{"126711":{"#nid":"126711","#data":{"type":"event","title":"Ph.D. Defense of Dissertation: Manos Antonakakis","body":[{"value":"\u003Cp\u003EPh.D. Thesis Defense Announcement\u003Cbr \/\u003E\u003Cbr \/\u003ETitle: \u003Cstrong\u003EImproving Internet Security via Large-Scale Passive and Active DNS Monitoring\u003C\/strong\u003E\u003Cbr \/\u003E\u003Cbr \/\u003EManos Antonakakis\u003Cbr \/\u003ESchool of Computer Science\u003Cbr \/\u003ECollege of Computing\u003Cbr \/\u003EGeorgia Tech\u003Cbr \/\u003E\u003Ca href=\u0022mailto:manos@cc.gatech.edu\u0022\u003Emanos@cc.gatech.edu\u003C\/a\u003E\u003Cbr \/\u003E\u003Cbr \/\u003EDate: Thursday, May 17, 2012\u003Cbr \/\u003ETime: 12:00pm - 3:00pm EDT\u003Cbr \/\u003ELocation: KACB 3126 (\u0022GTISC War Room\u0022)\u003Cbr \/\u003E\u003Cbr \/\u003E\u003Cbr \/\u003E\u003Cstrong\u003ECommittee:\u003C\/strong\u003E\u003C\/p\u003E\u003Cul\u003E\u003Cli\u003EDr. Wenke Lee (Advisor, School of Computer Science, Georgia Institute of Technology)\u003C\/li\u003E\u003Cli\u003EDr. Mustaque Ahamad (School of Computer Science, Georgia Institute of Technology)\u003C\/li\u003E\u003Cli\u003EDr. Nick Feamster (School of Computer Science, Georgia Institute of Technology)\u003C\/li\u003E\u003Cli\u003EDr. Patrick Gerard Traynor (School of Computer Science, Georgia Institute of Technology)\u003C\/li\u003E\u003Cli\u003EDr. Fabian Monrose (Department of Computer Science, University of North Carolina at Chapel Hill)\u003C\/li\u003E\u003C\/ul\u003E\u003Cp\u003E\u003Cbr \/\u003E\u003Cstrong\u003EAbstract:\u003C\/strong\u003E\u003Cbr \/\u003EThe Domain Name System (DNS) is a critical component of the Internet. DNS provides the ability to map human-readable and memorable domain names to machine-level IP addresses and other records. These mappings lie at the heart of the Internet\u0027s success and are essential for the majority of core Internet applications and protocols.\u003Cbr \/\u003E\u003Cbr \/\u003EThe critical nature of DNS means that it is often the target of abuse. Cyber-criminals rely heavily upon the reliability and scalability of the DNS protocol to serve as an agile platform for their illicit operations. For example, modern malware and Internet fraud techniques rely upon DNS to locate their remote command-and-control (C\u0026amp;C) servers through which new commands from the attacker are issued, to serve as exfiltration points for information stolen from the victims\u0027 computers, and to manage subsequent updates to their malicious toolset.\u003Cbr \/\u003E\u003Cbr \/\u003EThe research described in this thesis scientifically addresses problems in the area of DNS-based detection of illicit operations. In detail, this research studies new methods to quantify and track dynamically changing reputations for DNS based on passive network measurements. The research also investigates methods for the creation of early warning systems for DNS. These early warning systems enable the research community to identify emerging threats (e.g., new botnets and malware infections) across the DNS hierarchy in a timelier manner.\u003Cbr \/\u003E\u003Cbr \/\u003EThis dissertation makes the following contributions. Contribution in Dynamic Reputation Systems for DNS: To address the limitation of static domain name blacklists, we developed Notos[1], a dynamic reputation system for DNS. Notos uses passive DNS evidence from recursive DNS servers to distinguish between benign and malicious domain names using historical learning techniques. Notos allows us to statistically correlate the two planes in DNS: the name space and the address space. The primary goal of Notos is to automatically assign a low reputation score to a domain that is involved in malicious activities, such as malware C\u0026amp;C, \u0022phishing\u0022, and spam campaigns. Conversely, we want to assign a high reputation score to domains that are used for legitimate purposes.