Premadoma

Digital Threats: Research and Practice (2021)

Abstract
DNS is one of the most essential components of the Internet, mapping domain names to the IP addresses behind almost every online service. Domain names are therefore also a fundamental tool for attackers to quickly locate and relocate their malicious activities on the Internet. In this article, we design and evaluate Premadoma, a solution for DNS registries to predict malicious intent well before a domain name becomes operational. In contrast to blacklists, which only offer protection after some harm has already been done, this system can prevent domain names from being used before they can pose any threats. We advance the state of the art by leveraging recent insights into the ecosystem of malicious domain registrations, focusing explicitly on facilitators employed for bulk registration and similarity patterns in registrant information. We thoroughly evaluate the proposed prediction model’s performance and adaptability on an 11-month testing set and address complex and domain-specific dataset challenges. Moreover, we have successfully deployed Premadoma in the operational environment of the .eu ccTLD registry, resulting in a decline of malicious registrations. Finally, we have identified and quantified three possible evasion patterns and have observed changes in the malicious registration ecosystem since Premadoma has been operationalized.