SDCI Sec: Passive and Active DNS Monitoring Tools for Detecting and Tracking the Evolution of Malicious Domain Names

SDCI Sec：用于检测和跟踪恶意域名演变的被动和主动 DNS 监控工具

• 批准号: 1127195
• 负责人: Roberto Perdisci
• 金额: $ 38万
• 依托单位: University of Georgia Research Foundation Inc
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2011
• 资助国家: 美国
• 起止时间: 2011-09-01 至 2019-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1127195&HistoricalAwards=false
• 关键词: SDCI; Sec; Passive; Active; DNS

Recently cyber-criminals have been leveraging the domain name system (DNS) to build agile malicious network infrastructures in support of their criminal activities. For example, botnets and other types of malware typically use DNS to locate their command-and-control (C&C) servers. Another example of such malicious use of DNS is represented by flux networks, which make use of fast-flux domains, i.e., domains whose set of resolved IPs changes abnormally frequently, to support spam campaigns, phishing websites, browser exploits, etc.In this project, the PIs will develop a suite of open-source tools that use passive and active DNS traffic monitoring to detect and track the evolution in time of malicious domains. In particular, the PIs will develop and publicly release FluxBuster, a system that is able to detect flux networks "in the wild" by passively monitoring DNS traffic collected from many different networks through the ISC Security Information Exchange (ISC/SIE) framework. Along with FluxBuster, the PIs will develop and release DNS monitoring tools that leverage passive and active approaches to detect and track the evolution in time of malware-related (e.g., C&C) domain names.The PIs plan to deploy the proposed tools and make their results available to the security community. This project can therefore broadly benefit society, in that it produces results that are readily usable by security researchers, network operators, and law enforcement agencies to identify and block malicious domains and combat cyber-criminal activities, thus contributing to making the Internet more secure.

最近，网络犯罪分子一直在利用域名系统(DNS)建立灵活的恶意网络基础设施，以支持他们的犯罪活动。例如，僵尸网络和其他类型的恶意软件通常使用DNS来定位它们的命令与控制(C&amp；C)服务器。这种恶意使用DNS的另一个例子是通量网络，它利用快速通量域，即其解析的IP集异常频繁地变化的域，来支持垃圾邮件活动、网络钓鱼网站、浏览器利用等。在这个项目中，PI将开发一套开源工具，使用被动和主动的DNS流量监控来检测和跟踪恶意域的演变。特别是，PIS将开发并公开发布FlosBuster，这是一个能够通过ISC安全信息交换(ISC/SIE)框架被动监控从许多不同网络收集的DNS流量来检测流量网络的系统。与FlosBuster一起，PI将开发和发布利用被动和主动方法来检测和跟踪与恶意软件相关(例如，C&amp；C)域名的时间演变的DNS监控工具。PI计划部署建议的工具，并将其结果提供给安全社区。因此，该项目可以广泛造福社会，因为它产生的结果可供安全研究人员、网络运营商和执法机构随时使用，以识别和阻止恶意域并打击网络犯罪活动，从而有助于使互联网更安全。