[Colloq] Roberto Perdisci Talk: Friday November 2nd at 2:00pm 366 WVH

Bekerian, Nicole N.Bekerian at neu.edu
Wed Oct 31 09:48:00 EDT 2012


The College of Computer and Information Science presents:

Roberto Perdisci


Title: Discovery and Classification of DGA-based Malware
Date and Time: Friday November 2nd at 2:00pm
Location: 366 WVH


Abstract:

Lightweight network-based malware detection systems are often based on static domain name blacklists. Because such systems have seen a good level of success in the recent past, malware authors have begun employing domain generation algorithms (DGAs) to dynamically produce large numbers of pseudo-random command and control (C&C) domains, of which only a small subset is actually registered and successfully resolves to the current C&C servers. Furthermore, these pseudo-random C&C domains are active for only short periods of time, thus rendering detection approaches that rely on static domain blacklists ineffective.

Clearly, if we knew how a DGA works we could generate all domains ahead of time and still identify and block the malware C&C traffic. However, this usually requires reverse engineering the malware executables, which is not always feasible.



This talk presents a novel system capable of detecting pseudo-random domains generated by DGA-based malware without reversing. A key observation is that most DGA-generated domains that malware queries are not actually registered and would therefore result in non-existent domains (NXDs). Our approach uses a combination of clustering and classification algorithms. The clustering algorithm groups NXDs based on the similarity of the domain name strings as well as similarities in the groups of machines that queried them. This allows us to discover sets of NXDs generated by previously unknown DGA-based malware. The classification algorithm is used to assign the NXDs to models of previously identified DGAs, and to enable the detection of active DGA-generated C&C domains. We have implemented a prototype system and evaluated it on real-world DNS traffic obtained from large ISPs hosting millions of machines. Over a period of about fifteen months, our system was able to discover several previously unknown DGA-based malware and allowed us to detect and classify DGA-generated C&C domains with high accuracy.
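The sketch below is an added illustration of the two ideas in the abstract (grouping NXDOMAIN names by string similarity and by overlap in the hosts that queried them, then matching new names against a model of each discovered group). It is not the speaker's system or code from the talk: the log format, the three lexical features, the thresholds, the union-find clustering and every function name are assumptions chosen for the example, and the sample records are constructed, not real traffic. Real deployments would need a public-suffix list instead of the naive "second label" rule and far more traffic before a cluster is meaningful.

```python
import math
from collections import defaultdict
from itertools import combinations

# Constructed passive-DNS style records, "<client> <qname> <rcode>" (not real traffic).
# Three clients share three look-alike NXDs; two other clients only typo real sites.
SAMPLE_LOG = """\
10.0.0.5 xk3vq9zl2p.com NXDOMAIN
10.0.0.5 q7mz1rwt8b.net NXDOMAIN
10.0.0.5 www.example.com NOERROR
10.0.0.7 xk3vq9zl2p.com NXDOMAIN
10.0.0.7 t4hn8kz0qe.info NXDOMAIN
10.0.0.9 q7mz1rwt8b.net NXDOMAIN
10.0.0.9 t4hn8kz0qe.info NXDOMAIN
10.0.0.9 cdn.example.net NOERROR
10.0.0.12 gogle.com NXDOMAIN
10.0.0.12 facebok.com NXDOMAIN
10.0.0.14 wikipedai.org NXDOMAIN
"""


def parse_nxdomains(log):
    """Map each name that received an NXDOMAIN answer to the set of clients that queried it."""
    queried_by = defaultdict(set)
    for line in log.splitlines():
        client, qname, rcode = line.split()
        if rcode == "NXDOMAIN":
            queried_by[qname.lower().rstrip(".")].add(client)
    return dict(queried_by)


def second_level_label(qname):
    """'www.example.com' -> 'example'. Assumes a one-label TLD; real code needs a suffix list."""
    return qname.split(".")[-2]


def lexical_features(qname):
    """(label length, Shannon entropy in bits, digit ratio) of the second-level label."""
    label = second_level_label(qname)
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    digit_ratio = sum(ch.isdigit() for ch in label) / n
    return (n, entropy, digit_ratio)


def lexically_similar(f1, f2, len_tol=2, ent_tol=0.5, dig_tol=0.15):
    """Per-feature tolerances (assumed values) instead of a trained distance metric."""
    return (abs(f1[0] - f2[0]) <= len_tol
            and abs(f1[1] - f2[1]) <= ent_tol
            and abs(f1[2] - f2[2]) <= dig_tol)


def jaccard(a, b):
    return len(a & b) / len(a | b)


def cluster_nxdomains(queried_by, min_jaccard=0.2):
    """Link two NXDs when their labels look alike AND overlapping hosts asked for both;
    connected components of that graph (union-find) are the candidate DGA clusters."""
    names = sorted(queried_by)
    feats = {n: lexical_features(n) for n in names}
    parent = {n: n for n in names}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(names, 2):
        if lexically_similar(feats[a], feats[b]) and \
                jaccard(queried_by[a], queried_by[b]) >= min_jaccard:
            parent[find(a)] = find(b)
    groups = defaultdict(list)
    for n in names:
        groups[find(n)].append(n)
    return [sorted(g) for g in groups.values()]


def suspicious_clusters(clusters, queried_by, min_domains=3, min_hosts=2):
    """Keep only groups large enough, and spread over enough hosts, to look like a DGA rather
    than one user's typos. Sorted for deterministic output."""
    keep = []
    for c in clusters:
        hosts = set().union(*(queried_by[n] for n in c))
        if len(c) >= min_domains and len(hosts) >= min_hosts:
            keep.append(c)
    return sorted(keep)


def build_model(cluster):
    """A DGA 'model' here is just the centroid of the cluster's lexical features."""
    fs = [lexical_features(n) for n in cluster]
    return tuple(sum(f[i] for f in fs) / len(fs) for i in range(3))


def classify(qname, models):
    """Assign a name (NXDOMAIN or a name that DID resolve, i.e. a live C&C candidate) to the
    first model it is lexically close to; None means it matches no known DGA."""
    f = lexical_features(qname)
    for i, m in enumerate(models):
        if lexically_similar(f, m):
            return i
    return None


if __name__ == "__main__":
    qb = parse_nxdomains(SAMPLE_LOG)
    found = suspicious_clusters(cluster_nxdomains(qb), qb)
    print("candidate DGA clusters:", found)
    models = [build_model(c) for c in found]
    for name in ("m2ks7xw0ae.biz", "example.com"):
        print(name, "->", classify(name, models))
```

The point of the two-sided linking rule is that neither signal alone suffices: the typo names `facebok.com` and `wikipedai.org` are lexically close enough to pass the string test but are never queried by the same hosts, while `gogle.com` and `facebok.com` share a querying host but differ lexically, so none of them join the cluster of look-alike NXDs that three hosts emit in common. Once that cluster exists, its centroid lets the same features flag a fresh name of the same shape even when it resolves.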
Bio:

Roberto Perdisci is an Assistant Professor in the Computer Science department at the University of Georgia, an Adjunct Assistant Professor in the Georgia Tech School of Computer Science, and a faculty member of the UGA Institute for Artificial Intelligence. Before joining UGA he was a Post-Doctoral Fellow at the College of Computing of the Georgia Institute of Technology, and Principal Scientist at Damballa, Inc., a network security company based in Atlanta, GA.
His research interests are in computer and network security, and in machine learning/data mining techniques for efficient analysis and modeling of large datasets. In particular, he is currently focusing on modeling and detecting botnets based on their network behavior.

Host: Engin Kirda

Best,
Nicole


Nicole Bekerian
Administrative Coordinator

Northeastern University
College of Computer and Information Science
360 Huntington Ave.
202 West Village H
Boston, MA  02115

Phone: 617.373.2462
Fax: 617.373.5121