Detection of malicious and abusive domain names

The Domain Name System (DNS) is a critical component of the Internet, and as such it is widely relied upon by a large part of the world. Consequently, it can be abused for multiple purposes, with financial gain being perhaps the most obvious, and important. An important countermeasure to such criminal and malicious activity is to identify involved domains, in order to blacklist or otherwise disable them. In this paper we provide the results of studying existing work on detecting malicious domains and analyse the findings. We identify an approach which is promising but has received surprisingly little attention; Pre-registration detection. We identify the following gaps between the problem of domain abuse, and the described state-of-the-art: Existing work on Pre-registration is strictly focused on a single form of abuse, spam, hence it must be explored if Pre-registration detection can be applied to other forms of abuse as well. Existing work, on both Pre-and Post-registration detection, is focused on a few Top-Level domains (TLDs) and Registries, prompting for studies with other TLDs and Registries. There is relevant information, including Registrant-based features, that has not yet been used for Pre-registration detection - which also calls for investigation. Finally, a study of a real-world deployment of Pre-registration detection at a Registry has not yet been presented, despite the potential of the approach. We contribute with an analysis of existing work, by identifying the state-of-the-art, and by identifying important areas of future work.