Improving Internet Security via Large-Scale Passive and Active DNS Monitoring

A brief overview of my thesis as a guest talk at Atlanta's data science meetup [DSATL - Machine Learning and InfoSec]. 

Committee:

Dr. Wenke Lee (School of Computer Science, Georgia Tech)
Dr. Mustaque Ahamad (School of Computer Science, Georgia Tech)
Dr. Nick Feamster (School of Computer Science, Georgia Tech)
Dr. Patrick Gerard Traynor (School of Computer Science, Georgia Tech)
Dr. Fabian Monrose (Department of Computer Science, University of North Carolina at Chapel Hill)

Manos Antonakakis. "Improving Internet Security via Large-Scale Passive and Active DNS Monitoring." PhD Thesis. Georgia Institute of Technology, 2012. [pdf|cite]

Ph.D. Proposal presentation [pdf]
Ph.D. Defense presentation [pdf]

Abstract 

The Domain Name System (DNS) is a critical component of the Internet. DNS provides the ability to map human-readable and memorable domain names to machine-level IP addresses and other records. These mappings lie at the heart of the Internet's success and are essential for the majority of core Internet applications and protocols.

The critical nature of DNS means that it is often the target of abuse. Cyber-criminals rely heavily upon the reliability and scalability of the DNS protocol to serve as an agile platform for their illicit operations. For example, modern malware and Internet fraud techniques rely upon DNS to locate their remote command-and-control (C&C) servers through which new commands from the attacker are issued, serve as exfiltration points for information stolen from the victims' computers, and to manage subsequent updates to their malicious toolset.

The research described in this thesis scientifically addresses problems in the area of DNS-based detection of illicit operations. In detail, this research studies new methods to quantify and track dynamically changing reputations for DNS based on passive network measurements. The research also investigates methods for the creation of early warning systems for DNS. These early warning systems enable the research community to identify emerging threats (e.g., new botnets and malware infections) across the DNS hierarchy in a more timely manner.


Contributions

The dissertation makes the following contributions.
  • Contribution in Dynamic Reputation Systems for DNS: To address the limitation of static domain name blacklists we developed Notos[1], a dynamic reputation system for DNS. Notos uses passive DNS evidence from recursive DNS servers to distinguish between benign and malicious domain names using historical learning techniques. Notos allows us to statistically correlate the two planes in DNS: the name space and the address space. The primary goal of Notos is to automatically assign a low reputation score to a domain that is involved in malicious activities, such as malware C&C, "phishing", and spam campaigns. Conversely, we want to assign a high reputation score to domains that are used for legitimate purposes.
  • Contribution towards DNS-based Malware Detection at the DNS Authority Level: The first component of the early warning system we developed is named Kopis [2]. Kopis operates in the upper layers of the DNS hierarchy and is capable of detecting malware-related domain names "on-the-rise". This early warning system can be independently deployed and operated by top-level domain (TLD) and authoritative DNS (ANS) operators. The system enables TLD and ANS operators to detect malware-related domains from within their authority zones without the need for data from other networks or other inter-organizational coordination. The detection of such malware-related domain names typically comes days or even weeks before the domains appear in public blacklists.
  • Contribution towards DNS-based Malware Detection at the DNS Recursive Level: Pleiades [3] is the second component of our early warning system against rising malware threats. In particular, Pleiades is able to detect the rise of domain generation algorithm (DGA) based botnets in a local network by statistically modeling the unsuccessful DNS resolutions (NXDOMAIN responses) observed at the recursive DNS level of the monitored network. Pleiades is able to learn models from traffic generated by already known DGA-based malware and to detect active infections in the monitored networks.
  1. Antonakakis, M., Perdisci, R., Dagon, D., Lee, W., and Feamster, N., "Building a Dynamic Reputation System for DNS," in the Proceedings of 19th USENIX Security Symposium (USENIX Security '10), 2010. [pdf|cite]
  2. Antonakakis, M., Perdisci, R., Lee, W., Dagon, D., and Vasiloglou, N., "Detecting Malware Domains at the Upper DNS Hierarchy," in the Proceedings of 20th USENIX Security Symposium (USENIX Security '11), 2011. [pdf|cite]
  3. Antonakakis, M., Perdisci, R., Nadji, Y., Vasiloglou, N., Abu-Nimeh, S., Lee, W., and Dagon, D., "From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based Malware," to appear in the Proceedings of 21st USENIX Security Symposium (USENIX Security '12), 2012. [pdf|cite]
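As an added illustration of the recursive-level idea behind Pleiades (not code from the thesis or the Pleiades system), the following script groups the failed resolutions in a recursive resolver's log by client and computes simple per-client statistics over the failing names (volume, label length, character entropy, distinctness). The log lines, the log format and the alerting thresholds are constructed assumptions; Pleiades itself learns its models from known DGA traffic rather than using fixed thresholds.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of recursive-resolver query logs: "client qname rcode".
# Made-up lines for illustration only, not data from the thesis.
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.5 typo-examle.com NXDOMAIN
10.0.0.9 xk3qz9vbt2lwq.net NXDOMAIN
10.0.0.9 p7h2mqr0cz8da.net NXDOMAIN
10.0.0.9 v0tw6ls2bnkxe.org NXDOMAIN
10.0.0.9 q9jf4dxm1zrcy.info NXDOMAIN
10.0.0.9 www.example.com NOERROR
"""

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registered_label(name: str) -> str:
    """Naive second-level label, the part a DGA usually randomises."""
    parts = name.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def nxdomain_features(log_text: str) -> dict:
    """Per-client statistics computed over NXDOMAIN responses only."""
    labels_by_client = defaultdict(list)
    for line in log_text.splitlines():
        client, qname, rcode = line.split()
        if rcode == "NXDOMAIN":
            labels_by_client[client].append(registered_label(qname))
    feats = {}
    for client, labels in labels_by_client.items():
        feats[client] = {
            "nx_count": len(labels),
            "mean_len": sum(map(len, labels)) / len(labels),
            "mean_entropy": sum(map(shannon_entropy, labels)) / len(labels),
            "distinct_ratio": len(set(labels)) / len(labels),
        }
    return feats

def suspicious_clients(log_text: str, min_nx: int = 3, min_entropy: float = 3.0) -> list:
    """Clients with many failed lookups for high-entropy names (assumed thresholds)."""
    feats = nxdomain_features(log_text)
    return sorted(c for c, v in feats.items()
                  if v["nx_count"] >= min_nx and v["mean_entropy"] >= min_entropy)
```

A single typo (10.0.0.5) stays below the thresholds, while the client emitting a burst of random-looking failing names (10.0.0.9) is flagged for review.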