Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

DomainDynamics: Lifecycle-Aware Risk Timeline Construction for Domain Names

Daiki Chiba, Hiroki Nakano, Takashi Koide

TL;DR

DomainDynamics addresses the flaw of static, history-driven malicious-domain detection by introducing a lifecycle-aware framework that builds a Domain Timeline from WHOIS, SOA, and TLS data, extracts temporal features, and outputs a continuous risk timeline. It trains a binary classifier (with XGBoost yielding the best results) using time-point labels defined by whether an attack occurs within a horizon $N$ days, and explains predictions via SHAP. In evaluations across over 85,000 malicious domains, it achieves a pre-attack detection rate of $82.58\%$ with a false positive rate of $0.41\%$ at $N=7$ days, outperforming baselines. Real-world deployment demonstrates scalable, real-time risk assessment on passive DNS and new registrations, with verification through VirusTotal, DGAs, and phishing-site checks, underscoring practical impact for SOCs/CSIRTs. Overall, the lifecycle-aware risk timeline approach provides actionable, explainable predictions that improve proactive cybersecurity and reduce false positives and negatives.

Abstract

The persistent threat posed by malicious domain names in cyber-attacks underscores the urgent need for effective detection mechanisms. Traditional machine learning methods, while capable of identifying such domains, often suffer from high false positive and false negative rates due to their extensive reliance on historical data. Conventional approaches often overlook the dynamic nature of domain names, the purposes and ownership of which may evolve, potentially rendering risk assessments outdated or irrelevant. To address these shortcomings, we introduce DomainDynamics, a novel system designed to predict domain name risks by considering their lifecycle stages. DomainDynamics constructs a timeline for each domain, evaluating the characteristics of each domain at various points in time to make informed, temporal risk determinations. In an evaluation experiment involving over 85,000 actual malicious domains from malware and phishing incidents, DomainDynamics demonstrated a significant improvement in detection rates, achieving an 82.58\% detection rate with a low false positive rate of 0.41\%. This performance surpasses that of previous studies and commercial services, improving detection capability substantially.

DomainDynamics: Lifecycle-Aware Risk Timeline Construction for Domain Names

TL;DR

DomainDynamics addresses the flaw of static, history-driven malicious-domain detection by introducing a lifecycle-aware framework that builds a Domain Timeline from WHOIS, SOA, and TLS data, extracts temporal features, and outputs a continuous risk timeline. It trains a binary classifier (with XGBoost yielding the best results) using time-point labels defined by whether an attack occurs within a horizon days, and explains predictions via SHAP. In evaluations across over 85,000 malicious domains, it achieves a pre-attack detection rate of with a false positive rate of at days, outperforming baselines. Real-world deployment demonstrates scalable, real-time risk assessment on passive DNS and new registrations, with verification through VirusTotal, DGAs, and phishing-site checks, underscoring practical impact for SOCs/CSIRTs. Overall, the lifecycle-aware risk timeline approach provides actionable, explainable predictions that improve proactive cybersecurity and reduce false positives and negatives.

Abstract

The persistent threat posed by malicious domain names in cyber-attacks underscores the urgent need for effective detection mechanisms. Traditional machine learning methods, while capable of identifying such domains, often suffer from high false positive and false negative rates due to their extensive reliance on historical data. Conventional approaches often overlook the dynamic nature of domain names, the purposes and ownership of which may evolve, potentially rendering risk assessments outdated or irrelevant. To address these shortcomings, we introduce DomainDynamics, a novel system designed to predict domain name risks by considering their lifecycle stages. DomainDynamics constructs a timeline for each domain, evaluating the characteristics of each domain at various points in time to make informed, temporal risk determinations. In an evaluation experiment involving over 85,000 actual malicious domains from malware and phishing incidents, DomainDynamics demonstrated a significant improvement in detection rates, achieving an 82.58\% detection rate with a low false positive rate of 0.41\%. This performance surpasses that of previous studies and commercial services, improving detection capability substantially.
Paper Structure (25 sections, 2 figures, 5 tables)

This paper contains 25 sections, 2 figures, 5 tables.

Table of Contents

  1. Introduction
  2. Background and Related Work
  3. Detecting Malicious Domains
  4. Motivating Examples
  5. Proposed System: DomainDynamics
  6. Goal and Scope
  7. System Overview
  8. ❶ Building Domain Timeline
  9. ❷ Extracting Features
  10. ① WHOIS Records
  11. ② SOA Records
  12. ③ TLS Certificates
  13. ❸ Labeling
  14. ❹ Training ML Model
  15. ❺ Predicting Risks
  16. ...and 10 more sections

Figures (2)

  • Figure 1: DomainDynamics system overview.
  • Figure 2: Domain Timeline (top) and Risk Timeline (bottom).