Detecting malicious Web sites before they do harm

Published 31 October 2016

Malicious Web sites promoting scams, distributing malware, and collecting phished credentials pervade the Web. As quickly as we block or blacklist them, criminals set up new domain names to support their activities. Now a research team including Princeton University computer science professor Nick Feamster and recently graduated Ph.D. student Shuang Hao has developed a technique to make it more difficult to register new domains for nefarious purposes.

Princeton University says that in a paper presented 27 October at the 23rd ACM Conference on Computer and Communications Security, the researchers describe a system called PREDATOR that distinguishes between legitimate and malicious purchasers of new Web sites. In doing so, the system yields important insights into how those two groups behave differently online even before the malicious users have done anything obviously bad or harmful. These early signs of likely evil-doers help security professionals take preemptive measures, instead of waiting for a security threat to surface. 

“The intuition has always been that the way that malicious actors use online resources somehow differs fundamentally from the way legitimate actors use them,” Feamster explained. “We were looking for those signals: what is it about a domain name that makes it automatically identifiable as a bad domain name?”

Feamster, the acting director of Princeton’s Center for Information Technology Policy, will be participating in the upcoming fourth Princeton-Fung Global Forum, which is focused on cybersecurity. The event will be held 20-21 March 2017 in Berlin. 

Once a Web site begins to be used for malicious purposes — when it is linked to in spam e-mail campaigns, for instance, or when it installs malicious code on visitors’ machines — then defenders can flag it as bad and start blocking it. But by then, the site has already been used for the very kinds of behavior that we want to prevent. PREDATOR, which stands for Proactive Recognition and Elimination of Domain Abuse at Time-Of-Registration, gets ahead of the curve.