{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,2]],"date-time":"2026-01-02T07:35:27Z","timestamp":1767339327040,"version":"3.41.0"},"reference-count":26,"publisher":"Association for Computing Machinery (ACM)","issue":"1","license":[{"start":{"date-parts":[[2021,1,22]],"date-time":"2021-01-22T00:00:00Z","timestamp":1611273600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/creativecommons.org\/licenses\/by-nc-sa\/4.0\/"}],"funder":[{"name":"Flemish Research Programme Cybersecurity"},{"name":"Research Fund KU Leuven"},{"name":"project commissioned by EURid"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Digital Threats"],"published-print":{"date-parts":[[2021,3,31]]},"abstract":"\n DNS is one of the most essential components of the Internet, mapping domain names to the IP addresses behind almost every online service. Domain names are therefore also a fundamental tool for attackers to quickly locate and relocate their malicious activities on the Internet. In this article, we design and evaluate P\n remadoma<\/jats:sc>\n , a solution for DNS registries to predict malicious intent well before a domain name becomes operational. In contrast to blacklists, which only offer protection after some harm has already been done, this system can prevent domain names from being used before they can pose any threats. We advance the state of the art by leveraging recent insights into the ecosystem of malicious domain registrations, focusing explicitly on facilitators employed for bulk registration and similarity patterns in registrant information. We thoroughly evaluate the proposed prediction model\u2019s performance and adaptability on an 11-month testing set and address complex and domain-specific dataset challenges. Moreover, we have successfully deployed P\n remadoma<\/jats:sc>\n in the operational environment of the .eu ccTLD registry, resulting in a decline of malicious registrations. Finally, we have identified and quantified three possible evasion patterns and have observed changes in the malicious registration ecosystem since P\n remadoma<\/jats:sc>\n has been operationalized.\n <\/jats:p>","DOI":"10.1145\/3419476","type":"journal-article","created":{"date-parts":[[2021,1,22]],"date-time":"2021-01-22T11:29:49Z","timestamp":1611314989000},"page":"1-24","update-policy":"https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":9,"title":["P\n remadoma<\/scp>"],"prefix":"10.1145","volume":"2","author":[{"given":"Lieven","family":"Desmet","sequence":"first","affiliation":[{"name":"imec - DistriNet, KU Leuven, Leuven, Belgium"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Jan","family":"Spooren","sequence":"additional","affiliation":[{"name":"imec - DistriNet, KU Leuven, Leuven, Belgium"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Thomas","family":"Vissers","sequence":"additional","affiliation":[{"name":"imec - DistriNet, KU Leuven, Leuven, Belgium"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Peter","family":"Janssen","sequence":"additional","affiliation":[{"name":"EURid VZW, Machelen, Belgium"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Wouter","family":"Joosen","sequence":"additional","affiliation":[{"name":"imec - DistriNet, KU Leuven, Leuven, Belgium"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2021,1,22]]},"reference":[{"key":"e_1_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.5555\/1929820.1929844"},{"key":"e_1_2_1_2_1","volume-title":"Proceedings of the 20th USENIX Conference on Security. USENIX Association","author":"Antonakakis Manos","year":"2011","unstructured":"Manos Antonakakis , Roberto Perdisci , Wenke Lee , Nikolaos Vasiloglou II, and David Dagon . 2011 . Detecting malware domains at the upper DNS hierarchy . In Proceedings of the 20th USENIX Conference on Security. USENIX Association , Berkeley, CA, 27--27. https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/http\/dl.acm.org\/citation.cfm?id= 2028067.2028094. Manos Antonakakis, Roberto Perdisci, Wenke Lee, Nikolaos Vasiloglou II, and David Dagon. 2011. Detecting malware domains at the upper DNS hierarchy. In Proceedings of the 20th USENIX Conference on Security. USENIX Association, Berkeley, CA, 27--27. https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/http\/dl.acm.org\/citation.cfm?id=2028067.2028094."},{"key":"e_1_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1145\/2584679"},{"volume-title":"Proceedings of the 13th International Joint Conference on Artificial Intelligence, Ruzena Bajcsy (Ed.). Morgan Kaufmann","author":"Usama","key":"e_1_2_1_4_1","unstructured":"Usama M. Fayyad and Keki B. Irani. 