EXPOSURE is a service that identifies domain names that are involved in malicious activity
by performing large-scale passive DNS analysis. EXPOSURE reports the malicious domain
names on a daily basis.
EXPOSURE has been developed as part of the WOMBAT project.
The domain name service (DNS) plays an important role in the
operation of the Internet, providing a two-way mapping between
domain names and their numerical identifiers. Given its fundamental
role, it is not surprising that a wide variety of malicious activities
involve the domain name service in one way or another. For example,
bots resolve DNS names to locate their command and control servers,
and spam mails contain URLs that link to domains that resolve to
scam servers. Thus, it seems beneficial to monitor the use of
DNS for signs that indicate that a certain name is used as
part of a malicious operation.
Our key insight is that, because malicious services are often
as dependent on DNS as benign services are, being able to
identify malicious domains as soon as they appear would significantly
help mitigate many Internet threats that stem from botnets, phishing
sites, malware hosting services, and the like. Also, our premise is
that when looking at large volumes of data, DNS requests for benign
and malicious domains should exhibit enough differences in behavior
that they can automatically be distinguished.
Please refer to our paper here, which has been accepted to appear in the 18th Annual Network & Distributed System Security Symposium (NDSS'11). For more information, please visit http://www.isoc.org/isoc/conferences/ndss/11/.
EXPOSURE utilizes several data sources to identify malicious networks, including SIE@ISC, Anubis, and Wepawet.
Data obtained through EXPOSURE may be freely used for non-commercial purposes.
Contact us at