I am working on a research project where we segregate domains used for malicious purpose from benign domains.

However, my guide does not want the terms "malicious domain" and "benign domain" in the paper. This is because, according to him, a domain in itself does not have an intent (which is quite correct); however, it is a tool in the adversary's hand, and its intentions are directly connected to the adversary's ideals.

I am a bit torn here - I have seen every research paper talking about malicious and benign domains without going into so much detail. How do I establish the definitions of benign and malicious when it comes to domains?

So how can I formally define a benign and malicious domain?

Jishan

1 Answer

Was the intent behind the registration of the domain name to harm others? Then it's a "malicious domain" by definition.

But can the intent be so clear from the start?

"Benign domain" sets up perhaps a poor dichotomy. A domain with good intent may be compromised to act with bad intent. Is it still a "benign" domain?

You appear to me to set up the correct model at the start of your question: "domains used for malicious purposes". It makes it about what it did, which is easier to define and delineate. You can shorten this to "malicious domain". It also allows you to define those domains that have been compromised to perform malicious acts: "compromised domains". "Benign domains", then, can be defined as those domains that are not known to have acted maliciously. That last one gives you some room to be unsure about their intent or use.

It does depend a lot on how you are defining "malicious" and "benign" for the purposes of your paper.

schroeder
  • Exactly. Is it generally okay (in academia) to leave `room to be unsure`? As you mentioned, let me present a real-world scenario that I am finding hard to classify either as malicious or as benign: the Pony bot generally uses C&C pages that are actual benign websites (it steals FTP passwords and sets up the next C&C). How do I classify that subset of domains? Based on the intent or the final usage scenario? – Jishan Aug 18 '18 at 20:37
  • Talk to your advisor, but any maths or logic model has to be able to leave room for an "other" category. We have proven academics and ... others (they may be academics, they may not; we only have proof of the positive of the set, that is). – schroeder Aug 18 '18 at 20:47
  • For your example, it all depends on your *taxonomy*. And that's for you to decide based on your goals and approach. – schroeder Aug 18 '18 at 20:48
  • Okay. I think I will just add a section defining what mal/benign mean in the context of my paper. – Jishan Aug 18 '18 at 20:56
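The taxonomy sketched in the answer and its comments (label by observed use rather than by intent, keep a separate "compromised" class for legitimate domains later abused, and leave an explicit "other/unknown" bucket) can be written down as a labeling rule so that the paper's definitions are checkable against data. The following is an added example, not code from the question, the answer, or any cited project; the evidence fields, the minimum observation window, and the sample domains are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Minimum days a domain must have been observed without malicious activity
# before we are willing to call it "benign" (assumed threshold, not from the page).
MIN_OBSERVATION_DAYS = 30


class DomainLabel(Enum):
    MALICIOUS = "malicious"      # observed being used for a malicious purpose
    COMPROMISED = "compromised"  # legitimate domain observed acting maliciously after takeover
    BENIGN = "benign"            # not known to have acted maliciously over a sufficient window
    UNKNOWN = "unknown"          # the "other" bucket: evidence insufficient for any label above


@dataclass(frozen=True)
class DomainEvidence:
    """What we actually observed about a domain (hypothetical schema)."""
    domain: str
    observed_malicious_use: bool             # e.g. served C&C traffic or a phishing page
    legitimate_history: Optional[bool]       # True = known legitimate use before; None = unknown
    observation_days: int                    # how long the domain was monitored


def label_domain(ev: DomainEvidence) -> DomainLabel:
    """Apply the use-based taxonomy: what the domain did, not what it 'intended'."""
    if ev.observed_malicious_use:
        # A legitimate site that later acted maliciously is "compromised";
        # without a known legitimate history we only know it acted maliciously.
        return DomainLabel.COMPROMISED if ev.legitimate_history else DomainLabel.MALICIOUS
    if ev.observation_days >= MIN_OBSERVATION_DAYS:
        # "Benign" is defined negatively: not known to have acted maliciously.
        return DomainLabel.BENIGN
    # Too little observation to say anything: leave room to be unsure.
    return DomainLabel.UNKNOWN


def label_dataset(records: list) -> dict:
    """Label every record and return counts per class (the paper's dataset summary)."""
    counts = {lbl: 0 for lbl in DomainLabel}
    for ev in records:
        counts[label_domain(ev)] += 1
    return {lbl.value: n for lbl, n in counts.items()}


# Constructed sample records; the domain names are placeholders under reserved TLDs.
SAMPLE = [
    # Registered and used only for malicious purposes.
    DomainEvidence("dropper-update.example", True, False, 90),
    # A real business site whose FTP credentials were stolen and reused as a C&C
    # page (the Pony bot scenario from the comments): compromised, not benign.
    DomainEvidence("small-shop.example", True, True, 400),
    # Observed long enough with no malicious activity.
    DomainEvidence("library.example", False, True, 365),
    # Registered last week, nothing observed yet: not enough evidence either way.
    DomainEvidence("fresh-site.example", False, None, 5),
]

if __name__ == "__main__":
    for ev in SAMPLE:
        print(f"{ev.domain:22} -> {label_domain(ev).value}")
    print(label_dataset(SAMPLE))
```

The key design choice is that `legitimate_history` is a tri-state rather than a boolean: a missing value must not silently push a domain into "malicious", and a short observation window must not push it into "benign". Both cases fall through to the explicit `UNKNOWN` class the answer argues any such model needs.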