Akamai Diversity

The Akamai Blog

Take a Bite out of Cybercrime by Analyzing New Core Domains

We just conducted our monthly Cyber Insider discussion, this time focusing on what deep analysis of new core domains reveals about new threats and zero-day malware. As a company that processes 1.7 trillion DNS queries a day and analyzes 100 billion queries a day from our global service provider customers, we are in a unique position to gain insights.

New core domains are often used for phishing, ransomware and Command and Control (C&C) of botnets amongst other things. By applying proprietary methods, we can block domains before they cause widespread damage. Unlike other security solutions that typically block these domains only after cybercriminals have stopped using them and moved on to something new - which they tend to do within one to two days, or less.
Letting machines learn

It's obviously not feasible for human researchers to analyze massive amounts of domains in real time. Our human data science capabilities are combined with patented threat detection methods such as machine learning, anomaly detection, clustering algorithms and more to enable us to pinpoint suspicious query activity, conduct analysis and identify and block malicious domains within minutes.

The truth is, millions of "new" core domains - domains that have never before been seen - are discovered every day. Not all of these are malicious but a large percentage are generated by domain generation algorithms (DGAs). Thus, we must look for distinct patters and queries against these domains.

Our security and data science team have developed unique algorithms to detect a variety of anomalies. One set of algorithms queries patterns to determine if they match a specific profile of known malicious activity, while another type of algorithm applies advanced machine learning techniques to these "anomalous" names to pinpoint the malicious activity. These algorithms use attributes for each domain name to calculate a vector and measure how closely it compares with every other name. This process exposes subtle patterns that link different names to a single malware family.

Caption: L: Volume of queries hour-by-hour for a subset of new core domains. R: New core domain query counts one day after creation, for one specific attack within each family of malware.