Speaker: Stefano Schiavoni (Politecnico di Milano, Italy)
Stefano received a B.Sc. and M.Sc. "summa cum laude" in Computer Engineering from Politecnico di Milano (TU Milan) in Italy. His research focused on computer security and machine learning; in particular, he tackled the problem of botnets employing domain-flux. Stefano also received an M.Sc. in Computer Science from the University of Illinois at Chicago. Since May 2013, Stefano has been working as a Software Engineer at Google in London, UK.
Title: Tracking and Characterizing Botnets Using Automatically Generated Domains
Modern botnets rely on domain-generation algorithms (DGAs) to build resilient command-and-control infrastructures that are difficult to track or deactivate. Considerable attention has been given to recognizing automatically generated domains (AGDs) from DNS traffic, in order to identify previously unknown AGDs, which helps in the task of disrupting botnets' communication capabilities.
Unfortunately, until now such approaches have required deploying low-level DNS sensors to access data whose collection poses practical and privacy issues, making their adoption problematic. Instead, we propose a system that exploits publicly available and privacy-preserving databases of historical recursive-level DNS traffic. By analyzing such data through linguistic models of suspicious domains, we are able to identify automatically generated domain names, characterize their DGAs, isolate logical groups of domains that represent the respective botnets, enrich those groups with new, previously unknown automatically generated domain names, and produce novel knowledge about the evolving behavior of each tracked botnet.
We evaluated our approach on millions of real-world domains and showed that it correctly isolates families of automatically generated domains that belong to distinct DGAs, and distinguishes automatically generated from non-automatically generated domains in 94.8 percent of the cases. We will show several case studies of our system at work.
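A minimal illustration of the linguistic scoring the abstract describes, added here as an example and not the speaker's system: it computes two features of a domain's second-level label, the share of characters covered by dictionary words and the mean log-probability of its character bigrams under a model trained on known-benign labels, and flags labels that score low on both. The word list, training labels and thresholds are constructed for the demonstration and are assumptions, not values from the talk.

```python
import math
from collections import Counter

# Constructed stand-ins: a tiny "dictionary" and a few benign second-level labels
# used to train the character-bigram model. A real deployment would use a full
# word list and a large set of known-benign domains.
WORDS = {"face", "book", "google", "mail", "news", "online", "bank", "shop",
         "cloud", "store", "secure", "login"}
BENIGN_LABELS = ["facebook", "googlemail", "newsonline", "bankshop",
                 "cloudstore", "securelogin"]

def sld_label(domain):
    """Second-level label of a domain (simplification: ignores multi-label suffixes such as co.uk)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def meaningful_ratio(label, words=WORDS):
    """Fraction of characters covered by dictionary words of length >= 3 (longest match per position)."""
    covered = [False] * len(label)
    for i in range(len(label)):
        for j in range(len(label), i + 2, -1):      # try longest substring first
            if label[i:j] in words:
                covered[i:j] = [True] * (j - i)
                break
    return sum(covered) / len(label) if label else 0.0

def train_bigrams(labels):
    """Count character bigrams over benign labels; returns (counts, total)."""
    counts = Counter(a + b for lab in labels for a, b in zip(lab, lab[1:]))
    return counts, sum(counts.values())

def bigram_normality(label, counts, total):
    """Mean log-probability of the label's bigrams under the benign model (add-one smoothing over 26*26 pairs)."""
    pairs = [a + b for a, b in zip(label, label[1:])]
    if not pairs:
        return -math.inf
    return sum(math.log((counts[p] + 1) / (total + 26 * 26)) for p in pairs) / len(pairs)

MODEL = train_bigrams(BENIGN_LABELS)
# Assumed thresholds: flag only labels that look less "normal" than every benign
# training label AND have fewer than half their characters covered by words.
NORMALITY_THRESHOLD = min(bigram_normality(l, *MODEL) for l in BENIGN_LABELS)
RATIO_THRESHOLD = 0.5

def features(domain):
    label = sld_label(domain)
    return {"label": label,
            "meaningful_ratio": meaningful_ratio(label),
            "bigram_normality": bigram_normality(label, *MODEL)}

def flag_suspicious(domain):
    f = features(domain)
    return f["meaningful_ratio"] < RATIO_THRESHOLD and f["bigram_normality"] < NORMALITY_THRESHOLD
```

Running `features` over a candidate list gives the per-domain scores; `flag_suspicious` applies the two thresholds, and in practice both would be tuned on labelled data rather than fixed as here.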