Enhancing filtering proactivity with reverse IP and reverse Whois queries (presented at Virus Bulletin 2011)

by Claudiu Cristian Musat (Bitdefender)

URL: http://www.virusbtn.com/conference/vb2011/abstracts/MusatDamian.xml

Summary: The presented work outlines a system that employs reverse IP and reverse Whois queries to proactively detect malicious domains in an industrial manner.

The main advantage, and also the main novelty, of the technique is that it is able to block spam, fraud and malware even for the recipients of the first instances of an outbreak. Most threat detection techniques are only mildly proactive, in the sense that their detection is based on previous malicious activity, which means some users will have been affected by the wrongdoing before the threat is identified.

The aim of the presented filtering technique is to identify a new campaign at the first hint of future malicious activity: the registration of the domain that will be used in said outbreak. The idea of using reverse IP queries is not new in itself; however, its use alongside reverse Whois queries in an automated process is. We prove that host IPs and e-mails used in the registration process are reused, and compute the ratio of threats that can be filtered in their incipient phase. Our results also show a significant interconnection between various malicious domain types, which underlines the benefits of an integrated protection system.