INFERMAL Project

Inferential Analysis of Maliciously Registered Domains

About the Project

INFERMAL (Inferential Analysis of Maliciously Registered Domains) is a research project being carried out by KOR Labs and funded by ICANN. The goal of this project is to conduct an in-depth analysis of maliciously registered domain names, aiming to uncover cyber attackers' preferences and possible measures to mitigate abusive activities within the domain name space.

Domain Name Abuse

Domain names serve as convenient shorthands for IP addresses, enabling easy navigation of the numerous online services we use daily. While most domain name registrations are harmless, cybercriminals frequently register new domains to launch large-scale attacks, such as phishing, malware drive-by-download, or spam campaigns. These malicious activities pose significant threats to Internet users and the security of the online ecosystem.

Understanding Attackers' Preferences

For years, there has been anecdotal evidence suggesting that cybercriminals tend to exploit top-level domains (TLDs) and registrars with low domain name registration prices. However, this hypothesis lacked concrete evidence and a systematic analysis of attackers' preferences. Each malicious actor may have their own criteria, with one favoring lower registration prices while another may target registrars with specific payment methods or free APIs for bulk domain registration.

Exploring Factors Driving Abuse

The issue of factors influencing malicious domain registrations is of significant importance, particularly in light of the new generic Top-Level Domain (gTLD) program initiated by the Internet Corporation for Assigned Names and Numbers (ICANN). Since its launch in October 2013, hundreds of new gTLDs have been incorporated into the domain name system (DNS).

Certain gTLDs compete by offering exceptionally low registration prices, occasionally even below US $1. This presents a critical challenge: finding ways for TLD registries and registrars to attract legitimate users while simultaneously implementing robust measures to deter malicious use. Addressing this challenge requires systematically exploring strategies that strike a balance, encouraging legitimate registrations while maintaining barriers against abuse. By understanding the motivations behind malicious registrations and the factors driving them, TLD registries and registrars may develop effective approaches to safeguard the integrity of the domain name system and protect users from cyber threats.

Our Approach

Our approach involves collecting URLs blocklisted by reputable organizations and focusing on maliciously registered domain names, rather than hacked websites. We gather registration data and compile registration policies, including pricing, API access to the registration panel, bulk registration options, and payment methods (e.g., credit card or cryptocurrencies) used during domain registration. Through systematic analysis using Generalized Linear Models (GLMs), we extract the set of registration features favored by attackers and assess their significance in identifying malicious domains.

Research Objectives

  • Collect and analyze blocklisted URLs focusing on maliciously registered domains
  • Compile comprehensive data on registration policies, pricing, and payment methods
  • Conduct systematic analysis using Generalized Linear Models (GLMs)

Expected Outcomes

  • Uncover cyber attackers' preferences in domain registration
  • Develop strategies to balance legitimate use and abuse prevention
  • Provide evidence-based insights for TLD registries and registrars

Partners

KOR Labs

Prof. Maciej Korczyński

Co-founder at KOR Labs

Prof. Maciej Korczyński is a scientific consultant of the INFERMAL project and a co-founder of KOR Labs, a university spin-off dedicated to combating cyber threats and helping the Internet community collectively increase barriers to abuse. He is a Full Professor of Computer Networks and Cybersecurity at the Grenoble Institute of Technology in France. His main interests revolve around large-scale passive and active measurements and analysis of cybersecurity, with a focus on the DNS. Since 2015, he has co-authored over 30 scientific articles about domain name and DNS infrastructure abuse, DNS vulnerabilities, security metrics, Internet Protocol address spoofing, distributed denial-of-service attacks, botnets, and vulnerability notifications.

ICANN

Dr. Samaneh Tajalizadehkhoob

Director of Security, Stability and Resiliency Research at ICANN

Dr. Samaneh Tajalizadehkhoob is the scientific contact point for the INFERMAL project on the ICANN Org side. Samaneh is Director of Security, Stability and Resiliency Research (SSR) within ICANN's Office of the Chief Technology Officer (OCTO). The SSR research team leads work on topics related to DNS security measurements, DNS vulnerabilities and DNS abuse, among others. This project is funded as a part of ICANN's Domain Name System (DNS) Security Threat Mitigation Program, which strives to make the Internet a safer place for end users by reducing the prevalence of DNS security threats across the Internet.

Latest news

February 5, 2025

Join ICANN's webinar on INFERMAL

KOR Labs will present key findings from the INFERMAL project during a two-hour ICANN webinar on February 19 at 15:00 UTC. Led by Prof. Maciej Korczyński (KOR Labs) and coordinated by Dr. Samaneh Tajalizadehkhoob (ICANN), the session will include a presentation followed by an interactive Q&A session. The webinar presents a valuable opportunity for stakeholders to gain insights into the complexities of malicious activities within the registration landscape.


Registration details are provided here.

November 11, 2024

INFERMAL project wraps up: final report now available

We are excited to announce the publication of the final report, marking the successful completion of our two-year research initiative. The document synthesizes our methodology, key findings, and recommendations, contributing to the broader understanding of DNS abuse.


The full report is now available for download here. We invite the community to explore our findings and engage with this important research. We would like to thank everyone who contributed to this project and look forward to continuing discussions about DNS abuse mitigation.

November 10, 2024

Meet us at ICANN81 during the DNS Abuse Updates session

KOR Labs is pleased to announce its participation in the upcoming DNS Abuse Updates session at ICANN81 (10:15 UTC, 13 November 2024). As our INFERMAL project has just been completed, we will present the key findings and insights to the community. Prof. Maciej Korczyński (KOR Labs) will join Dr. Samaneh Tajalizadehkhoob (ICANN OCTO-SSR) to share the project's outcomes during this session.

October 24, 2024

Analyzing Features of Malicious Domain Registrations

As we work towards understanding the preferences of cyberattackers, our analysis focuses on three categories of features: registration attributes (including domain pricing, payment methods, API access, and free services), proactive verification (such as registrant information validation and registration restrictions), and reactive security practices (malicious domain uptimes).


Read more about the feature selection in our blog.

September 25, 2023

INFERMAL project update and timeline

The INFERMAL research project will unfold in three phases. In Phase 1 (November 2023), researchers will map abusive domains from blocklists to their registration information. Phase 2 (July 2024) will analyze proactive security measures, including how registrars validate user data and respond to abuse notifications. The final phase (September 2024) will culminate in a research paper using generalized linear modeling to identify key factors driving domain abuse and propose recommendations for mitigation.


More about our next steps in this blog.

April 24, 2023

New ICANN project explores the drivers of malicious domain name registrations

The INFERMAL project aims to systematically analyze the preferences of cyberattackers when registering domains for malicious activities. Led by Dr. Maciej Korczyński, the research team will study factors like pricing, payment methods, and registration restrictions to identify patterns in attackers' behaviour. The findings will help registrars and registries develop better anti-abuse practices and ultimately create a more secure namespace for all.


Read more in our blog.

October 30, 2022

KOR Labs and ICANN kick off the INFERMAL project

Documents

Final Report

Download PDF

Contact Us

Have a question about the INFERMAL project? Feel free to reach out to us below.

Prof. Maciej Korczyński

KOR Labs

Dr. Samaneh Tajalizadehkhoob

ICANN