Interested in Discussing: My focuses have been Big Data Analytics, Data Correlation, Insider Threat, including intruders already inside the fence, and high-security operating systems and applications.

Interested in Discussing: DNS cluster behavior / DNS security

Interested in Discussing: Spam, Malware and Botnets

Interested in Discussing: everything

Interested in Discussing: Botnet tracking, spam counting, frameworks (legal and operational) for encouraging data sharing

Talk Abstract: At a recent workshop, David Dagon taught a training session where participants learned how to process DNS messages with NMSG. He will discuss lessons learned from such training.

Talk Title: DNS Path Measurement

Talk Abstract: David Dagon will discuss what DNS path measurement is and show measurements of DNS path information from the view of botnets.

Interested in Discussing: Darknet traffic. using passive dns data for research on malware

Talk Abstract: As DNSSEC deployment grows, there is a need to measure how its being deployed and maintained. The data from such analysis will serve to show where improvements can be made in deployment and in the protocol itself to make it more successful as a security feature in the suite of Internet protocols. We discuss in this talk analysis perspectives, such as active and passive monitoring and cache introspection, and how each contributes to qualitative DNS measurement.

Interested in Discussing: Active/passive DNS measurement

Talk Abstract: The SSTable (Sorted String Table) is a data structure used in various "NoSQL" databases: Google BigTable, Google LevelDB, Apache Cassandra, and Apache Hadoop all have their own implementations. This talk will describe ISC's implementation of this algorithm, called "mtbl", and "dnstable", a real world example of an application built on top of mtbl, which powers the ISC DNSDB search engine.

Interested in Discussing: SIE

Interested in Discussing: DNS and SIE data sharing

Interested in Discussing: Datasharing

Interested in Discussing: everything

Interested in Discussing: everything

Talk Abstract: In this work-in-progress talk we will present a proposal to anonymize DNS queries. Our goal is to hide details about the origin and the target of the query, preserving querier privacy while still supporting some kinds of traffic analysis, such as presence of excessive queries.

Interested in Discussing: What are the most pressing problems facing the DNS operations community?

Interested in Discussing: General data sharing models and barriers to effective sharing Tools used to analyze shared data

Interested in Discussing: SIE Data sharing

Interested in Discussing: Fighting phishing using DMARC and beyond DMARC. Gathering metrics via DNS usage.

Talk Abstract: In this talk I will talk about our investigation into the emergence of the exploit-as-a-service model for driveby browser compromise. In this regime, attackers pay for an exploit kit or service to do the "dirty work" of exploiting a victim's browser.

In order to understand the impact of the exploit-as-a-service paradigm on the malware ecosystem, we perform a detailed analysis of the prevalence of exploit kits, the families of malware installed upon a successful exploit, and the volume of traffic that malicious web sites receive.

Our results show that many of the most prominent families of malware now propagate through driveby downloads and their activities are supported by a handful of exploit kits. We also, use DNS traffic from real networks to provide a unique perspective on the popularity of malware families based on the frequency that their binaries are installed by drivebys.

Interested in Discussing: Malware, SIE data

Interested in Discussing: Collaboration - sharing out not just consumption...

Interested in Discussing: Advanced threat detection.

Interested in Discussing: Anonymization and multi-resolution data analysis and storage for multi-institution sharing.

Talk Abstract: In this talk we present FluxBuster, a novel passive DNS traffic analysis system for detecting and tracking malicious flux networks. FluxBuster applies large-scale monitoring of DNS traffic traces generated by recursive DNS (RDNS) servers located in hundreds of different networks scattered across several different geographical locations and shared via the ISC/SIE framework. Unlike most previous work, our detection approach is not limited to the analysis of suspicious domain names extracted from spam emails or precompiled domain blacklists. Instead, FluxBuster is able to detect malicious flux service networks in-the-wild, i.e., as they are "accessed" by users who fall victim of malicious content, independently of how this malicious content was advertised. We performed a long-term evaluation of our system spanning a period of about five months. The experimental results show that FluxBuster is able to accurately detect malicious flux networks with a low false positive rate. Furthermore, we show that in many cases FluxBuster is able to detect malicious flux domains several days or even weeks before they appear in public domain blacklists.

