ONLINE REGISTRATION CLOSES OCT 13TH AT 23:59 MYT

Walk-in registrations at The InterContinental for the conference on the 16th and 17th are still accepted (walk-in rate MYR1499).

For up-to-the-minute updates on #HITB2013KUL including on-site happenings during the event, please follow @hitbsecconf on Twitter.

Stefano Zanero & Stefano Schiavoni (Politecnico di Milano)

PRESENTATION TITLE: Tracking and Characterizing Botnets Using Automatically Generated Domains

PRESENTATION ABSTRACT:

Modern botnets rely on domain-generation algorithms (DGAs) to build resilient command-and-control infrastructures that are difficult to track or deactivate. Considerable attention has been given to recognizing automatically generated domains (AGDs) from DNS traffic, in order to identify previously unknown AGDs, which helps in the task of disrupting botnets’ communication capabilities.

Unfortunately, until now such approaches have required deploying low-level DNS sensors to access data whose collection poses practical and privacy issues, making their adoption problematic. Instead, we propose a system that exploits publicly available and privacy-preserving databases of historical recursive-level DNS traffic. By analyzing such data through linguistic-based models of suspicious domains, we are able to identify automatically generated domain names, characterize their DGAs, isolate logical groups of domains that represent the respective botnets, enrich those groups with new, previously unknown automatically generated domain names, and produce novel knowledge about the evolving behavior of each tracked botnet.

We evaluated our approach on millions of real-world domains, and showed that it correctly isolates families of automatically generated domains that belong to distinct DGAs, and distinguishes automatically generated from non-automatically generated domains in 94.8 percent of the cases. We will show several case studies of our system at work.

This is the result of a joint project between Politecnico di Milano and Royal Holloway University of London, with the help of Dr. Lorenzo Cavallaro and Dr. Federico Maggi.

ABOUT STEFANO ZANERO

Stefano Zanero received a PhD in Computer Engineering from Politecnico di Milano, where he is currently an assistant professor with the Dipartimento di Elettronica, Informazione e Bioingegneria. His research focuses on intrusion detection, malware analysis, and systems security. Besides teaching “Computer Security” at Politecnico, he has extensive speaking and training experience in Italy and abroad. He has co-authored over 40 scientific papers and books. He is an associate editor for the “Journal in computer virology”. He is a Senior Member of the IEEE (covering volunteer positions at national and regional level), the IEEE Computer Society (for which he is a member of the Board of Governors), and a lifetime member of the ACM. Stefano co-founded the Italian chapter of ISSA (Information System Security Association), of which he is a senior member. He sits on the International Board of Directors of the same association. A long-time op-ed writer for magazines (among which “Computer World”), Stefano is also a co-founder and chairman of Secure Network S.r.l., a leading Italian information security consulting firm.

ABOUT STEFANO SCHIAVONI

Stefano received a B.Sc. and M.Sc. “summa cum laude” in Computer Engineering from Politecnico di Milano university in Italy. His research focused on computer security and machine learning. In particular, he tackled the problem of botnets employing domain-flux. Stefano also received an M.Sc. in Computer Science from the University of Illinois at Chicago. Since May 2013, Stefano has been working as a Software Engineer at Google in London, UK.

Copyright © 2013 Hack In The Box | http://www.hackinthebox.org