1993. Multi-interval discretization of continuous-valued attributes for classification learning . In Proceedings of the 13th International Joint Conference on Artificial Intelligence, Ruzena Bajcsy (Ed.). Morgan Kaufmann , San Francisco, CA, 1022--1029. https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/http\/ijcai.org\/Proceedings\/93-2\/Papers\/022.pdf. Usama M. Fayyad and Keki B. Irani. 1993. Multi-interval discretization of continuous-valued attributes for classification learning. In Proceedings of the 13th International Joint Conference on Artificial Intelligence, Ruzena Bajcsy (Ed.). Morgan Kaufmann, San Francisco, CA, 1022--1029. https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/http\/ijcai.org\/Proceedings\/93-2\/Papers\/022.pdf."},{"key":"e_1_2_1_5_1","volume-title":"Proceedings of the 3rd USENIX Conference on Large-scale Exploits and Emergent Threats: Botnets, Spyware, Worms, and More. USENIX Association","author":"Felegyhazi Mark","year":"2010","unstructured":"Mark Felegyhazi , Christian Kreibich , and Vern Paxson . 2010 . On the potential of proactive domain blacklisting . In Proceedings of the 3rd USENIX Conference on Large-scale Exploits and Emergent Threats: Botnets, Spyware, Worms, and More. USENIX Association , Berkeley, CA, 6--6. https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/http\/dl.acm.org\/citation.cfm?id= 1855686.1855692. Mark Felegyhazi, Christian Kreibich, and Vern Paxson. 2010. On the potential of proactive domain blacklisting. In Proceedings of the 3rd USENIX Conference on Large-scale Exploits and Emergent Threats: Botnets, Spyware, Worms, and More. USENIX Association, Berkeley, CA, 6--6. https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/http\/dl.acm.org\/citation.cfm?id=1855686.1855692."},{"volume-title":"Proceedings of the 15th International Conference on Machine Learning (ICML\u201998)","author":"Frank Eibe","key":"e_1_2_1_6_1","unstructured":"Eibe Frank and Ian H. Witten . 1998. Generating accurate rule sets without global optimization . In Proceedings of the 15th International Conference on Machine Learning (ICML\u201998) . Morgan Kaufmann Publishers Inc., San Francisco, CA, 144--151. Eibe Frank and Ian H. Witten. 1998. Generating accurate rule sets without global optimization. In Proceedings of the 15th International Conference on Machine Learning (ICML\u201998). Morgan Kaufmann Publishers Inc., San Francisco, CA, 144--151."},{"key":"e_1_2_1_7_1","unstructured":"Google. 2016. Google Safe Browsing. https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/developers.google.com\/safe-browsing\/. Google. 2016. Google Safe Browsing. https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/developers.google.com\/safe-browsing\/."},{"key":"e_1_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1145\/2068816.2068842"},{"key":"e_1_2_1_9_1","volume-title":"Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS\u201916)","author":"Hao Shuang","year":"2016","unstructured":"Shuang Hao , Alex Kantchelian , Brad Miller , Vern Paxson , and Nick Feamster . 2016 . PREDATOR: Proactive recognition and elimination of domain abuse at time-of-registration . In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS\u201916) . ACM, New York, NY, 1568--1579. DOI:https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/doi.org\/10.1145\/2976749.2978317 10.1145\/2976749.2978317 Shuang Hao, Alex Kantchelian, Brad Miller, Vern Paxson, and Nick Feamster. 2016. PREDATOR: Proactive recognition and elimination of domain abuse at time-of-registration. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS\u201916). ACM, New York, NY, 1568--1579. DOI:https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/doi.org\/10.1145\/2976749.2978317"},{"key":"e_1_2_1_10_1","volume-title":"Proceedings of the 2013 Conference on Internet Measurement Conference. ACM","author":"Hao Shuang","year":"2013","unstructured":"Shuang Hao , Matthew Thomas , Vern Paxson , Nick Feamster , Christian Kreibich , Chris Grier , and Scott Hollenbeck . 2013 . Understanding the domain registration behavior of spammers . In Proceedings of the 2013 Conference on Internet Measurement Conference. ACM , New York, NY, 63--76. https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/http\/doi.acm.org\/10.1145\/2504730.2504753. Shuang Hao, Matthew Thomas, Vern Paxson, Nick Feamster, Christian Kreibich, Chris Grier, and Scott Hollenbeck. 2013. Understanding the domain registration behavior of spammers. In Proceedings of the 2013 Conference on Internet Measurement Conference. ACM, New York, NY, 63--76. https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/http\/doi.acm.org\/10.1145\/2504730.2504753."},{"volume-title":"The Elements of Statistical Learning","author":"Hastie Trevor","key":"e_1_2_1_11_1","unstructured":"Trevor Hastie , Robert Tibshirani , and Jerome Friedman . 