
PhD Proposal by Yizheng Chen


Title: Solving Evolving Security Problems with Long-Term DNS data


Yizheng Chen

Ph.D. student

School of Computer Science

College of Computing

Georgia Institute of Technology


Date: Tuesday, June 13th, 2017

Time: 2 PM - 4 PM (ET)

Location: Klaus 3126


Committee:

------------------------

Dr. Emmanouil Antonakakis (Co-advisor, School of Electrical and Computer Engineering, Georgia Institute of Technology)

Dr. Wenke Lee (Co-advisor, School of Computer Science, Georgia Institute of Technology)

Dr. Mustaque Ahamad (School of Computer Science, Georgia Institute of Technology)

Dr. Raheem Beyah (School of Electrical and Computer Engineering, Georgia Institute of Technology)

Dr. Roberto Perdisci (Dept. of Computer Science, University of Georgia and School of Computer Science, Georgia Tech)


Abstract

------------------------


DNS data are commonly used to build domain name reputation systems, identify critical criminal infrastructure, support take-down efforts, detect DGAs (Domain Generation Algorithms), and facilitate the detection of malware downloads and social engineering, among other uses. Long-term DNS data can also be used to address security problems that evolve over time. We apply machine learning techniques to study the evolution of disposable domains, analyze the long-term financial damage caused by a botnet's impression fraud, and track malvertising campaigns.


Unfortunately, these machine learning systems are themselves not secure and are prone to attack. Most existing work in adversarial learning has focused on problems in the classifier, where the features can be computed directly from the object under analysis: a spam email, a PDF binary, a phishing page, an image, a network attack packet, or an exploit kit. These security applications classify an object based on local features extracted from only that object and its behavior. Our work highlights areas in adversarial machine learning that have not yet been addressed, specifically graph-based clustering techniques and a global feature space in which defenders must consider realistic attackers who lack perfect knowledge. We design and evaluate two novel graph attacks against a state-of-the-art network-level, graph-based detection system. Even less informed attackers can evade graph clustering at low cost; however, we show that practical defenses exist.

Status

  • Workflow Status: Published
  • Created By: Tatianna Richardson
  • Created: 06/12/2017
  • Modified By: Tatianna Richardson
  • Modified: 06/12/2017
