SaTC: CORE: Medium: Large-Scale Characterization of DNS Abuse

SaTC：核心：中：DNS 滥用的大规模特征

• 批准号: 1705050
• 负责人: Stefan Savage
• 金额: $ 120万
• 依托单位: University of California-San Diego
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2017
• 资助国家: 美国
• 起止时间: 2017-07-15 至 2021-06-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1705050&HistoricalAwards=false
• 关键词: SaTC; CORE; Medium; Large; Scale

The domain name system (DNS) is one of the most critical pieces of Internet infrastructure in use today. It underlies how we name nearly all Internet resources, such as "nsf.gov", and its correct operation is implicitly assumed both by end users and in the design of many important applications such as email and the World Wide Web. Unfortunately, DNS is also abused in a wide variety of ways to support criminal activities such as spam, phishing, fraud, and host compromise. The goal of this research is to develop infrastructure for the comprehensive and frequent auditing of the domain name system as a basis for discovering and understanding the impact of abuse and attacks on the health of the DNS and the Internet as a whole, and how changes in the domain name system facilitate new kinds of abuse and attacks. Given the indiscriminate nature of Internet abuse, ensuring the vitality of the DNS ecosystem can positively benefit virtually all Internet users. The project itself will also create educational opportunities for students at a variety of levels, expanding the research skills of postdoc, graduate, and undergraduate students.This research will perform large-scale measurement of many sources of data which, when combined, will provide a global perspective on the health of the DNS, and develop analysis techniques for scalably identifying and characterizing the nature of DNS abuse. We will comprehensively survey DNS to capture the bindings of all key records. We will crawl registered domains in all top-level domains for which we can obtain data, and regularly repeat this survey over time to look for changes. We will scan resources linked to domains, including Web sites, mail servers, login and application servers, any certificates that they provide, linked registration records, results of search engine queries and contemporaneous data from both a range of threat intelligence and passive DNS feeds. We will perform such measurements from a variety of geographically diverse IP addresses to capture differences due to national DNS infrastructure and cache poisoning attacks. We will build tools to process this considerable amount of data to efficiently identify changes in DNS mapping state and characterize abusive behavior. Finally, we will produce an overall analysis of DNS abuse Internet-wide, as revealed by our measurements, in which we capture the prevalence of different kinds of abuse, and what the abusers are using it for.

域名系统（DNS）是当今使用的互联网基础设施中最关键的部分之一。 它是我们如何命名几乎所有互联网资源的基础，例如“nsf.gov“，其正确操作被最终用户和许多重要应用程序（如电子邮件和万维网）的设计隐含地假定。不幸的是，DNS也以各种方式被滥用，以支持垃圾邮件、网络钓鱼、欺诈和主机入侵等犯罪活动。 本研究的目标是开发对域名系统进行全面和频繁审计的基础设施，作为发现和了解滥用和攻击对DNS和整个互联网健康状况的影响以及域名系统的变化如何促进新类型滥用和攻击的基础。 鉴于互联网滥用的不分青红皂白的性质，确保DNS生态系统的活力可以使几乎所有互联网用户受益。 该项目本身也将为不同层次的学生创造教育机会，扩展博士后、研究生和本科生的研究技能。该研究将对多种数据源进行大规模测量，当这些数据结合在一起时，将提供DNS健康状况的全球视角，并开发分析技术，以可扩展地识别和表征DNS滥用的性质。 我们将全面调查DNS以捕获所有关键记录的绑定。我们将抓取所有顶级域名中的注册域名，我们可以获得这些域名的数据，并随着时间的推移定期重复这项调查，以寻找变化。 我们将扫描链接到域的资源，包括网站、邮件服务器、登录和应用程序服务器、它们提供的任何证书、链接的注册记录、搜索引擎查询结果以及来自一系列威胁情报和被动DNS源的同期数据。 我们将从各种地理位置不同的IP地址执行此类测量，以捕获由于国家DNS基础设施和缓存中毒攻击而导致的差异。 我们将构建工具来处理大量数据，以有效地识别DNS映射状态的变化并描述滥用行为。 最后，我们将对整个互联网范围内的DNS滥用进行全面分析，正如我们的测量所揭示的那样，我们在其中捕获了不同类型滥用的流行程度以及滥用者使用它的目的。

项目成果

Reading the Tea leaves: A Comparative Analysis of Threat Intelligence

• 发表时间: 2019
• 期刊: 2020 IEEE International Conference on Big Data (Big Data)
• 作者: Vector Guo Li;M. Dunn;P. Pearce;Damon McCoy;G. Voelker;S. Savage

Characterization of Anycast Adoption in the DNS Authoritative Infrastructure

DNS 权威基础设施中选播采用的特征

• 发表时间: 2021
• 期刊: Network Traffic Measurement and Analysis Conference (TMA'21
• 作者: Sommese, Raffaele;Akiwate, Gautam;Jonker, Mattijs;Moura, Giovane C.;Davids, Marco;Rijswijk-Deij, Roland van;Voelker, Geoffrey M.;Savage, Stefan;Claffy, kc;Sperotto, Anna
• 通讯作者: Sperotto, Anna

Detecting and Characterizing Lateral Phishing at Scale

• 发表时间: 2019-10
• 作者: Grant Ho;Asaf Cidon;Lior Gavish;M. Schweighauser;V. Paxson;S. Savage;G. Voelker;D. Wagner

Hack for Hire: Exploring the Emerging Market for Account Hijacking

• DOI: 10.1145/3308558.3313489
• 发表时间: 2019-05
• 期刊: The World Wide Web Conference
• 作者: A. Mirian;Joe DeBlasio;S. Savage;G. Voelker;Kurt Thomas

Hopper: Modeling and Detecting Lateral Movement

料斗：建模和检测横向运动

• 发表时间: 2021
• 期刊: USENIX Security Symposium
• 作者: Ho, Grant;Dhiman, Mayank;Akhawe, Devdatta;Paxson, Vern;Savage, Stefan;Voelker, Geoffrey M.;Wagner, David
• 通讯作者: Wagner, David