Earlier today we announced the release of the PatternEx malicious domain feed. The feed is updated periodically and is available on Github: https://github.com/patternex/patternex-feed
Description of the feed
The feed is released as a set of csv files, each with a maximum of 100K domains, where each line contains:
the detection date (yyyy-mm-dd)
the reported domain (for instance windowdowngradegreataflash[.]icu)
the category (currently we are reporting social engineering domains)
the score (probability of the domain being malicious)
Below we show a sample of domains detected on 2019-02-03:
Initial stats of the feed
As of the day of writing this document (2019-02-03), the feed contains 203.9K malicious domains. These domains are retrieved from the zone files of multiple top level domains (.bid, .click, .date, .download, .fun, .host, .icu, .link, .loan, .men, .online, .party, .pro, .racing, .review, .site, .space, .stream, .tech, .top, .trade, .website, .win, .works, .xyz, and .zip) available via the Centralized Zone Data service (https://czds.icann.org/en).
How to use the feed?
The feed is available for non-commercial use and without warranty. It may be used for any activity ranging from live detection or threat hunting to AI/ML. We encourage users to check whether the correlation of the PatternEx feed with the network traffic logs of their organization results in malicious findings missed by existing organizational security defenses. We would love to hear your success (or failure) stories (email@example.com)!
How is it different from other feeds?
In a nutshell, we identify many domains weeks before they are reported in any other blacklist. To back this claim, we presented a comparative analysis in a peer-reviewed paper at the IEEE BigData conference in December 2018 (https://ieeexplore.ieee.org/document/8622197).
Call to action
We look forward to expanding the feed by either analyzing other open data sources, or by detecting other categories of malicious domains. Either way, if you would like to contribute to this project please do get in touch (firstname.lastname@example.org).
In the the next blog of the domain detection series, we will provide details of the deep learning model used to generate the feed. Please keep posted for updates and don’t hesitate to share any success or failure stories using the feed!