log in  |  register  |  feedback?  |  help  |  web accessibility
Google-UMD Cybersecurity Seminar: Internet Monitoring via DNS Traffic Analysis
Thursday, November 8, 2012, 5:00-6:00 pm Calendar
  • You are subscribed to this talk through .
  • You are watching this talk through .
  • You are subscribed to this talk. (unsubscribe, watch)
  • You are watching this talk. (unwatch, subscribe)
  • You are not subscribed to this talk. (watch, subscribe)
Registration requested: The organizer of this talk requests that you register if you are planning to attend. There are two ways to register: (1) You can create an account on this site (click the "register" link in the upper-right corner) and then register for this talk; or (2) You can enter your details below and click the "Register for talk" button. Either way, you can always cancel your registration later.




Talk Title: Internet Monitoring via DNS Traffic Analysis



In recent years miscreants have been leveraging the Domain Name System (DNS) to build Internet-scale malicious network infrastructures for malware command and control (C&C). In talk, I will describe our DNS traffic analysis work that aims to identify the C&C domains and hence the infected hosts, and gain insights into malware operations.


First, I will describe Kopis, a system that passively monitors DNS traffic at the upper levels of the DNS hierarchy, analyzes global DNS query resolution patterns, and identifies domains likely associated with malware activities. Kopis has high detection rates (e.g., 98.4%) and low false positive rates (e.g., 0.3% or 0.5%). In addition, Kopis is able to detect new malware domains days or even weeks before they appear in public blacklists and security forums. For example, it discovered the rise of a previously unknown DDoS botnet based in China in 2010.


Second, I will present a study of the DNS infrastructure used by mobile apps. Using traffic obtained from a major US cellular provider as well as a major US non-cellular Internet service provider, we identified the DNS domains looked up by mobile apps, and analyzed information related to the Internet hosts pointed to by these domains. We found that the DNS infrastructure used by mobile apps is part of the infrastructure used by applications in non-cellular world; in other words, the mobile web is part of the Internet. We saw evidence that the criminals behind mobile malware may be the same as those behind botnets and malware in non-cellular world: about 48,098 hosts known to be associated with malicious activities are also pointed to by unknown (likely malicious) domains looked up by mobile apps. We found that the network characteristics of major, widespread mobile threats are very similar to those of non-cellular botnets. These findings demonstrate that malicious mobile apps and non-cellular malware have commonalities in DNS infrastructure and network characteristics, and therefore, there a need to develop a DNS monitoring and reputation system for cellular carriers similar to the ones already developed for non-cellular ISPs.



Dr. Wenke Lee is a Professor in the School of Computer Science, College of Computing, the Georgia Institute of Technology. He received his Ph.D. in Computer Science from Columbia University in the City of New York in 1999. Prior to joining Georgia Tech, he was an Assistant Professor in the Computer Science Department at the North Carolina State University from 1999 to 2001.

Dr. Lee works in systems and network security. His current research projects are in the areas of botnet detection, malware analysis, virtual machine monitoring, and Web 2.0 security and privacy, with funding from NSF, DHS, and DoD.

Dr. Lee has published over 100 articles with more than 20 of them cited more than 100 times. In 2006, Dr. Lee co-founded Damballa, Inc., a spin-off from his lab that focuses on botnet detection and mitigation.

This talk is organized by Eric Chapman