Tool May Stop Hackers Before They Attack

     (CN) – Harmful websites designed to steal users’ personal information and execute other internet-based attacks may be in trouble, as a new technology promises to help computer security professionals and companies deter such malicious activities.
     The new tool – called PREDATOR – distinguishes between legitimate and mischievous website purchasers, enabling the system to alert registrars before a hacker can launch an attack.
     “The intuition has always been that the way that malicious actors use online resources somehow differs fundamentally from the way legitimate actors use them,” study co-author Nick Feamster said. “We were looking for those signals: what is it about a domain name that makes it automatically identifiable as a bad domain name?”
     PREDATOR, an acronym for Proactive Recognition and Elimination of Domain Abuse at Time-Of-Registration, is able to use knowledge of how hackers purchase websites for phishing schemes and other attacks to forecast whether an individual wants a domain for good or malicious purposes.
     While stopping malicious websites currently requires computer security professionals or systems to react to reports of attacks or to scans that unearth harmful code, PREDATOR turns hackers’ own common practices against them.
     Since systems can flag or block internet attacks, hackers often purchase many domains at once to take advantage of bulk discounts and launch new campaigns as others get stopped. They also register multiple sites using slight variations on names, changing words like “school” and “schools” or changing word orders in phrases. These patterns raise red flags that alert PREDATOR to potentially malicious activity.
     The team used such patterns to analyze more than 80,000 new domains registered every day to preemptively identify which ones were most likely to be used for cyberattacks. Testing their results against known blacklisted websites, the researchers found that PREDATOR detected 70 percent of harmful websites based entirely on information known when the domains were first registered.
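
The two registration-time patterns described above (many domains bought at once, and names that differ only by a plural or by word order) can be checked with a simple heuristic. The sketch below is an added illustration, not PREDATOR's code, feature set or classifier; the account IDs, domain names, timestamps, thresholds and function names are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample registration log: (account, domain, registration time).
SAMPLE = [
    ("acct-17", "free-school-loans.example", "2016-10-01T09:00:00"),
    ("acct-17", "free-schools-loan.example", "2016-10-01T09:00:05"),
    ("acct-17", "loans-free-school.example", "2016-10-01T09:00:09"),
    ("acct-17", "school-loan-free.example", "2016-10-01T09:00:12"),
    ("acct-42", "corner-bakery.example", "2016-10-01T09:03:00"),
    ("acct-58", "river-hiking-club.example", "2016-10-01T11:30:00"),
]

def variant_key(domain):
    """Collapse plural and word-order variants of a label to one key."""
    label = domain.split(".")[0].lower()
    words = [w[:-1] if len(w) > 3 and w.endswith("s") else w
             for w in label.split("-") if w]
    return tuple(sorted(words))

def flag_registrations(records, burst_min=3, window=timedelta(minutes=5)):
    """Return {domain: set of signals} for domains showing either pattern."""
    signals = defaultdict(set)
    # Signal 1: several names differing only by plural form or word order.
    by_key = defaultdict(list)
    for _, domain, _ in records:
        by_key[variant_key(domain)].append(domain)
    for group in by_key.values():
        if len(group) > 1:
            for d in group:
                signals[d].add("name-variant")
    # Signal 2: one account registering many domains within a short window.
    by_account = defaultdict(list)
    for account, domain, ts in records:
        by_account[account].append((datetime.fromisoformat(ts), domain))
    for regs in by_account.values():
        regs.sort()
        for i, (start, _) in enumerate(regs):
            burst = [d for t, d in regs[i:] if t - start <= window]
            if len(burst) >= burst_min:
                for d in burst:
                    signals[d].add("bulk-burst")
    return dict(signals)

if __name__ == "__main__":
    for domain, found in sorted(flag_registrations(SAMPLE).items()):
        print(domain, sorted(found))
```

A registrar-side check like this would only queue the flagged names for closer review; hyphen-separated labels are assumed here so that words can be split without a dictionary.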
     The false positive rate of the tool — when PREDATOR mistakenly identifies a legitimate website as malicious — was only 0.35 percent.
     Identifying malicious websites during registration can help blacklist services block them sooner, greatly minimizing the damage they can produce or preventing them from posing any harm at all.
     “PREDATOR can achieve early detection, often days or weeks before existing blacklists, which generally cannot detect domain abuse until an attack is already underway,” the authors write in their paper. “The key advantage is to respond promptly for defense and limit the window during which miscreants might profitably use a domain.”
     The tool can also prevent attackers from registering additional websites at a given time. Such preemptive restraint is rare in the field of computer security, which often has to catch up to hackers.
     For PREDATOR to help everyday internet users, the technology must be used by existing domain blacklist services such as Spamhaus or by registrars like GoDaddy.com, which sell new domain names.
     “Part of what we envision is if a registrar is trying to make a decision about whether to register a domain name, then if PREDATOR suggests that domain name might be used for malicious ends, the registrar can at least wait and do more due diligence before it moves forward.
     “Prior to work like this I don’t think a registrar would have a very easy go-to method for even figuring out if the domains they registered would turn out to be malicious,” Feamster said.
