*********************************
There is now a CONTENT FREEZE for Mercury while we switch to a new platform. It began on Friday, March 10 at 6pm and will end on Wednesday, March 15 at noon. No new content can be created during this time, but all material in the system as of the beginning of the freeze will be migrated to the new platform, including users and groups. Functionally the new site is identical to the old one. webteam@gatech.edu
*********************************
Ph.D. Thesis Defense Announcement
Title: Improving Internet Security via Large-Scale Passive and Active DNS Monitoring
Manos Antonakakis
School of Computer Science
College of Computing
Georgia Tech
manos@cc.gatech.edu
Date: Thursday, May 17, 2012
Time: 12:00pm - 3:00pm EDT
Location: KACB 3126 ("GTISC War Room")
Committee:
Abstract:
The Domain Name System (DNS) is a critical component of the Internet. DNS provides the ability to map human-readable and memorable domain names to machine-level IP addresses and other records. These mappings lie at the heart of the Internet's success and are essential for the majority of core Internet applications and protocols.
The critical nature of DNS means that it is often the target of abuse. Cyber-criminals rely heavily upon the reliability and scalability of the DNS protocol to serve as an agile platform for their illicit operations. For example, modern malware and Internet fraud techniques rely upon DNS to locate their remote command-and- control (C&C) servers through which new commands from the attacker are issued, serve as exfiltration points for information stolen from the victims' computers, and to manage subsequent updates to their malicious toolset.
The research described in this thesis scientifically addresses problems in the area of DNS-based detection of illicit operations. In detail, this research studies new methods to quantify and track dynamically changing reputations for DNS based on passive network measurements. The research also investigates methods for the creation of early warning systems for DNS. These early warning systems enables the research community to identify emerging threats (e.g., new botnets and malware infections) across the DNS hierarchy in a timelier manner.
This dissertation makes the following contributions. Contribution in Dynamic Reputation Systems for DNS: To address the limitation of static domain name blacklists we developed Notos[1], a dynamic reputation system for DNS. Notos uses passive DNS evidence from recursive DNS servers to distinguish between benign and malicious domain names using historical learning techniques. Notos allows us to statistically correlate the two planes in DNS: the name space and the address space. The primary goal of Notos is to automatically assign a low reputation score to a domain that is involved in malicious activities, such as malware C&C, "phishing", and spam campaigns. Conversely, we want to assign a high reputation score to domains that are used for legitimate purposes.
Contribution towards DNS-based Malware Detection at the DNS Authority Level: The first component of the early warning system we developed is named Kopis[2]. Kopis operates in the upper layers of the DNS hierarchy and is capable of detecting malware-related domain names "on-the-rise". This early warning system can be independently deployed and operated by the top-level domain (TLD) and authoritative DNS (ANS) operators. The system enables TLD and ANS operators to detect malware-related domains from within their authority zones without the need for data from other networks or other inter-organizational coordination. The detection of such malware related domain names typically comes days or even weeks before the domains appear in public blacklists.
Contribution towards DNS-based Malware Detection at the DNS Recursive Level: Pleiades[3] is the second component of our early warning system against rising malware threats. In particular Pleiades is able to detect the rise of Domain Name Generation (DGA) based botnets in a local network by statistical modeling of the unsuccessful DNS resolutions at the recursive DNS level of the monitored network. Pleiades is able to learn models from traffic generated by already known DGA-based malware and to detect active infections in the monitored networks.
[1] Antonakakis, M., Perdisci, R., Dagon, D., Lee, W., and Feamster, N., "Building a Dynamic Reputation System for DNS," in the Proceedings of 19th USENIX Security Symposium (USENIX Security '10), 2010.
[2] Antonakakis, M., Perdisci, R., Lee, W., Dagon, D., and Vasiloglou, N., "Detecting Malware Domains at the Upper DNS Hierarchy," in the Proceedings of 20th USENIX Security Symposium (USENIX Security '11), 2011.
[3] Antonakakis, M., Perdisci, R., Nadji, Y., Vasiloglou, N., Abu-Nimeh, S., Lee, W., and Dagon, D., "From Throw-Away Traffic to
Bots: Detecting the Rise of DGA-Based Malware," to appear in the Proceedings of 21th USENIX Security Symposium (USENIX Security '12), 2012.
