Annual Computer Security Applications Conference (ACSAC) 2023

Domain and Website Attribution beyond WHOIS

Currently, WHOIS is the main method for identifying which company or individual owns a domain or website. However, the usefulness of WHOIS is limited by privacy protection services and data redaction. We present a novel automated approach for domain and website attribution. When WHOIS data does not reveal the owner, our approach leverages information from multiple other sources such as passive DNS, TLS certificates, and the analysis of website content. We propose a novel ranking technique to select the domain owner among multiple identified entities. Our approach identifies the domain owner with an F1 score of 0.94 compared to 0.54 for WHOIS. When applied to 3,001 tracker domains from the popular Disconnect list, it identifies needed updates to the list. It also attributes 84% of previously unattributed tracker domains.

Silvia Sebastián
IMDEA Software Institute

Raluca-Georgia Diugan
IMDEA Software Institute

Juan Caballero
IMDEA Software Institute

Iskander Sanchez-Rola
Norton Research Group

Leyla Bilge
Norton Research Group

Paper (ACM DL)

Slides