As of August the 30th I may call myself a Master of Science (MSc.). At that date I have successfully defended my thesis titled “Combating Snowshoe Spam with Fire”. People have often asked if ‘Fire’ is some kind of an acronym, it ain’t 😉
In the thesis we detail how DNS configurations may be used to track down snowshoe spam domains. Snowshoe spam spreads out the sending over a great number of hosts to reduce the volume per host, making the individual hosts harder to detect and blacklist.
The third publication for the TIDE project. Details more formally the research questions of this project.
The DNS is a core service for the Internet. Most uses of the DNS are benign, but some are malicious. Attackers often use a DNS do- main to enable an attack (e.g. DDoS attacks). Detection of these attacks often happens passively, but this leads to a reactive detection of attacks. However, registering and configuring a domain takes time. We want to pro-actively identify malicious domains during this time. Identifying ma- licious domains before they are used allows to pre-emptively stop an attack before it happens. We aim to accomplish this goal by analysing active DNS measurements. Via the analysis of active DNS measurements there is a window of opportunity between the registration time and the time of an attack, to identify a threat before it becomes an attack. Active DNS measurements allows us to analyse the configuration of a domain. Using the configuration of a domain we can predict if it will be used for malicious intent. Machine Learning (ML) is often used to process large datasets, because it is efficient and dynamic. This is the reason we want to use ML for the detection of malicious domains. Since our results are predictive in nature, methodology for validation of our results need to be developed. Because, at the time of the detection no ground truth is (yet) available.
The second publication for the TIDE project. It has received the Best Paper Award at NOMS 2018.
Snowshoe spam is a type of spam which is notoriously hard to detect. Differently from regular spam, snowshoe spammers distribute the volume among many hosts, in order to make detection harder. To be successful, however spammers need to appear as legitimate as possible, for example, by adopting email best practice like Sender Policy Framework (SPF). This requires spammers to register and configure legitimate DNS domains. Previous studies uses DNS data to detect spam. However, this often happens based on passive DNS data. In this paper we take a different approach. We make use of active DNS measurements, covering more than 60% of the namespace, in combination with machine learning to identify malicious domains crafted for snowshoe spam. Our results show that we are able to detect snowshoe spam domains with a precision of more than 93%. Also, we are able to detect a subset of the malicious domain 2?104 days earlier than the spam reputation systems (blacklists) currently in use, which suggest our method can give us a time advantage in the fight against spam. In a real-life scenario, we have shown that our results allow spam filter operators to block spam that would otherwise bypass their mail filter. A Realtime Blackhole List (RBL) based on our approach is currently deployed in the operational network of a major Dutch ISP.
TIDE was present at the Network Operations and Management Symposium (NOMS 2018) conference in Taipei, Taiwan. Olivier was there to present “Melting the Snow: Detecting Snowshoe Spam Domains Using Active DNS Measurements”.
NOMS 2018 was held in Taipei, Taiwan, from the 23rd till the 27th of April. NOMS has been held in every even-numbered year since 1988. This was the 30th anniversary of NOMS.
Our work was very well received at the conference. So well, in fact, that they gave us the the Best Paper Award!
For the last couple of weeks I have been developing a Virtual Reality Browser. In true Linux fashion, I was not satisfied with the VR Browsers available in the Google Play Store, so I developed my own. Yes, I know, to really adhere to the fashion I should fork an existing one…
It is, has been, an interesting experience. This is mainly due to me not having any experience in Android app development, at all. Having no OpenGL experience did not really help either.