Interested in Discussing: What are the conditions that need to be satisfied so that the results of research tools can be shared with other SIE members, or perhaps even with the rest of the security community? What are the constraints?

Talk Abstract: The exhaustion of the IPv4 address space significantly increases the urgency for transitions to IPv6. Since native IPv6 support is not yet ubiquitous, a major concern of users and services providers (e.g., Facebook, Google, etc.) is that end-to-end performance via IPv6 could be substantially worse than IPv4. In this paper, we develop an analysis method and framework that enables DNS rendezvous information to be matched with flows so that we can compare and contrast performance over both protocols for a variety of Internet services. Our analyses focus on the basic services that are accessed using both protocols, observed client behaviors, and a presentation of performance characteristics of services using both IPv4 and IPv6. Our objective is to detect and expose differences. To demonstrate our method, we present results of an empirical study that considers the issue of Internet services performance over IPv6. Our study uses data collected over the World IPv6 Day (June 8, 2011), including both DNS requests/responses and flow export records for a large number of dual-stack hosts operating at a large research university. Our results expose various performance characteristics of Internet services that support IPv6: (1) Robust measures of services' flow bit rate distributions vary significantly by time of day, numbers of active local clients, and by IP protocol version (6 or 4). (2) These rate characteristics differ amongst services. (3) There are regimes of time in which IPv6 flow bit rates exceed those of IPv4 and others where the IPv4 rates exceed those of IPv6.

Interested in Discussing: privacy concerns w.r.t. IP rendezvous information, such as client DNS query/responses

Interested in Discussing: pDNS and network threat intelligence sharing architectures.

Interested in Discussing: Several - understanding dynamics of network configuration, logical to physical mapping

Interested in Discussing: Novel uses for the SIE data. If there have been any changes to the sensor network (e.g. new sensors) Integrating domain WHOIS data, especially registrar data, into DNS analyses.

Talk Abstract: This talk will present SiLK, a network flow collection and analysis system developed by CERT/CC at Carnegie Mellon University. It will cover the individual components of the system as well as the overall system architecture and design tradeoffs. It will also address how the system has evolved over time as well as outline current plans to incorporate DNS and other types of network data.

Interested in Discussing: DNS indicators of malicious campaigns

Talk Abstract: DNS zone files can be a great asset in security and networking research, yet they are available only for gTLDs, such as .com and .net, leaving out ccTLDs, such as .uk and .ru. Our collaborative project with CAIDA aims to leverage passive DNS queries from SIE and other data sources to rebuild zone files for all TDLs. I will describe the design challenges in implementing a practical system that accomplishes this goal. I will also discuss preliminary results on what percentage of zone files can be successfully reconstructed using this data.

Interested in Discussing: Passive DNS

Talk Abstract: ISC SIE has been in operation since 2008, and has enabled several well known successful applications including DNSDB. What's still needed, in terms of sensor outreach and channel development? What other applications can we imagine, now that the idea of shared real time analysis of distributed telemetry isn't controversial any more? Vixie will throw out some ideas to jump start some brain storming.

Interested in Discussing: good science requires repeatability which means long cycle times. good engineering, at least in the security world, requires agility which means short cycle times. how will we prepare future technologists if using batch methods in a real-time world is at its "hey you kids get offa my lawn!" moment?

Interested in Discussing: Reducing barriers to sharing operational security and network data with researchers and more broadly.

Talk Abstract: Eric Ziegast will provide a tutorial and internals discussion about how ISC SIE is operated in a manner that will help future operators understand how to run their own security data redistribution network or operate a public security information exchange. Topics will include switch operation, automated data submission, data relay, data processing, policy, and business aspects.

Interested in Discussing: I'd like to have a data flea market session (about an hour?) where we go around and put together what data people are looking for and what data people have available. I've done it before and it was quite interesting for attendees. If I prepare a questionnaire available before the event, it'll help people think and prepare.