Architecture – platform of an intelligent system for monitoring Internet domains by developing a dynamic reputation establishment system (TLDRep)

Project Coordinator: Dr. Eng. Ionuț Eugen SANDU – Scientific Researcher III


General objective of the project

The general objective of the project is to research, design, develop and implement an intelligent domain monitoring platform that performs a dynamic analysis of domain names in order to detect, using Artificial Intelligence, operations that can hijack the functionality of domains, thereby increasing cyber security and, implicitly, contributing to a safer Internet.

Project description

The project's goal is to develop the architecture of an active domain monitoring platform that tracks the entire course of a domain, from its registration, through its marking as a possibly compromised domain, to its subsequent rehabilitation.

The introduction of the concept of domain reputation allows compromised domain names to be identified easily, so that it becomes increasingly difficult for attackers to operate compromised computer networks or to run phishing campaigns, and so that users can be alerted to the true identity of the domain they access and to which they entrust their personal data.

Over the years, different techniques have been studied to detect and identify potentially malicious domain names (Notos, Exposure, Kopis), producing algorithms and tools that can identify such a domain with 97% accuracy, the remaining 3% representing "false positive" results or, in the authors' terms, collateral victims.

The registry stores a considerable set of historical data of .ro domains, which can be modeled within a monitoring system so that unusual operations that may occur when the parameters of a certain domain are changed can be detected.

These operations include, but are not limited to, changing nameservers or adding A (alias) or CNAME (canonical name) entries, which can hijack the proper functioning of a domain by turning it into a shield for botnets or a proxy for sites that collect data (phishing).

The results of the domain analysis are stored in lists called "blacklists" or "blocklists". Interested parties can query these lists to verify whether a domain is present, and based on this information alerts can be triggered or traffic to that site can be blocked.
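As an added illustration of the monitoring idea above (not the project's own code or model), the following Python replays a constructed .ro registry change history, scores each domain with three assumed heuristics (a value never seen before for that domain, a second change within 48 hours, and a nameserver that several unrelated domains switch to within a week), and places domains over a threshold on a queryable blocklist; all domain names, nameservers, addresses and weights are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample .ro registry history: (domain, timestamp, field, old, new)
HISTORY = [
    ("shop-a.ro", "2024-03-01T10:00", "NS", "ns1.host-a.example", "ns1.host-b.example"),
    ("news-b.ro", "2024-03-02T09:00", "NS", "ns1.host-c.example", "ns1.bulk-dns.example"),
    ("blog-c.ro", "2024-03-02T11:30", "NS", "ns1.host-d.example", "ns1.bulk-dns.example"),
    ("blog-c.ro", "2024-03-03T08:15", "A", "192.0.2.10", "198.51.100.7"),
    ("mail-d.ro", "2024-03-04T16:45", "NS", "ns1.host-e.example", "ns1.bulk-dns.example"),
    ("mail-d.ro", "2024-03-05T07:20", "CNAME", None, "login.cdn-relay.example"),
]

def score_domains(history, churn=timedelta(hours=48), shared=timedelta(days=7), shared_min=3):
    """Replay changes in time order; return {domain: (risk score, [reasons])}."""
    events = sorted(((d, datetime.fromisoformat(t), f, o, n) for d, t, f, o, n in history),
                    key=lambda e: e[1])
    seen, last = defaultdict(set), {}      # values seen per domain, time of its last change
    adopters = defaultdict(list)           # nameserver -> [(time, domain)] that switched to it
    score, why = defaultdict(int), defaultdict(list)

    def hit(domain, points, reason):       # each reason counts once per domain (assumed weights)
        if reason not in why[domain]:
            score[domain] += points
            why[domain].append(reason)

    for domain, ts, field, old, new in events:
        if old:
            seen[domain].add(old)          # the pre-change value belongs to the baseline
        if new not in seen[domain]:
            hit(domain, 1, f"novel {field} value {new}")
        if domain in last and ts - last[domain] <= churn:
            hit(domain, 2, f"repeated change within {churn}")
        if field == "NS":                  # several unrelated domains moving to one nameserver
            adopters[new].append((ts, domain))
            recent = {d for t, d in adopters[new] if ts - t <= shared}
            if len(recent) >= shared_min:
                for d in recent:
                    hit(d, 2, f"shared nameserver {new}")
        seen[domain].add(new)
        last[domain] = ts
    return {d: (score[d], why[d]) for d in score}

def build_blocklist(scores, threshold=4):
    """Domains at or above the threshold, keyed with the evidence behind the listing."""
    return {d: why for d, (s, why) in scores.items() if s >= threshold}

def is_listed(blocklist, domain):
    """Lookup a resolver or filter would run before alerting or blocking traffic."""
    return domain.lower().rstrip(".") in blocklist
```

With the sample data, a single nameserver move (shop-a.ro) stays well below the threshold, while the domains that combine a shared nameserver with rapid follow-up record changes are listed together with the reasons, which is what an owner alert or remediation step would need.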

The project aims to explore the most important existing technologies and tools in order to develop a platform that allows the detection of potentially malicious domains registered with the .ro Registry. For this, the main parameters relevant to determining the status of a domain will be identified and, based on them, an AI model will be developed to detect potentially malicious domains.

Innovative theoretical and applied results will be developed in the form of studies, technical reports and ML models, with an emphasis on the development of the platform that will allow the reputation of .ro domains to be established.

Estimated results

After the implementation of the proposed solution, the following results are expected:

  • Dynamic system to allow establishing the reputation of a .ro domain, using machine learning techniques;
  • Conceptual model of the intelligent platform, which will allow increasing the degree of trust in .ro domains and the number of registrations;
  • Proactive solution for the prevention of cyber incidents, which leads to a decrease in the number of cyber attacks targeting .ro domains;
  • Sanitized .ro domain ecosystem, resulting in increased trust in the .ro Registry domains;
  • Tool/system for identifying compromised domains or with a high potential to be compromised by using AI technologies to establish the malicious pattern of a domain;
  • Methodology for managing domains identified as compromised (steps: identification, scanning, alerting the owner, remediation, obtaining the domain status "ok/trusted/sanitized");
  • Experimental model and prototype of intelligent Internet domain monitoring platform by developing a dynamic reputation establishment system;
  • Good practices and training materials for the use of the platform by users;
  • Articles, participation in conferences, etc.