Recently, cyber-criminals have been leveraging the domain name system (DNS) to build agile malicious network infrastructures in support of their criminal activities. For example, botnets and other types of malware typically use DNS to locate their command-and-control (C&C) servers. Another example of such malicious use of DNS is represented by flux networks, which make use of fast-flux domains, i.e., domains whose set of resolved IPs changes abnormally frequently, to support spam campaigns, phishing websites, browser exploits, etc.
In this project, the PIs will develop a suite of open-source tools that use passive and active DNS traffic monitoring to detect malicious domains and track how they evolve over time. In particular, the PIs will develop and publicly release FluxBuster, a system that is able to detect flux networks "in the wild" by passively monitoring DNS traffic collected from many different networks through the ISC Security Information Exchange (ISC/SIE) framework. Along with FluxBuster, the PIs will develop and release DNS monitoring tools that leverage passive and active approaches to detect malware-related (e.g., C&C) domain names and track how they evolve over time.
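As an added illustration of the passive-DNS approach described above (not FluxBuster's code or any tool from this project), the following script applies simple fast-flux heuristics to constructed passive-DNS records; the record layout, thresholds and domain names are assumptions made for the example.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed passive-DNS observations, as a sensor might export them:
# (unix_time, queried_domain, resolved_ipv4, ttl_seconds)
OBSERVATIONS = [
    (1000, "shop.example.com", "203.0.113.10", 3600),
    (4600, "shop.example.com", "203.0.113.10", 3600),
    (8200, "shop.example.com", "203.0.113.11", 3600),
    (1000, "fluxy.example.net", "198.51.100.5", 180),
    (1200, "fluxy.example.net", "192.0.2.77", 180),
    (1400, "fluxy.example.net", "198.51.100.9", 180),
    (1600, "fluxy.example.net", "203.0.113.200", 180),
    (1800, "fluxy.example.net", "192.0.2.14", 180),
    (2000, "fluxy.example.net", "198.51.100.33", 180),
]

def summarize(observations):
    """Per-domain features: distinct resolved IPs, distinct /24 prefixes,
    observation window, minimum TTL and rate of new IPs per hour."""
    per_domain = defaultdict(list)
    for ts, name, ip, ttl in observations:
        per_domain[name].append((ts, ip, ttl))
    feats = {}
    for name, rows in per_domain.items():
        ips = {ip for _, ip, _ in rows}
        # Collapse each IP to its /24 so one hosting block counts once.
        prefixes = {str(ip_network(f"{ip}/24", strict=False).network_address)
                    for ip in ips}
        times = [ts for ts, _, _ in rows]
        window = max(times) - min(times)
        feats[name] = {
            "distinct_ips": len(ips),
            "distinct_prefixes": len(prefixes),
            "window_s": window,
            "min_ttl": min(ttl for _, _, ttl in rows),
            "ips_per_hour": len(ips) / (window / 3600) if window else float(len(ips)),
        }
    return feats

def flux_candidates(observations, min_ips=5, min_prefixes=3, max_ttl=300):
    """Flag domains whose resolved-IP set is large, spread across many
    networks and advertised with short TTLs (assumed thresholds)."""
    out = []
    for name, f in summarize(observations).items():
        if (f["distinct_ips"] >= min_ips and f["distinct_prefixes"] >= min_prefixes
                and f["min_ttl"] <= max_ttl):
            out.append(name)
    return sorted(out)
```

On real sensor data these thresholds would be tuned against legitimate CDN and round-robin domains, which also rotate IPs but usually within few prefixes and with longer TTLs.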
The PIs plan to deploy the proposed tools and make their results available to the security community. This project can therefore broadly benefit society, in that it produces results that are readily usable by security researchers, network operators, and law enforcement agencies to identify and block malicious domains and combat cyber-criminal activities, thus contributing to making the Internet more secure.