Georgia Institute of Technology & WhoisXML API: Early Threat Detection

About
Malicious infrastructures often include registered domain names and subdomains that have been used previously, which could make historical domain registration records crucial signals that a domain is likely to be used maliciously. With this in mind, Vinny Adjibi, a PhD student at the Georgia Institute of Technology, sought to develop a novel domain reputation metric that can predict threats based on a domain's WHOIS history.
Highlights
- Domain registration history can provide valuable threat signals that predict the likelihood that a domain will be used in malicious campaigns.
- Getting access to well-parsed historical WHOIS data was challenging, but crucial for the researcher to analyze such signals.
- WHOIS History API allowed the researcher to access the much-needed data and streamline the entire threat analysis process.
How to Access Normalized Domain History Data
A critical challenge in threat prediction is identifying domains likely to be used for malicious purposes, and one way to approach it is to examine historical WHOIS records with a view to uncovering potential threat signals.
However, the researcher found that WHOIS history data is often unparsed, making it difficult to access and to leverage for in-depth analysis.
Well-Parsed WHOIS History with Useful API Parameters
The researcher used WHOIS History API to access well-curated historical WHOIS records to obtain relevant registration and expiration dates within a given timeframe. The API’s easy implementation and helpful parameters significantly simplified record querying.
For example, the skipliveWHOIS parameter of WHOIS History API streamlined the pipeline since the API did not have to retrieve the current WHOIS data of the domains.
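As an added illustration (not code from the research project or from WhoisXML API), the Python below sketches the kind of feature extraction the case study describes: collapsing parsed WHOIS history snapshots into distinct registration events and deriving reuse signals as of a chosen observation date, so a domain that has lapsed and been re-registered stands out from one under continuous ownership. The record field names, the value passed for skipliveWHOIS, and the apiKey/domainName parameter names are assumptions; the sample records are constructed.

```python
from datetime import date, datetime

# Constructed sample: four parsed WHOIS history snapshots for one domain.
# Field names (createdDate, expiresDate, registrarName) mirror common parsed
# WHOIS fields but are an assumption, not the API's exact schema.
SAMPLE_HISTORY = [
    {"createdDate": "2012-03-01", "expiresDate": "2013-03-01", "registrarName": "Registrar A"},
    {"createdDate": "2012-03-01", "expiresDate": "2014-03-01", "registrarName": "Registrar A"},  # renewal: same createdDate
    {"createdDate": "2016-07-15", "expiresDate": "2017-07-15", "registrarName": "Registrar B"},  # lapsed, then re-registered
    {"createdDate": "2021-01-10", "expiresDate": "2022-01-10", "registrarName": "Registrar C"},  # current registration
]


def _to_date(value):
    """Accept either an ISO 'YYYY-MM-DD' string or a date object."""
    return value if isinstance(value, date) else datetime.strptime(value, "%Y-%m-%d").date()


def registration_events(records):
    """Collapse snapshots into distinct registration events.

    In WHOIS a renewal keeps the original createdDate and only pushes
    expiresDate forward, so snapshots sharing a createdDate belong to one
    registration; a new createdDate means the domain lapsed and was
    registered again (the reuse the case study treats as a signal).
    """
    events = {}
    for rec in records:
        created = _to_date(rec["createdDate"])
        expires = _to_date(rec["expiresDate"])
        ev = events.setdefault(created, {"created": created, "expires": expires, "registrars": set()})
        ev["expires"] = max(ev["expires"], expires)
        if rec.get("registrarName"):
            ev["registrars"].add(rec["registrarName"])
    return [events[k] for k in sorted(events)]


def history_signals(records, as_of):
    """Reputation features derived from registration history as seen on `as_of`.

    Only registrations created on or before `as_of` count, so the features can
    be computed for the moment a domain was first observed, without hindsight.
    """
    as_of = _to_date(as_of)
    events = [e for e in registration_events(records) if e["created"] <= as_of]
    if not events:
        return {"registration_count": 0, "prior_registrations": 0, "drop_gap_days": None,
                "current_age_days": None, "distinct_registrars": 0}
    current = events[-1]
    previous = events[-2] if len(events) > 1 else None
    return {
        "registration_count": len(events),
        "prior_registrations": len(events) - 1,  # > 0 means the name was registered before
        # Days between the previous registration's expiry and the current createdDate;
        # negative values indicate inconsistent source records and are left as-is.
        "drop_gap_days": (current["created"] - previous["expires"]).days if previous else None,
        "current_age_days": (as_of - current["created"]).days,
        "distinct_registrars": len(set().union(*(e["registrars"] for e in events))),
    }


def history_request_params(domain, api_key):
    """Query parameters for a history lookup. `skipliveWHOIS` is the parameter
    the case study names (value "1" assumed); apiKey and domainName are assumed
    names for the credential and target fields. Skipping the live lookup keeps
    a bulk pipeline from paying for a fresh WHOIS query per domain."""
    return {"apiKey": api_key, "domainName": domain, "skipliveWHOIS": "1"}


if __name__ == "__main__":
    print(history_signals(SAMPLE_HISTORY, "2021-06-01"))
    print(history_request_params("example.com", "API_KEY_PLACEHOLDER"))
```

With the constructed records, the domain evaluated on 2021-06-01 shows three registration events, two of them prior to the current one, and a gap of 1275 days between the second registration's expiry and the current createdDate; a model can weigh such reuse features against a ground-truth label set to test the predictive value the case study reports.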
“Whois XML API products represent an invaluable resource for security researchers, seamlessly integrating within complex pipelines with ease.”
Early Domain Threat Detection
Access to Well-Parsed and Extensive Historical Domain Data
Through WHOIS History API, the researcher was able to access extensive historical WHOIS records dating back to at least early 2011. This broad historical view spanning nearly 15 years is crucial in identifying long-term patterns of malicious usage.
Efficient WHOIS History Data Queries
The well-parsed data, along with flexible API parameters and detailed documentation, considerably reduced the time required for the researcher’s work. The API helped him save a remarkable 94% in the number of domains that needed to be queried and several days that would have been spent on manual WHOIS parsing.