Domain and Website Attribution Beyond WHOIS


Date
Dec 6, 2023 1:45 PM
Location
Austin, Texas, USA

Currently, WHOIS is the main method for identifying which company or individual owns a domain or website. However, the usefulness of WHOIS is limited by privacy protection services and data redaction. We present a novel automated approach for domain and website attribution. When WHOIS data does not reveal the owner, our approach leverages information from multiple other sources such as passive DNS, TLS certificates, and the analysis of website content. We propose a novel ranking technique to select the domain owner among multiple identified entities. Our approach identifies the domain owner with an F1 score of 0.94, compared to 0.54 for WHOIS. When applied to 3,001 tracker domains from the popular Disconnect list, it identifies needed updates to the list. It also attributes 84% of previously unattributed tracker domains.

Silvia Sebastián
Cybersecurity Researcher

I am a Cybersecurity Researcher at the IMDEA Software Institute with seven years of experience in Attribution, Web Security, and Cyber Intelligence.