversial role of hyperlinks in copyright law. During the award ceremony, she presented these issues based on the “Britt Dekker” case (a Dutch celebrity) and proposed new criteria that might eliminate some of the juridical ambiguities of hyperlinks. This presentation introduced a complex topic to the audience in a comprehensible manner, which brought Sam the audience award. Congratulations!
The third prize in the category Internet & Society was awarded to Loes Derks van de Ven (Radboud Universiteit Nijmegen) for her analysis of the privacy movement, which emerged especially after the Snowden Revelations. She discussed topics like the composition of privacy movements and how they organize protests online and offline. Her research gives great new insights into these activist movements and might help to spur successful privacy movements outside of “privacy movement hotspots” like Berlin.
Other honorable mentions and links to every thesis can be found on the website of the KHMW.
My thesis was awarded in the category Internet & Technology, introduced by Prof. Dr. Bart Jacobs of the Radboud University Nijmegen and was sponsored by Greenhost. Thank you Mr. Jacobs for your kind words, thank you Greenhost for supporting this award. I had an interesting day in Haarlem and encourage every student to submit their Master’s theses next year as well!