
DNS enhancement catches malware sites by understanding sneaky domain names



A researcher at OpenDNS Security Labs has developed a new way to automatically detect and block sites used to distribute malware almost instantaneously, without having to scan them first. The approach, initially developed by researcher Jeremiah O'Connor, uses natural language processing and other analytics to detect malicious domains before they can attack by spotting host names that are designed as camouflage. Called NLPRank, it flags DNS requests for names that closely resemble those of legitimate sites but resolve to IP addresses outside the address blocks those sites are expected to use, and it weighs other related data that hints at the domain being suspect.


O'Connor's approach, which OpenDNS is currently testing against live DNS query traffic, gets around the reputation problem (a reputation-based blocklist can only flag a domain after it has already been observed doing harm) by analyzing the domain name itself for signs of deception. It works in much the same way as natural language processing applied to any other stream of text. Using patterns spotted in malicious DNS traffic, OpenDNS security researchers are training NLPRank to identify domain names that look similar to those of legitimate sites but carry attributes that mark them as suspicious.


Hay said that OpenDNS is currently fine-tuning the system to prevent false positives, but that so far NLPRank has held up well in testing. "We have used it to detect malicious phishing campaigns," he said. "And we've been able to use it to validate data in other security firms' reports, giving us additional reinforcement that it's working."
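The two signals the article describes, a name that imitates a legitimate domain and a DNS answer that points outside that domain's expected address blocks, can be sketched in a short script. What follows is an added example written for this page; it is not OpenDNS code and not NLPRank itself. The brand names, the expected address blocks (RFC 5737 documentation prefixes), the DNS answers and the `review`/`suspicious` verdicts are all constructed, and the homoglyph folding plus edit-distance matching stands in for whatever NLP features the real system uses.

```python
"""Toy lookalike-domain detector in the spirit of NLPRank (added example, not OpenDNS code).

Every brand, address block and DNS answer below is constructed for illustration.
"""
import ipaddress

# Constructed watch-list: brand domain -> address blocks its real hosts are expected to use.
# RFC 5737 documentation prefixes stand in for the prefixes a real brand announces.
EXPECTED_BLOCKS = {
    "examplebank.com": ["192.0.2.0/24"],
    "mailhost.example": ["198.51.100.0/24"],
}

# Digits commonly swapped in for letters in look-alike names; folded before comparing.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def normalize(label: str) -> str:
    """Lower-case, fold digit homoglyphs and two common multi-letter confusables (coarse on purpose)."""
    folded = label.lower().translate(HOMOGLYPHS)
    return folded.replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; domain labels are short enough that O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_token(brand_domain: str) -> str:
    """'examplebank.com' -> 'examplebank': the registrable label, TLD dropped."""
    return normalize(brand_domain.split(".")[-2])


def lookalike_label(qname: str, token: str, max_distance: int = 1):
    """Return the label of `qname` that imitates `token`, or None.

    Two signals: a hyphen-separated piece within `max_distance` edits of the
    token after folding (examp1ebank ~ examplebank), or the token embedded in a
    longer label (examplebank-secure).  Short brand tokens would need a higher
    bar than one edit; the constructed brands here are long enough.
    """
    labels = qname.lower().rstrip(".").split(".")[:-1]  # everything but the TLD
    for label in labels:
        folded_label = normalize(label)
        for piece in label.split("-"):
            if levenshtein(normalize(piece), token) <= max_distance:
                return label
        if token in folded_label and folded_label != token:
            return label
    return None


def classify(qname: str, answer_ip: str) -> dict:
    """Combine the name signal with the address signal for one observed DNS answer."""
    qname = qname.lower().rstrip(".")
    ip = ipaddress.ip_address(answer_ip)
    for brand_domain, blocks in EXPECTED_BLOCKS.items():
        if qname == brand_domain or qname.endswith("." + brand_domain):
            return {"verdict": "legit", "brand": brand_domain, "reason": "brand's own domain"}
        label = lookalike_label(qname, brand_token(brand_domain))
        if label is None:
            continue
        inside = any(ip in ipaddress.ip_network(b) for b in blocks)
        if inside:
            # Imitates the brand but lives in its address space: worth a look, not a block.
            return {"verdict": "review", "brand": brand_domain,
                    "reason": f"{label!r} resembles the brand but resolves into its expected blocks"}
        return {"verdict": "suspicious", "brand": brand_domain,
                "reason": f"{label!r} resembles the brand and resolves to {ip}, outside {blocks}"}
    return {"verdict": "unknown", "brand": None, "reason": "no resemblance to a watched brand"}


# Constructed sample of (queried name, answer address) pairs, as a resolver log might yield.
SAMPLE_ANSWERS = [
    ("www.examplebank.com", "192.0.2.10"),        # the brand itself
    ("login.examp1ebank.com", "203.0.113.7"),     # digit homoglyph, foreign address
    ("examplebank-secure.net", "203.0.113.8"),    # brand embedded in a longer label
    ("examplebank.com.evil.net", "203.0.113.9"),  # brand domain reused as a subdomain
    ("exarnplebank.com", "192.0.2.44"),           # rn->m confusable, but inside brand space
    ("mai1host.example", "203.0.113.21"),         # second watched brand
    ("weather.example.org", "203.0.113.50"),      # unrelated name
]


def scan(answers=SAMPLE_ANSWERS):
    """Classify every sample answer; returns [(qname, verdict), ...]."""
    return [(q, classify(q, ip)["verdict"]) for q, ip in answers]


if __name__ == "__main__":
    for q, ip in SAMPLE_ANSWERS:
        r = classify(q, ip)
        print(f"{r['verdict']:<10} {q:<28} {ip:<15} {r['reason']}")
```

The `exarnplebank.com` case shows why the address signal matters: the name alone looks like an attack, but an answer inside the brand's own blocks is more likely a defensive registration or a misread, so it is routed to review rather than blocked. Tuning `max_distance`, the homoglyph table and the watch-list is exactly the false-positive work the article says OpenDNS is still doing; a one-edit threshold on a short brand token would match far too much.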