2001. The Elements of Statistical Learning . Springer New York Inc ., New York, NY. Trevor Hastie, Robert Tibshirani, and Jerome Friedman. 2001. The Elements of Statistical Learning. Springer New York Inc., New York, NY."},{"key":"e_1_2_1_12_1","unstructured":"ICANN. 2013. 2013 Registrar Accreditation Agreement. https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/www.icann.org\/resources\/pages\/approved-with-specs-2013-09-17-en#whois-accuracy. ICANN. 2013. 2013 Registrar Accreditation Agreement. https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/www.icann.org\/resources\/pages\/approved-with-specs-2013-09-17-en#whois-accuracy."},{"key":"e_1_2_1_13_1","volume-title":"2018 1st International Conference on Data Intelligence and Security (ICDIS\u201918)","author":"Kidmose E.","year":"2018","unstructured":"E. Kidmose , E. Lansing , S. Brandbyge , and J. M. Pedersen . 2018. Detection of malicious and abusive domain names . In 2018 1st International Conference on Data Intelligence and Security (ICDIS\u201918) . IEEE, South Padre Island, TX, 49--56. DOI:https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/doi.org\/10.1109\/ICDIS. 2018 .00015 10.1109\/ICDIS.2018.00015 E. Kidmose, E. Lansing, S. Brandbyge, and J. M. Pedersen. 2018. Detection of malicious and abusive domain names. In 2018 1st International Conference on Data Intelligence and Security (ICDIS\u201918). IEEE, South Padre Island, TX, 49--56. DOI:https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/doi.org\/10.1109\/ICDIS.2018.00015"},{"key":"e_1_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1109\/3468.618255"},{"key":"e_1_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.5555\/1972441.1972448"},{"key":"e_1_2_1_16_1","unstructured":"MaxMind Inc. 2016. GeoLite2 Free Downloadable Databases. https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/dev.maxmind.com\/geoip\/geoip2\/geolite2\/. MaxMind Inc. 2016. GeoLite2 Free Downloadable Databases. https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/dev.maxmind.com\/geoip\/geoip2\/geolite2\/."},{"key":"e_1_2_1_17_1","volume-title":"IEEE\/IFIP Network Operations and Management Symposium (NOMS\u201916)","author":"Moura Giovane C. M.","year":"2016","unstructured":"Giovane C. M. Moura , Moritz M\u00fcller , Maarten Wullink , and Cristian Hesselman . 2016 . nDEWS: A new domains early warning system for TLDs . In IEEE\/IFIP Network Operations and Management Symposium (NOMS\u201916) . IEEE, IEEE, Istanbul, Turkey, 1061--1066. Giovane C. M. Moura, Moritz M\u00fcller, Maarten Wullink, and Cristian Hesselman. 2016. nDEWS: A new domains early warning system for TLDs. In IEEE\/IFIP Network Operations and Management Symposium (NOMS\u201916). IEEE, IEEE, Istanbul, Turkey, 1061--1066."},{"key":"e_1_2_1_18_1","unstructured":"Rob Renaud. 2016. Gibberish Detector. https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/github.com\/rrenaud\/Gibberish-Detector. Rob Renaud. 2016. Gibberish Detector. https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/github.com\/rrenaud\/Gibberish-Detector."},{"key":"e_1_2_1_19_1","volume-title":"Proceedings of the 35th Annual Computer Security Applications Conference (ACSAC\u201919)","author":"Spooren Jan","year":"2019","unstructured":"Jan Spooren , Thomas Vissers , Peter Janssen , Wouter Joosen , and Lieven Desmet . 2019 . Premadoma: An operational solution for DNS registries to prevent malicious domain registrations . In Proceedings of the 35th Annual Computer Security Applications Conference (ACSAC\u201919) . Association for Computing Machinery, New York, NY, 557--567. DOI:https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/doi.org\/10.1145\/3359789.3359836 10.1145\/3359789.3359836 Jan Spooren, Thomas Vissers, Peter Janssen, Wouter Joosen, and Lieven Desmet. 2019. Premadoma: An operational solution for DNS registries to prevent malicious domain registrations. In Proceedings of the 35th Annual Computer Security Applications Conference (ACSAC\u201919). Association for Computing Machinery, New York, NY, 557--567. DOI:https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/doi.org\/10.1145\/3359789.3359836"},{"key":"e_1_2_1_20_1","unstructured":"SURBL. 2016. SURBL - URI Reputation Data. https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/http\/www.surbl.org. SURBL. 2016. SURBL - URI Reputation Data. https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/http\/www.surbl.org."},{"key":"e_1_2_1_21_1","unstructured":"The Spamhaus Project Ltd. 2016. The Domain Block List. https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/www.spamhaus.org\/dbl\/. The Spamhaus Project Ltd. 2016. The Domain Block List. https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/www.spamhaus.org\/dbl\/."