Skip to main content

Discovering Malicious Domains through Passive DNS Data Graph Analysis

Dr. Issa Khalil,  principal scientist in the Cyber Security group at the Qatar Computing Research Institute (QCRI)

04-Mai-2018, 11.00 to 12:00

Location:  DIMA, TU Berlin, E-N 719

Abstract:

Discovering Malicious Domains through Passive DNS Data Graph Analysis

Despite many efforts, the number of malicious domains, breeding grounds for many devastating security attacks, is on the rise. This project aims to discover many undiscovered malicious domains much ahead of them being used to launch actual attacks, so that such attacks may be nipped in the bud. In particular, we develop techniques to extract meaningful associations among malicious domains through the analysis of DNS data. Unlike traditional research efforts that focus on local features, we propose to discover and analyze global associations among domains. The key challenges are (1) to build meaningful associations among domains; and (2) to use these associations to reason about the potential maliciousness of domains. For the first challenge, we take advantage of the modus operandi of attackers. To avoid detection, malicious domains exhibit dynamic behavior by, for example, frequently changing the malicious domain-IP resolutions and creating new domains. This makes it very likely for attackers to reuse resources leading to intrinsic association among domains. For the second challenge, we develop graph-based inference techniques over associated domains. Our approach is based on the intuition that a domain having strong associations with known malicious domains is likely to be malicious. Carefully established associations enable the discovery of a large set of new malicious domains using a very small set of previously known malicious ones. Although our initial focus is on detecting malicious domains, we plan to explore new ways to detect other malicious vectors such as IPs, end hosts, users, mobile applications, and malicious files.

Short Bio:

Issa Khalilreceived PhD degree in Computer Engineering from Purdue University, USA in 2007. Immediately thereafter he joined the College of Information Technology (CIT) of the United Arab Emirates University (UAEU) where he served as an associate professor and department head of the Information Security Department. In 2013, Khalil joined the Cyber Security Group in the Qatar Computing Research Institute (QCRI), a member of Qatar Foundation, as a Senior Scientist, and a Principal Scientist since 2016. Khalil’s research interests span the areas of wireless and wireline network security and privacy. He is especially interested in security data analytics, network security, and private data sharing. His novel technique to discover malicious domains following the guilt-by-association social principle attracts the attention of local media and stakeholders, and received the best paper award in CODASPY 2018. Dr. Khalil served as organizer, technical program committee member and reviewer for many international conferences and journals. He is a senior member of IEEE and member of ACM and delivers invited talks and keynotes in many local and international forums. In June 2011, Khalil was granted the CIT outstanding professor award for outstanding performance in research, teaching, and service.