Recently cyber-criminals have been leveraging the domain name system (DNS) to build agile malicious network infrastructures in support of their criminal activities. For example, botnets and other types of malware typically use DNS to locate their command-and-control (C&C) servers. Another example of such malicious use of DNS is represented by flux networks, which make use of fast-flux domains, i.e., domains whose set of resolved IPs changes abnormally frequently, to support spam campaigns, phishing websites, browser exploits, etc.

In this project, the PIs will develop a suite of open-source tools that use passive and active DNS traffic monitoring to detect and track the evolution in time of malicious domains. In particular, the PIs will develop and publicly release FluxBuster, a system that is able to detect flux networks "in the wild" by passively monitoring DNS traffic collected from many different networks through the ISC Security Information Exchange (ISC/SIE) framework. Along with FluxBuster, the PIs will develop and release DNS monitoring tools that leverage passive and active approaches to detect and track the evolution in time of malware-related (e.g., C&C) domain names.

The PIs plan to deploy the proposed tools and make their results available to the security community. This project can therefore broadly benefit society, in that it produces results that are readily usable by security researchers, network operators, and law enforcement agencies to identify and block malicious domains and combat cyber-criminal activities, thus contributing to making the Internet more secure.

Agency
National Science Foundation (NSF)
Institute
Division of Advanced CyberInfrastructure (ACI)
Type
Standard Grant (Standard)
Application #
1127195
Program Officer
Kevin L. Thompson
Project Start
Project End
Budget Start
2011-09-01
Budget End
2014-08-31
Support Year
Fiscal Year
2011
Total Cost
$379,988
Indirect Cost
Name
University of Georgia
Department
Type
DUNS #
City
Athens
State
GA
Country
United States
Zip Code
30602