*********************************
There is now a CONTENT FREEZE for Mercury while we switch to a new platform. It began on Friday, March 10 at 6pm and will end on Wednesday, March 15 at noon. No new content can be created during this time, but all material in the system as of the beginning of the freeze will be migrated to the new platform, including users and groups. Functionally the new site is identical to the old one. webteam@gatech.edu
*********************************
Title: Improving Access to DNS Datasets Through the Large-Scale Collection of Active-DNS Data
Date: Friday, February 24th
Time: 2 pm - 4 pm EST
Location: Klaus 1123
Athanasios Kountouras
Ph.D. Candidate
School of Cybersecurity and Privacy
College of Computing
Georgia Institute of Technology
Committee:
Dr. Manos Antonakakis (advisor), ECE, Georgia Institute of Technology
Dr. Mustaque Ahamad, CS, Georgia Institute of Technology
Dr. Angelos Keromytis, ECE, Georgia Institute of Technology
Dr. Roberto Perdisci, CS, University of Georgia
Dr. Chaz Lever, Senior Director - Security Research, Devo Technology Inc.
Abstract:
The Internet has changed significantly in size, interconnectedness, speed, capability, and usability over the years. Especially after a few years of remote work and remote learning, we can safely say that the Internet is an essential resource for the modern world. How- ever, even though the network has expanded massively since its inception, it still relies upon the same fundamental technologies that still form the backbone of interconnected networks. The Domain Name System (DNS) is one of those fundamental Internet technologies; its main task is to translate humanly readable domain names into resources on the ever-growing network. Because nearly all internet traffic, benign and malicious, utilizes DNS, the system has long been utilized by the security community, which has evolved along with the Internet to help battle new and ever more sophisticated threats, and DNS has been proven to be a valuable tool in that effort.
Studying the Domain Name System helps us understand how it can be abused and how it can also be a great tool in combating abuse. In order, though, for DNS to be useful for Internet defenders, they require access to quality datasets for identifying malicious behavior, building detection models, evaluating and running models on real-world datasets, and many more. Such datasets will enable the development of new algorithms and methodologies that can assist with the early detection, tracking, and overall lifetime of modern Internet threats.
To that end, this thesis presents the concept of Active DNS data collection through a distributed querying infrastructure. More specifically, we show how this new public dataset which we name Active DNS, compares against traditionally utilized passive DNS datasets and document our system’s unique features that enable it to function as an alternative to passive DNS data. We then demonstrate the ability of Active DNS data to detect online abuse by utilizing it to amplify already known malicious web infrastructure and potentially identify new abusive infrastructure before it’s even used. Finally, we show how our distributed querying system, Thales, allows us to study the operational aspects of the global DNS infrastructure, specifically investigating the proliferation of a new DNS extension and measuring the impact and efficacy of this new DNS extension through active probing.
