An Efficient Multi-Stage Approach for Identifying Domain Shadowing

2020 
Domain shadowing is the introduction of an illegitimate subdomain under a preexisting legitimate domain. Attackers benefit not only from the inconspicuous nature of these subdomains, but also from the trust associated with the legitimate domain. Classifiers have been used to identify shadowed domains within the DNS namespace; however, most approaches rely on features created from a variety of sources, such as DNS data, JavaScript inspection, and HTTP source. Unfortunately, the generation of these features is often highly time-consuming, and the features themselves are not always effective in distinguishing current shadowing approaches. This paper introduces a new domain shadowing detection approach that leverages machine learning techniques (classifiers) distributed across multiple stages. Domain names are processed by later stages only if earlier stage findings are inconclusive; therefore, only domain names that require additional scrutiny undergo supplementary processing. Furthermore, features that can be quickly synthesized are located in earlier stages to further reduce detection time. Experimental results using the multi-stage detection system with data from recent domain shadowing campaigns show 97.7% accuracy and a 0.04% false positive rate, with an average classification time of 0.83 seconds per name.
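As an added illustration of the staged, early-exit classification the abstract describes (not code from the paper), the sketch below runs a cheap name-only stage first and a slower DNS-comparison stage only for names the first stage cannot decide. The stages, thresholds and sample DNS records are constructed assumptions, not the paper's features or data.

```python
# Added illustration of staged early-exit detection; the stages, thresholds
# and sample DNS records below are constructed assumptions, not the paper's.
from collections import Counter
from math import log2

INCONCLUSIVE = "inconclusive"

# Constructed sample records standing in for live DNS lookups.
SAMPLE_DNS = {
    "example.com": "192.0.2.10",
    "www.example.com": "192.0.2.10",
    "support-login.example.com": "198.51.100.7",
    "x7k2pq9m3wzl.example.com": "198.51.100.8",
}

def label_entropy(label: str) -> float:
    """Shannon entropy (bits/char) of one DNS label: a cheap lexical feature."""
    n = len(label)
    return -sum(c / n * log2(c / n) for c in Counter(label).values()) if n else 0.0

def stage_lexical(fqdn: str) -> str:
    """Stage 1: name-only features that cost almost nothing to compute."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) < 3:                      # apex name, nothing to shadow
        return "benign"
    sub = labels[0]
    ent = label_entropy(sub)
    if ent >= 3.5 and len(sub) >= 12:        # assumed cutoff: random-looking label
        return "shadowed"
    if ent <= 2.0 and len(sub) <= 6:         # assumed cutoff: short, plain label
        return "benign"
    return INCONCLUSIVE

def stage_dns(fqdn: str, dns_view: dict) -> str:
    """Stage 2 (slower): does the subdomain resolve where its parent does?"""
    labels = fqdn.lower().rstrip(".").split(".")
    sub_ip, parent_ip = dns_view.get(fqdn.lower()), dns_view.get(".".join(labels[1:]))
    if sub_ip is None or parent_ip is None:
        return INCONCLUSIVE                  # no evidence either way
    return "benign" if sub_ip == parent_ip else "shadowed"

def classify(fqdn: str, dns_view: dict = SAMPLE_DNS) -> tuple:
    """Run stages in cost order, stopping at the first conclusive verdict;
    returns (verdict, number_of_stages_run)."""
    stages = [stage_lexical, lambda d: stage_dns(d, dns_view)]
    for n, stage in enumerate(stages, start=1):
        verdict = stage(fqdn)
        if verdict != INCONCLUSIVE:
            return verdict, n
    return INCONCLUSIVE, len(stages)         # hand off for deeper analysis or review
```

Names decided in stage 1 never pay for the DNS lookup, which is the cost saving the abstract's design relies on.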