Google-UMD Cybersecurity Seminar: "Internet Monitoring via DNS Traffic Analysis" by Dr. Wenke Lee

Thu Nov 08, 2012 5:00 PM

Location: 1115 Computer Science Instructional Center (CSI)

Registration required for this seminar.

In recent years miscreants have been leveraging the Domain Name System (DNS) to build Internet-scale malicious network infrastructures for malware command and control (C&C). In this talk, Dr. Lee will describe his DNS traffic analysis work that aims to identify the C&C domains and hence the infected hosts, and gain insights into malware operations.

Dr. Lee will describe Kopis, a system that passively monitors DNS traffic at the upper levels of the DNS hierarchy, analyzes global DNS query resolution patterns, and identifies domains likely associated with malware activities. Kopis has high detection rates (e.g., 98.4%) and low false positive rates (e.g., 0.3% or 0.5%). In addition, Kopis is able to detect new malware domains days or even weeks before they appear in public blacklists and security forums. For example, it discovered the rise of a previously unknown DDoS botnet based in China in 2010.

Dr. Lee will also present a study of the DNS infrastructure used by mobile apps. Using traffic obtained from a major US cellular provider as well as a major US non-cellular Internet service provider, Dr. Lee and his team identified the DNS domains looked up by mobile apps, and analyzed information related to the Internet hosts pointed to by these domains. They found that the DNS infrastructure used by mobile apps is part of the infrastructure used by applications in the non-cellular world; in other words, the mobile web is part of the Internet. They saw evidence that the criminals behind mobile malware may be the same as those behind botnets and malware in the non-cellular world: about 48,098 hosts known to be associated with malicious activities are also pointed to by unknown (likely malicious) domains looked up by mobile apps. They also found that the network characteristics of major, widespread mobile threats are very similar to those of non-cellular botnets. These findings demonstrate that malicious mobile apps and non-cellular malware have commonalities in DNS infrastructure and network characteristics, and therefore there is a need to develop a DNS monitoring and reputation system for cellular carriers similar to the ones already developed for non-cellular ISPs.
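The two kinds of analysis sketched in the abstract above (profiling global query resolution patterns of a domain as seen from an upper-level DNS vantage point, and cross-referencing the hosts that mobile-app-queried domains point to against hosts already known to be malicious) can be illustrated with a small passive-DNS script. This is an added example, not Kopis code or code from Dr. Lee's group; the records, the known-bad host list, the requester-diversity and IP-churn features and the thresholds are all constructed for illustration and are not the features or parameters Kopis actually uses.

```python
"""Illustrative passive-DNS pattern analysis over constructed records.

Not Kopis: features, thresholds and data here are hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed passive-DNS records as they might be observed at an upper-level
# DNS vantage point. Fields: day, requester network type, requester ASN,
# queried domain, resolved IP. All values are made up (documentation ranges).
RECORDS = [
    (1, "fixed",    "AS100", "news.example.com",     "198.51.100.10"),
    (1, "fixed",    "AS200", "news.example.com",     "198.51.100.10"),
    (2, "cellular", "AS300", "news.example.com",     "198.51.100.10"),
    (3, "fixed",    "AS400", "news.example.com",     "198.51.100.10"),
    (4, "cellular", "AS500", "news.example.com",     "198.51.100.10"),
    (1, "fixed",    "AS100", "blog.example.com",     "198.51.100.20"),
    (2, "fixed",    "AS100", "blog.example.com",     "198.51.100.20"),
    (1, "fixed",    "AS100", "upd-pool.example.net", "203.0.113.5"),
    (1, "cellular", "AS300", "upd-pool.example.net", "203.0.113.6"),
    (2, "fixed",    "AS200", "upd-pool.example.net", "203.0.113.7"),
    (2, "cellular", "AS500", "upd-pool.example.net", "203.0.113.8"),
    (3, "cellular", "AS300", "tracker.example.org",  "203.0.113.9"),
    (3, "cellular", "AS500", "tracker.example.org",  "203.0.113.9"),
]

# Constructed set of hosts already known to be associated with malicious
# activity (placeholder addresses, not real indicators).
KNOWN_BAD_HOSTS = {"203.0.113.7", "203.0.113.9"}


@dataclass
class DomainProfile:
    """Aggregate resolution pattern observed for one domain."""
    requester_asns: set = field(default_factory=set)
    days: set = field(default_factory=set)
    ips_by_network: dict = field(default_factory=lambda: defaultdict(set))
    lookups: int = 0

    @property
    def resolved_ips(self):
        # Union of IPs seen from every requester network type.
        return set().union(*self.ips_by_network.values())


def profile_domains(records):
    """Build one DomainProfile per queried domain from the record stream."""
    profiles = defaultdict(DomainProfile)
    for day, network, asn, domain, ip in records:
        p = profiles[domain]
        p.requester_asns.add(asn)
        p.days.add(day)
        p.ips_by_network[network].add(ip)
        p.lookups += 1
    return dict(profiles)


def suspicious_domains(profiles, min_asns=3, min_ips=3, max_day_span=2):
    """Hypothetical heuristic: flag a domain queried from many distinct
    requester networks that resolves to many distinct IPs within a short
    window (high requester diversity combined with fast IP churn)."""
    flagged = set()
    for domain, p in profiles.items():
        day_span = max(p.days) - min(p.days) + 1
        if (len(p.requester_asns) >= min_asns
                and len(p.resolved_ips) >= min_ips
                and day_span <= max_day_span):
            flagged.add(domain)
    return flagged


def domains_on_known_bad_hosts(profiles, bad_hosts, network=None):
    """Domains whose resolved IPs overlap the known-bad host set.
    If `network` is given (e.g. "cellular"), only lookups observed from
    that requester network type are considered."""
    hits = set()
    for domain, p in profiles.items():
        ips = p.ips_by_network.get(network, set()) if network else p.resolved_ips
        if ips & bad_hosts:
            hits.add(domain)
    return hits


if __name__ == "__main__":
    profiles = profile_domains(RECORDS)
    print("pattern-flagged domains:", sorted(suspicious_domains(profiles)))
    print("cellular lookups pointing at known-bad hosts:",
          sorted(domains_on_known_bad_hosts(profiles, KNOWN_BAD_HOSTS, "cellular")))
```

With the constructed data, `news.example.com` is queried from many networks but always resolves to one stable address, so requester diversity alone does not flag it; `upd-pool.example.net` is flagged because it combines many requester networks with four different addresses in two days, and it also resolves (from the fixed-line vantage point) to a known-bad host. Restricting the cross-reference to cellular lookups yields only `tracker.example.org`, which is the kind of overlap the mobile-app study describes: a domain looked up by mobile clients that points at a host already tied to non-cellular malicious activity.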

Dr. Wenke Lee is a Professor in the School of Computer Science, College of Computing, the Georgia Institute of Technology. He received his Ph.D. in Computer Science from Columbia University in the City of New York in 1999. Prior to joining Georgia Tech, he was an Assistant Professor in the Computer Science Department at North Carolina State University from 1999 to 2001.

Dr. Lee works in systems and network security. His current research projects are in the areas of botnet detection, malware analysis, virtual machine monitoring, and Web 2.0 security and privacy, with funding from NSF, DHS, and DoD. He has published over 100 articles with more than 20 of them cited more than 100 times. In 2006, Dr. Lee co-founded Damballa, Inc., a spin-off from his lab that focuses on botnet detection and mitigation.