
Revealing Previously Unknown Malicious Domains leveraging DNS and WHOIS Data

Supervisor(s): George Webster
Status: finished
Topic: Others
Author: Christian Köpp
Submission: 2014-09-15
Type of Thesis: Master's thesis
Proof of Concept: No

Abstract:

Maintaining a blacklist of malicious websites and sifting through network traffic to detect nefarious activity is a difficult battle to fight. The rise in the use of Domain Generation Algorithms (DGA) and similar techniques has only further hindered that fight by making the usefulness of static lists negligible. As a result, security researchers have looked towards leveraging patterns in DNS information to detect malicious activity. This has proven successful in the detection of botnet activity and other forms of cyber crime, but more can be done. In this master's thesis we will leverage the existing work in this field to generate a coherent set of rules to comb through network traffic. We will then expand upon academia's current knowledge set by identifying additional rules that can be used with WHOIS data to better triage information. In the end we expect to be able to detect a more diverse range of criminal activity, including Advanced Persistent Threats (APT), hacktivists, small-scale criminal activity, as well as more traditional cyber-criminal botnets.
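The abstract describes combining DNS-derived rules with WHOIS data to triage candidate domains. The following is an added illustration of what such a rule set can look like; it is not code from the thesis or from TUM. Every rule, threshold, log entry and WHOIS date below is a constructed assumption chosen for the example: three lexical rules over the registrable label (character entropy, digit ratio, vowel ratio, the classic DGA tells), one WHOIS rule (registration younger than 30 days) and one DNS-behaviour rule (the querying client has a high NXDOMAIN ratio, which is what a DGA client produces while it searches for a live rendezvous domain). The `registered_domain` helper is a crude eTLD+1 stand-in; real code would use the Public Suffix List.

```python
import math
from collections import Counter
from datetime import date

# Constructed DNS log: (client IP, queried name, response code). Not real traffic.
DNS_LOG = [
    ("10.0.0.5", "www.example.com", "NOERROR"),
    ("10.0.0.5", "mail.example.com", "NOERROR"),
    ("10.0.0.7", "xk3q9vbt7e2z.net", "NXDOMAIN"),
    ("10.0.0.7", "p0w8r1tq5m4a.net", "NXDOMAIN"),
    ("10.0.0.7", "zr5t2b8kx0lq.net", "NOERROR"),
    ("10.0.0.9", "updates.vendor-site.org", "NOERROR"),
]

# Constructed WHOIS creation dates (hypothetical; a deployment would query a WHOIS service).
WHOIS_CREATED = {
    "example.com": date(2000, 1, 1),
    "zr5t2b8kx0lq.net": date(2014, 9, 1),
    "vendor-site.org": date(2010, 5, 20),
}
TODAY = date(2014, 9, 15)  # fixed reference date so the example is deterministic


def registered_domain(name):
    """Crude eTLD+1: the last two labels. Assumption for this example only;
    real code must consult the Public Suffix List (co.uk etc.)."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s):
    """Character entropy in bits; DGA labels are close to log2(len) because they rarely repeat characters."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def digit_ratio(s):
    return sum(ch.isdigit() for ch in s) / len(s) if s else 0.0


def vowel_ratio(s):
    return sum(ch in "aeiou" for ch in s) / len(s) if s else 0.0


def lexical_score(name):
    """One point per lexical rule that fires on the registrable label (thresholds are assumptions)."""
    label = registered_domain(name).split(".")[0]
    rules = [
        shannon_entropy(label) > 3.0,
        digit_ratio(label) > 0.25,
        vowel_ratio(label) < 0.2,
    ]
    return sum(rules)


def whois_age_score(name, today=TODAY, max_age_days=30):
    """One point if WHOIS shows a very recent registration; no record scores 0 and is
    left to the DNS-behaviour rule (NXDOMAIN names have no registration to look up)."""
    created = WHOIS_CREATED.get(registered_domain(name))
    if created is None:
        return 0
    return 1 if (today - created).days < max_age_days else 0


def client_nxdomain_ratio(log):
    """Fraction of each client's queries that returned NXDOMAIN."""
    totals, nx = Counter(), Counter()
    for client, _, rcode in log:
        totals[client] += 1
        if rcode == "NXDOMAIN":
            nx[client] += 1
    return {c: nx[c] / totals[c] for c in totals}


def triage(log, threshold=3):
    """Score every registrable domain seen in the log; a domain keeps its highest score
    across all queries. Returns (scores, sorted list of domains at or above threshold)."""
    ratios = client_nxdomain_ratio(log)
    scores = {}
    for client, name, _ in log:
        dom = registered_domain(name)
        behaviour = 1 if ratios[client] > 0.5 else 0
        score = lexical_score(name) + whois_age_score(name) + behaviour
        scores[dom] = max(scores.get(dom, 0), score)
    flagged = sorted(d for d, s in scores.items() if s >= threshold)
    return scores, flagged


if __name__ == "__main__":
    scores, flagged = triage(DNS_LOG)
    for dom, score in sorted(scores.items(), key=lambda kv: -kv[1]):
        print(f"{score}  {dom}")
    print("flagged:", flagged)
```

Run on the constructed log, the three random-looking `.net` names score 4 or 5 and are flagged, while `example.com` scores 0. Note that `vendor-site.org` still scores 1: its label has enough distinct characters to trip the entropy rule alone, which is exactly why a single lexical rule is a poor detector and why the WHOIS age and client-behaviour rules are combined with it before anything is flagged.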