Title: Empirical Analysis of Existing and Emerging Threats at Scale Using DNS

Chaz Lever
Ph.D. Candidate
School of Computer Science
College of Computing
Georgia Institute of Technology

Date: Friday, December 15th, 2017
Time: 1 PM - 3 PM (ET)
Location: Klaus 2100 (UPDATED)

Committee:
------------------------
Dr. Emmanouil Antonakakis (Advisor, School of Electrical and Computer Engineering, Georgia Institute of Technology)
Dr. Mustaque Ahamad (School of Computer Science, Georgia Institute of Technology)
Dr. Douglas Blough (School of Electrical and Computer Engineering, Georgia Institute of Technology)
Dr. Roberto Perdisci (Dept. of Computer Science, University of Georgia and School of Computer Science, Georgia Tech)

Dr. Fabian Monrose (Dept. of Computer Science, University of North Carolina, Chapel Hill)

Abstract:
------------------------

The security landscape is constantly evolving. Therefore, in order to build better defenses, it is critical to evaluate emerging and existing threats to better understand how and where to prioritize future security efforts. Ideally, such evaluation of threats should be based on real world data, but this introduces a number of challenges. In particular, real world data must be collected, parsed, and cleaned before any sort of analysis can proceed.

The work in this thesis provides an empirical analysis of numerous existing or emerging threats using real world data at scale. As such, it provides the first real world study on the emergence mobile malware by studying network traffic from almost 25M devices—showing that security practices on popular mobile device platforms appear to be fairly effective. In addition, it studies the unintended security consequences of hundreds of millions of domain expirations over several years and shows that malware is increasingly using expired domains for abuse—as well as providing a lightweight algorithm for detecting such expirations. Finally, it studies the evolution of 27M malware collected over almost a half decade— confirming some existing findings at scale and identifying several shortcomings of the current state of the art.