Detecting Malicious Domains Using Statistical Internationalized Domain Name Features in Top Level Domains
Alshaima Almarzooqi, Jawahir Mahmoud, Bayena Alzaabi, Arsiema Ghebremichael, Monther Aldwairi

TL;DR
This paper presents a method for detecting malicious domains by analyzing statistical features of Internationalized Domain Names, achieving high accuracy with a Random Forest classifier.
Contribution
It introduces two new feature categories for Internationalized Domain Names and evaluates their effectiveness in malicious domain detection.
Findings
Random Forest classifier achieved 95.6% accuracy.
Internationalized Domain Name features improve detection performance.
The approach helps identify malicious websites more effectively.
Abstract
The Domain Name System (DNS) is a core Internet service that translates domain names into IP addresses. It is a distributed database and protocol with many known weaknesses that are subject to countless attacks including spoofing attacks, botnets, and domain name registrations. Still, the continuing debate between security and privacy, that is, DNS over TLS or HTTP, and the lack of adoption of DNS security extensions put users at risk. Consequently, the security of domain names and characterizing malicious websites is becoming a priority. This paper analyzes the difference between the malicious and the normal domain names and uses Python to extract various malicious DNS identifying characteristics. In addition, the paper contributes two categories of features that support Internationalized Domain Names and scans the domain system using five tools to give it a rating. The overall accuracy of…
Taxonomy
Topics: Network Security and Intrusion Detection · Internet Traffic Analysis and Secure E-voting · Spam and Phishing Detection