\u003Cbr \/\u003E\u003Cbr \/\u003EContribution towards DNS-based Malware Detection at the DNS Authority Level: The first component of the early warning system we developed is named Kopis[2]. Kopis operates in the upper layers of the DNS hierarchy and is capable of detecting malware-related domain names \u0022on-the-rise\u0022. This early warning system can be independently deployed and operated by the top-level domain (TLD) and authoritative DNS (ANS) operators. The system enables TLD and ANS operators to detect malware-related domains from within their authority zones without the need for data from other networks or other inter-organizational coordination. The detection of such malware-related domain names typically comes days or even weeks before the domains appear in public blacklists.\u003Cbr \/\u003E\u003Cbr \/\u003EContribution towards DNS-based Malware Detection at the DNS Recursive Level: Pleiades[3] is the second component of our early warning system against rising malware threats. In particular, Pleiades is able to detect the rise of Domain Name Generation (DGA) based botnets in a local network by statistical modeling of the unsuccessful DNS resolutions at the recursive DNS level of the monitored network. Pleiades is able to learn models from traffic generated by already known DGA-based malware and to detect active infections in the monitored networks.\u003Cbr \/\u003E\u003Cbr \/\u003E\u003Cbr \/\u003E[1] Antonakakis, M., Perdisci, R., Dagon, D., Lee, W., and Feamster, N., \u0022Building a Dynamic Reputation System for DNS,\u0022 in the Proceedings of the 19th USENIX Security Symposium (USENIX Security \u002710), 2010.\u003Cbr \/\u003E\u003Cbr \/\u003E[2] Antonakakis, M., Perdisci, R., Lee, W., Dagon, D., and Vasiloglou, N., \u0022Detecting Malware Domains at the Upper DNS Hierarchy,\u0022 in the Proceedings of the 20th USENIX Security Symposium (USENIX Security \u002711), 2011.\u003Cbr \/\u003E\u003Cbr \/\u003E[3] Antonakakis, M., Perdisci, R., Nadji, Y., Vasiloglou, N., Abu-Nimeh, S., Lee, W., and Dagon, D., \u0022From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based Malware,\u0022 to appear in the Proceedings of the 21st USENIX Security Symposium (USENIX Security \u002712), 2012.\u003C\/p\u003E","summary":null,"format":"limited_html"}],"field_subtitle":"","field_summary":"","field_summary_sentence":[{"value":"Improving Internet Security via Large-Scale Passive and Active DNS Monitoring"}],"uid":"1","created_gmt":"2012-04-27 09:28:36","changed_gmt":"2016-10-08 01:58:49","author":"Jupiter","boilerplate_text":"","field_publication":"","field_article_url":"","field_event_time":{"event_time_start":"2012-05-17T13:00:00-04:00","event_time_end":"2012-05-17T16:00:00-04:00","event_time_end_last":"2012-05-17T16:00:00-04:00","gmt_time_start":"2012-05-17 17:00:00","gmt_time_end":"2012-05-17 20:00:00","gmt_time_end_last":"2012-05-17 20:00:00","rrule":null,"timezone":"America\/New_York"},"extras":[],"groups":[{"id":"47223","name":"College of Computing"},{"id":"50875","name":"School of Computer Science"}],"categories":[],"keywords":[],"core_research_areas":[],"news_room_topics":[],"event_categories":[],"invited_audience":[],"affiliations":[],"classification":[],"areas_of_expertise":[],"news_and_recent_appearances":[],"phone":[],"contact":[{"value":"\u003Cp\u003E\u003Ca href=\u0022mailto:manos@cc.gatech.edu\u0022\u003EManos Antonakakis\u003C\/a\u003E\u003C\/p\u003E","format":"limited_html"}],"email":[],"slides":[],"orientation":[],"userdata":""}}}