},{"key":"e_1_2_1_22_1","volume-title":"2019 IEEE Security and Privacy Workshops (SPW\u201919)","author":"Vissers T.","year":"2019","unstructured":"T. Vissers , P. Janssen , W. Joosen , and L. Desmet . 2019. Assessing the effectiveness of domain blacklisting against malicious DNS registrations . In 2019 IEEE Security and Privacy Workshops (SPW\u201919) . IEEE, San Francisco, CA, 199--204. DOI:https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/doi.org\/10.1109\/SPW. 2019 .00045 10.1109\/SPW.2019.00045 T. Vissers, P. Janssen, W. Joosen, and L. Desmet. 2019. Assessing the effectiveness of domain blacklisting against malicious DNS registrations. In 2019 IEEE Security and Privacy Workshops (SPW\u201919). IEEE, San Francisco, CA, 199--204. DOI:https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/doi.org\/10.1109\/SPW.2019.00045"},{"key":"e_1_2_1_23_1","volume-title":"Frank Piessens, Wouter Joosen, and Lieven Desmet.","author":"Vissers Thomas","year":"2017","unstructured":"Thomas Vissers , Jan Spooren , Pieter Agten , Dirk Jumpertz , Peter Janssen , Marc Van Wesemael , Frank Piessens, Wouter Joosen, and Lieven Desmet. 2017 . Exploring the ecosystem of malicious domain registrations in the .eu TLD. In International Symposium on Research in Attacks, Intrusions, and Defenses, Marc Dacier, Michael Bailey, Michalis Polychronakis, and Manos Antonakakis (Eds.). Springer International Publishing , Cham, 472--493. Thomas Vissers, Jan Spooren, Pieter Agten, Dirk Jumpertz, Peter Janssen, Marc Van Wesemael, Frank Piessens, Wouter Joosen, and Lieven Desmet. 2017. Exploring the ecosystem of malicious domain registrations in the .eu TLD. In International Symposium on Research in Attacks, Intrusions, and Defenses, Marc Dacier, Michael Bailey, Michalis Polychronakis, and Manos Antonakakis (Eds.). Springer International Publishing, Cham, 472--493."},{"key":"e_1_2_1_24_1","volume-title":"Proceedings of the 1st Workshop on Radical and Experiential Security (RESEC\u201918)","author":"Weber Michael","year":"2018","unstructured":"Michael Weber , Jun Wang , and Yuchen Zhou . 2018 . Unsupervised clustering for identification of malicious domain campaigns . In Proceedings of the 1st Workshop on Radical and Experiential Security (RESEC\u201918) . Association for Computing Machinery, New York, NY, 33--39. DOI:https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/doi.org\/10.1145\/3 203422.3203423 10.1145\/3203422.3203423 Michael Weber, Jun Wang, and Yuchen Zhou. 2018. Unsupervised clustering for identification of malicious domain campaigns. In Proceedings of the 1st Workshop on Radical and Experiential Security (RESEC\u201918). Association for Computing Machinery, New York, NY, 33--39. DOI:https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/doi.org\/10.1145\/3203422.3203423"},{"key":"e_1_2_1_25_1","volume-title":"Proceedings of the 2014 Virus Bulletin International Conference. Virus Bulletin","author":"Xu Wei","year":"2014","unstructured":"Wei Xu , Kyle Sanders , and Yanxin Zhang . 2014 . We know it before you do: Predicting malicious domains . In Proceedings of the 2014 Virus Bulletin International Conference. Virus Bulletin , Seattle, WA, 73--77. Wei Xu, Kyle Sanders, and Yanxin Zhang. 2014. We know it before you do: Predicting malicious domains. In Proceedings of the 2014 Virus Bulletin International Conference. Virus Bulletin, Seattle, WA, 73--77."},{"key":"e_1_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1109\/TPAMI.2007.1078"}],"container-title":["Digital Threats: Research and Practice"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/dl.acm.org\/doi\/10.1145\/3419476","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/dl.acm.org\/doi\/pdf\/10.1145\/3419476","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T22:01:42Z","timestamp":1750197702000},"score":1,"resource":{"primary":{"URL":"https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/dl.acm.org\/doi\/10.1145\/3419476"}},"subtitle":["An Operational Solution to Prevent Malicious Domain Name Registrations in the .eu TLD"],"short-title":[],"issued":{"date-parts":[[2021,1,22]]},"references-count":26,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2021,3,31]]}},"alternative-id":["10.1145\/3419476"],"URL":"https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/doi.org\/10.1145\/3419476","relation":{},"ISSN":["2692-1626","2576-5337"],"issn-type":[{"type":"print","value":"2692-1626"},{"type":"electronic","value":"2576-5337"}],"subject":[],"published":{"date-parts":[[2021,1,22]]},"assertion":[{"value":"2020-05-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2020-08-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2021-01-22","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}