• Title/Summary/Keyword: WHOIS Information

A Proactive Inference Method of Suspicious Domains (선제 대응을 위한 의심 도메인 추론 방안)

  • Kang, Byeongho;YANG, JISU;So, Jaehyun;Kim, Czang Yeob
    • Journal of the Korea Institute of Information Security & Cryptology / v.26 no.2 / pp.405-413 / 2016
  • In this paper, we propose a proactive inference method for finding suspicious domains. Our method detects potentially malicious domains from seed domain information extracted from the TLD Zone files and WHOIS information. The inference process follows three steps: searching for candidate domains, machine learning, and generating a suspicious domain pool. In the first step, we search the TLD Zone files and build a candidate domain set that has the same name server information as the seed domain. The next step clusters the candidate domains by the similarity of their WHOIS information. The final step finds the seed domain's cluster and makes that cluster the suspicious domain set. In experiments, we used the .COM and .NET TLD Zone files and tested 10 seed domains selected by our analysts. The experimental results show that our proposed method finds 55 suspicious domains and 52 true positives. The F1 score is 0.91, and precision is 0.95. We hope our proposal will contribute to further research on proactive malicious domain blacklisting.

RealURL Anti-Phishing using Whois and DNS Record (Whois 와 DNS 정보를 활용한 RealURL 안티피싱 기법)

  • Ha, JeongAe;Lee, HeeJo
    • Proceedings of the Korea Information Processing Society Conference / 2007.11a / pp.1111-1114 / 2007
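  • Year after year, the number of phishing sites keeps growing and the resulting damage is continually reported, while security vendors propose and supply anti-phishing browser plug-ins that use blacklist databases. Meanwhile, according to a 2007 report by APWG, the lifetime of a phishing site ranges from as little as a few hours to at most 30 days, and averages only 3.8 days. This means that existing anti-phishing plug-ins that rely on a blacklist database are limited in that they cannot cope with new phishing sites. Although it is urgent to judge the authenticity of a site in real time, taking the life cycle of phishing sites into account, and to prevent the leakage of user information, anti-phishing plug-ins so far cannot judge the authenticity of a site in real time and therefore fail to cope with new phishing sites. This paper therefore proposes an improved anti-phishing technique (RealURL) that uses Whois and DNS information to judge the authenticity of a site in real time. The proposed technique was also implemented as a browser plug-in that encourages active involvement by the user. RealURL can be used as a new method that moves away from the existing blacklist-database approach and judges the authenticity of a site in real time.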

MALICIOUS URL RECOGNITION AND DETECTION USING ATTENTION-BASED CNN-LSTM

  • Peng, Yongfang;Tian, Shengwei;Yu, Long;Lv, Yalong;Wang, Ruijin
    • KSII Transactions on Internet and Information Systems (TIIS) / v.13 no.11 / pp.5580-5593 / 2019
  • A malicious Uniform Resource Locator (URL) recognition and detection method based on the combination of Attention mechanism with Convolutional Neural Network and Long Short-Term Memory Network (Attention-Based CNN-LSTM), is proposed. Firstly, the WHOIS check method is used to extract and filter features, including the URL texture information, the URL string statistical information of attributes and the WHOIS information, and the features are subsequently encoded and pre-processed followed by inputting them to the constructed Convolutional Neural Network (CNN) convolution layer to extract local features. Secondly, in accordance with the weights from the Attention mechanism, the generated local features are input into the Long-Short Term Memory (LSTM) model, and subsequently pooled to calculate the global features of the URLs. Finally, the URLs are detected and classified by the SoftMax function using global features. The results demonstrate that compared with the existing methods, the Attention-based CNN-LSTM mechanism has higher accuracy for malicious URL detection.

A Study on Real IP Traceback and Forensic Data Generation against Bypass Attack (우회적인 공격에 대한 실제 IP 역추적 실시와 포렌식 자료 생성)

  • Youn, Byung-Sun;Yang, Hae-Sool;Kim, Dong-Jhoon
    • Journal of the Korea Society of Computer and Information / v.13 no.1 / pp.143-151 / 2008
  • This paper executes IP traceback against an intruder who uses a Bypass Attack in order to avoid exposure of their own Real IP address. Design IP traceback server and agent module, and install in Internet network system for Real IP traceback. Set up detection and chase range aggressive loop around connection arbitrariness, and attack in practice, and generate Real IP data cut off by fatal attacks after data and intrusion detection accessed general IP, and store to DB. Generate the Forensic data which Real IP confirms substance by Whois service, and ensured integrity and the reliability that buy to early legal proof data, and was devoted to of an invader. Present the cyber criminal preventive effect that is dysfunction of Ubiquitous Information Society and an effective Real IP traceback system, and ensure a Forensic data generation basis regarding a judge's robe penalty through this paper study.

New gTLD Program: Uniform Rapid Suspension System and Trademark Clearinghouse (신규 일반 최상위 도메인의 도입과 통일신속정지제도(URS)에 대한 연구)

  • Park, Yu-Sun
    • Journal of Arbitration Studies / v.21 no.2 / pp.113-131 / 2011
  • Recently, the Internet Corporation for Assigned Names and Numbers (ICANN) announced the expansion of the number of generic top-level domains (gTLDs) beyond the current 22 gTLDs, and the gTLD Applicant Guidebook for ICANN's new gTLD program is now under consideration for approval. ICANN also introduces a "Trademark Clearinghouse" and the "Uniform Rapid Suspension (URS)" procedure to protect trademarks and expedite dispute resolution and save costs. The Trademark Clearinghouse is a central repository for information to be authenticated, stored and disseminated, pertaining to the rights of the trademark holders. Trademark holders would voluntarily provide data of their trademarks from all over the world, and it would assist a trademark watch service provided by the new gTLD registry for trademark holders and potential domain name registrants. The URS is a part of the new gTLD dispute resolution mechanisms created by ICANN to resolve cybersquatting disputes. A complainant in a URS proceeding must establish three elements that are very similar to the existing UDRP to succeed, but supposedly more expedited and cost efficient. Since the URS provides that it only protects court validated and registered trademarks, it is not clear whether unregistered marks used in commerce are protected under the URS. The URS escalates the complainant's burden of proof from a preponderance of evidence standard under the UDRP to a clear and convincing evidence standard. The notices to a respondent shall be sufficient if the URS Provider sends the notice of Complaint to the addresses listed in the Whois contact information. As registrants who wish to conceal their true identity often subscribe to the privacy/proxy service and the complainant's high rate of success in the UDRP proceeding is relevant to the respondents' default rate, the URS's simple notice requirement would deprive respondents of a fair opportunity to assert their rights over the disputed domain names.

Design of detection method for malicious URL based on Deep Neural Network (뉴럴네트워크 기반에 악성 URL 탐지방법 설계)

  • Kwon, Hyun;Park, Sangjun;Kim, Yongchul
    • Journal of Convergence for Information Technology / v.11 no.5 / pp.30-37 / 2021
  • Various devices are connected to the Internet, and attacks using the Internet are occurring. Among such attacks, there are attacks that use malicious URLs to make users access wrong phishing sites or to distribute malicious viruses. Therefore, how to detect such malicious URL attacks is one of the important security issues. Among recent deep learning technologies, neural networks are showing good performance in image recognition, speech recognition, and pattern recognition. Such a neural network can be applied to research that analyzes and detects patterns of malicious URL characteristics. In this paper, performance analysis according to various parameters was performed on a method of detecting malicious URLs using neural networks. Malicious URL detection performance was analyzed while changing the activation function, learning rate, and neural network structure. The experimental data was built by crawling Alexa top 1 million and Whois, and TensorFlow was used as the machine learning library. As a result of the experiment, when the number of layers is 4, the learning rate is 0.005, and the number of nodes in each layer is 100, an accuracy of 97.8% and an F1 score of 92.94% are obtained.