Attacks on computer networks are an all too familiar event, leaving operators with little choice but to deploy a myriad of monitoring devices to ensure dependable and stable service on the networks they operate. However, as networks grow bigger and faster, staying ahead of the constant deluge of attack traffic is becoming increasingly difficult. A case in point is the attacks on enterprise name servers that interact with the Domain Name System (DNS). These name servers are critical infrastructure, busily translating human readable domain names to IP addresses. DNS is a hotbed of malicious activity, and when properly monitored, it can offer invaluable information about network attacks and malicious activity.

This project furthers our collective understanding of the growing abuse of enterprise name servers, whereby infected clients (bots) use automated domain-name generation algorithms to bypass network defenses. More specifically, it develops a framework, based on sequential hypothesis testing, for accurately identifying bots after observing only a handful of unique lookups. Integrating NetFlow records, together with novel indexing data structures for them, delivers even deeper insight into aberrant traffic. A live deployment of the system demonstrates the utility of this approach and provides the opportunity to interactively query the recorded forensic information.
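The abstract names sequential hypothesis testing but does not spell out the test. The sketch below is an added illustration, not code from the project: it applies Wald's sequential probability ratio test (SPRT) per client to a stream of DNS log lines. Everything specific is an assumption made here for the example: the evidence feature (a unique query name that the server answered NXDOMAIN, since DGA bots burn through many non-existent names), the per-hypothesis probabilities theta0 and theta1, the error bounds alpha and beta, and the constructed log format and sample lines.

```python
import math
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Assumed parameters (not from the abstract): probability that a unique
# lookup fails with NXDOMAIN under the benign hypothesis H0 and under the
# bot hypothesis H1, plus the tolerated false-positive and false-negative
# rates. Wald's SPRT turns alpha/beta into two fixed decision thresholds.
THETA0 = 0.10   # P(NXDOMAIN | benign client)
THETA1 = 0.80   # P(NXDOMAIN | DGA bot)
ALPHA = 0.01    # tolerated rate of flagging a benign client
BETA = 0.01     # tolerated rate of missing a bot

UPPER = math.log((1 - BETA) / ALPHA)      # accept H1 (bot) at or above this
LOWER = math.log(BETA / (1 - ALPHA))      # accept H0 (benign) at or below this
LLR_HIT = math.log(THETA1 / THETA0)       # evidence added by one NXDOMAIN
LLR_MISS = math.log((1 - THETA1) / (1 - THETA0))  # evidence added by one NOERROR


@dataclass
class ClientState:
    llr: float = 0.0                 # running log-likelihood ratio
    n: int = 0                       # unique lookups observed so far
    verdict: Optional[str] = None    # "bot", "benign", or None while undecided


def update(state: ClientState, nxdomain: bool) -> Optional[str]:
    """Fold one observation into the client's SPRT and return its verdict."""
    if state.verdict is not None:    # decided clients stop accumulating
        return state.verdict
    state.n += 1
    state.llr += LLR_HIT if nxdomain else LLR_MISS
    if state.llr >= UPPER:
        state.verdict = "bot"
    elif state.llr <= LOWER:
        state.verdict = "benign"
    return state.verdict


def run(log: str) -> Dict[str, Tuple[Optional[str], int]]:
    """Replay 'ts client qname rcode' lines; return {client: (verdict, n)}.

    Repeated queries for the same name by the same client are collapsed so a
    single failing name retried many times does not masquerade as many
    independent pieces of evidence (a practitioner's caveat, assumed here).
    """
    states: Dict[str, ClientState] = {}
    seen: Set[Tuple[str, str]] = set()
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, rcode = line.split()
        if (client, qname.lower()) in seen:
            continue
        seen.add((client, qname.lower()))
        st = states.setdefault(client, ClientState())
        update(st, rcode == "NXDOMAIN")
    return {c: (s.verdict, s.n) for c, s in states.items()}


# Constructed sample log (not real traffic): one ordinary client and one
# client cycling through algorithmically generated names.
SAMPLE_LOG = """\
1409546400 10.0.0.5 www.example.com NOERROR
1409546401 10.0.0.5 mail.example.com NOERROR
1409546402 10.0.0.5 cdn.example.net NOERROR
1409546403 10.0.0.5 docs.example.org NOERROR
1409546400 10.0.0.9 kq3v9z2x.biz NXDOMAIN
1409546400 10.0.0.9 kq3v9z2x.biz NXDOMAIN
1409546401 10.0.0.9 p8dmw1ra.info NXDOMAIN
1409546402 10.0.0.9 zz0t4hbc.net NXDOMAIN
1409546403 10.0.0.9 c2.example.com NOERROR
"""

if __name__ == "__main__":
    for client, (verdict, n) in run(SAMPLE_LOG).items():
        print(f"{client}: {verdict} after {n} unique lookups")
```

With these parameters, three consecutive NXDOMAIN answers push a client's log-likelihood ratio past ln(99) and it is flagged after its third unique lookup, while four successful resolutions are needed before a client is cleared; one stray typo by a human does not flip the decision because theta0 already budgets for occasional failures. Loosening alpha or beta moves the thresholds inward and shortens the test at the cost of more errors.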

Agency: National Science Foundation (NSF)
Institute: Division of Computer and Network Systems (CNS)
Type: Standard Grant (Standard)
Application #: 1421703
Program Officer: Kevin Thompson
Project Start:
Project End:
Budget Start: 2014-09-01
Budget End: 2017-08-31
Support Year:
Fiscal Year: 2014
Total Cost: $492,000
Indirect Cost:
Name: University of North Carolina Chapel Hill
Department:
Type:
DUNS #:
City: Chapel Hill
State: NC
Country: United States
Zip Code: 27599