If you like DNray Forum, you can support it by - BTC: bc1qppjcl3c2cyjazy6lepmrv3fh6ke9mxs7zpfky0 , TRC20 and more...


Bulk Registrations and High-Entropy Domains

Started by Domaining News, Jul 08, 2023, 02:12 AM


Domaining News (Topic starter)

The following is a summary of a series of proof-of-concept studies that examine the use of domain-name entropy to cluster related domain registrations and determine the potential threat level posed by a domain.



In previous studies, Shannon entropy was used to measure the amount of information stored in a domain name. Short domain names or those with repeated characters have low entropy values, while longer domain names or those with distinct characters have higher entropy.

The motivation behind this analysis is that domains registered for malicious purposes are often registered in bulk using automated algorithms. These domains tend to have long, nonsensical names with high entropy values, making them difficult to detect using traditional brand-monitoring techniques. The idea is that domains registered by the same infringer for a specific campaign will likely have similar entropy values due to the use of the same algorithm.

In an initial proof-of-concept study, a set of around 205,000 domains registered on a specific day was considered. This allowed for the identification of potentially automated bulk registrations that occurred simultaneously. The dataset showed a range of domain entropy values, with the majority (92.3%) having values below 3.500. The top 1,000 domains with the highest entropy values (0.49%) had values above 3.823 and exhibited characteristics suggestive of nefarious purposes, such as the use of consumer-grade registrars, privacy-protection services, and active MX records indicating potential phishing activity.

The analysis also revealed the presence of a "cluster" of suspicious registrations within the dataset. This cluster consisted of 125 .buzz domains with identical high entropy values (3.907), registered through a common registrar and associated with similar IP addresses. Many of these domains were linked to Chinese-language gambling-related websites that might be part of an affiliate revenue scheme or used as a cover for higher-threat content intended for specific geographic regions.

Overall, these proof-of-concept studies demonstrate the potential of using domain-name entropy as a tool for identifying and clustering related domain registrations, providing insights into the level of threat posed by a domain.
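The post describes the two steps of the proof-of-concept: computing Shannon entropy per domain name and then looking for groups of same-day registrations that share an identical entropy value, TLD and registrar. The script below is an added illustration written for this thread, not code from the studies being summarised. It assumes entropy is measured over the registrable label only (the TLD is stripped), uses the 3.823 bits-per-character threshold quoted in the post, and runs on a small constructed list of registrations; the clustering key (TLD, registrar, rounded entropy) is my own choice of signature for "one generator run", not a detail taken from the studies.

```python
import math
from collections import Counter, defaultdict

# Threshold quoted in the post: the top 1,000 of ~205,000 daily registrations
# had entropy above 3.823 bits per character.
HIGH_ENTROPY_THRESHOLD = 3.823


def shannon_entropy(text: str) -> float:
    """Shannon entropy of a string in bits per character: -sum p(c) * log2 p(c)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((k / n) * math.log2(k / n) for k in Counter(text).values())


def split_domain(domain: str):
    """Return (registrable label, tld) for a plain second-level domain.

    Assumption: entropy is measured over the label only, not the TLD.
    """
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def score_domains(registrations):
    """Annotate each registration record with its label entropy (rounded to 3 dp)."""
    scored = []
    for reg in registrations:
        label, tld = split_domain(reg["domain"])
        scored.append({**reg, "label": label, "tld": tld,
                       "entropy": round(shannon_entropy(label), 3)})
    return scored


def high_entropy(scored, threshold=HIGH_ENTROPY_THRESHOLD):
    """Domains whose label entropy exceeds the threshold, sorted by name."""
    return sorted(r["domain"] for r in scored if r["entropy"] > threshold)


def find_clusters(scored, min_size=3):
    """Group registrations that share TLD, registrar and an identical entropy value.

    Identical entropy across many names is the fingerprint of one generator
    run (e.g. 15 distinct characters per label gives exactly log2(15) = 3.907).
    Assumption: this key is a reasonable stand-in for the studies' clustering.
    """
    groups = defaultdict(list)
    for r in scored:
        groups[(r["tld"], r["registrar"], r["entropy"])].append(r["domain"])
    return {key: sorted(doms) for key, doms in groups.items() if len(doms) >= min_size}


# Constructed sample of "one day's registrations" (not real data; RFC 5737 test IPs).
SAMPLE_REGISTRATIONS = [
    {"domain": "example.com", "registrar": "RegistrarA", "ip": "192.0.2.10"},
    {"domain": "aaaa.net", "registrar": "RegistrarA", "ip": "192.0.2.11"},
    {"domain": "bestgamblingdeals.top", "registrar": "RegistrarB", "ip": "198.51.100.5"},
    {"domain": "kqzmwfyjtbxhgcp.buzz", "registrar": "RegistrarB", "ip": "198.51.100.7"},
    {"domain": "pnbvcxzlkjhgfds.buzz", "registrar": "RegistrarB", "ip": "198.51.100.7"},
    {"domain": "qwertyuiopasdfg.buzz", "registrar": "RegistrarB", "ip": "198.51.100.8"},
    {"domain": "zy8q3wk1nx7vbm5t.org", "registrar": "RegistrarC", "ip": "203.0.113.9"},
]


def run_report(registrations=SAMPLE_REGISTRATIONS):
    """Score, flag and cluster a registration list; returns (scored, flagged, clusters)."""
    scored = score_domains(registrations)
    return scored, high_entropy(scored), find_clusters(scored)


if __name__ == "__main__":
    scored, flagged, clusters = run_report()
    for r in scored:
        print(f"{r['domain']:<28} entropy={r['entropy']:.3f}")
    print("above threshold:", flagged)
    for (tld, registrar, ent), doms in clusters.items():
        print(f"cluster .{tld} via {registrar} at entropy {ent}: {doms}")
```

Note that the 16-character .org name is flagged as high entropy but forms no cluster, while the three .buzz names share the same TLD, registrar and entropy and are grouped together; entropy alone is a triage signal, and the grouping is what points at bulk, algorithmic registration.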


Sarpappoirm

Bulk registrations refer to the process of registering multiple domain names at once, often for the purpose of owning a large number of similar or related domains. This can be done for various reasons, such as brand protection, marketing campaigns, or domain speculation.

High-entropy domains, on the other hand, are domain names that contain random or unpredictable combinations of characters, making them difficult to guess or predict. These domains often consist of a mix of letters, numbers, and symbols, and they may not have any obvious meaning or relevance to a specific brand or industry.

Both bulk registrations and high-entropy domains can raise concerns for domain administrators and security professionals. Bulk registrations can be associated with abusive behavior, such as phishing or spamming, while high-entropy domains can be used for malicious purposes, such as hosting phishing websites or launching targeted cyber attacks.

To mitigate these risks, domain administrators may implement measures such as monitoring bulk registration patterns, conducting thorough domain name analysis, and enforcing strict policies for high-entropy domains. Additionally, cybersecurity tools and techniques like threat intelligence feeds, machine learning algorithms, and behavioral analysis can be employed to identify and respond to potential threats associated with bulk registrations and high-entropy domains.

Bulk registrations can also be used for legitimate purposes, such as securing variations of a company's domain name to prevent cybersquatting or intellectual property infringement. This practice is commonly referred to as defensive registration and is a proactive approach to protecting a brand's online identity.

High-entropy domains, while potentially posing a security risk, can also be used for legitimate purposes, such as creating secure, unique subdomains for specific applications or services. In some cases, organizations may intentionally use high-entropy domains to provide an additional layer of security through obfuscation.

However, it's important for domain administrators and security professionals to remain vigilant when it comes to both bulk registrations and high-entropy domains. Proactive monitoring, threat intelligence sharing, and continuous evaluation of domain registration patterns and activities are essential for identifying and mitigating potential risks associated with these practices.

Overall, a balanced approach is necessary to address the challenges posed by bulk registrations and high-entropy domains, taking into account both the legitimate uses and potential security implications of these domain registration practices.

