ISC/CAIDA Data Collaboration Workshop : Talk Abstracts
|David Muran-de Assereto (SRC, Inc.)||
Interested in Discussing: My focuses have been Big Data Analytics, Data Correlation, Insider Threat, including intruders already inside the fence, and high-security operating systems and applications.
|Robert Beverly (Naval Postgraduate School)||
Interested in Discussing: DNS cluster behavior / DNS security
|Chris Camacho (The World Bank)||
Interested in Discussing: Spam, Malware and Botnets
|Denise Clampitt (Internal Revenue Service)||
Interested in Discussing: everything
|Richard Clayton (University of Cambridge)||
Interested in Discussing: Botnet tracking, spam counting, frameworks (legal and operational) for encouraging data sharing
|David Dagon (Georgia Institute of Technology)||Talk Title: Teaching NMSG - lessons learned from a tutorial
Talk Abstract: At a recent workshop, David Dagon taught a training session where participants learned how to process DNS messages with NMSG. He will discuss lessons learned from such training.
Talk Title: DNS Path Measurement
Talk Abstract: David Dagon will discuss what DNS path measurement is and show measurements of DNS path information from the view of botnets.
|Alberto Dainotti (CAIDA)||
Interested in Discussing: Darknet traffic. using passive dns data for research on malware
|Casey Deccio (Sandia National Laboratories)||Talk Title: Qualitative DNS Measurement Perspectives
Talk Abstract: As DNSSEC deployment grows, there is a need to measure how its being deployed and maintained. The data from such analysis will serve to show where improvements can be made in deployment and in the protocol itself to make it more successful as a security feature in the suite of Internet protocols. We discuss in this talk analysis perspectives, such as active and passive monitoring and cache introspection, and how each contributes to qualitative DNS measurement.
Interested in Discussing: Active/passive DNS measurement
|Robert Edmonds (Internet Systems Consortium, Inc.)||Talk Title: Sorted String Tables: ISC mtbl and ISC dnstable
Talk Abstract: The SSTable (Sorted String Table) is a data structure used in various "NoSQL" databases: Google BigTable, Google LevelDB, Apache Cassandra, and Apache Hadoop all have their own implementations. This talk will describe ISC's implementation of this algorithm, called "mtbl", and "dnstable", a real world example of an application built on top of mtbl, which powers the ISC DNSDB search engine.
Interested in Discussing: SIE
|Marina Fomenkov (CAIDA/UCSD)||
Interested in Discussing: DNS and SIE data sharing
|Simon Forster (Spamhaus Research Corp)||
Interested in Discussing: Datasharing
|Andrew Fried (Deteque LLC)||
Interested in Discussing: everything
|Laura Fried (Internal Revenue Service)||
Interested in Discussing: everything
|John Heidemann (USC/Information Sciences Institute)||Talk Title: Anynoymizing DNS Traffic
Talk Abstract: In this work-in-progress talk we will present a proposal to anonymize DNS queries. Our goal is to hide details about the origin and the target of the query, preserving querier privacy while still supporting some kinds of traffic analysis, such as presence of excessive queries.
Interested in Discussing: What are the most pressing problems facing the DNS operations community?
|Merike Kaeo (Double Shot Security)||
Interested in Discussing: General data sharing models and barriers to effective sharing Tools used to analyze shared data
|Jason Lewis (Lookingglass Cyber Solutions, Inc.)||
Interested in Discussing: SIE Data sharing
|Franck Martin (Linkedin)||
Interested in Discussing: Fighting phishing using DMARC and beyond DMARC. Gathering metrics via DNS usage.
|Damon McCoy (George Mason University)||Talk Title: Manufacturing Compromise: The Emergence of Exploit-as-a-Service
Talk Abstract: In this talk I will talk about our investigation into the emergence of the exploit-as-a-service model for driveby browser compromise. In this regime, attackers pay for an exploit kit or service to do the "dirty work" of exploiting a victim's browser.
In order to understand the impact of the exploit-as-a-service paradigm on the malware ecosystem, we perform a detailed analysis of the prevalence of exploit kits, the families of malware installed upon a successful exploit, and the volume of traffic that malicious web sites receive.
Our results show that many of the most prominent families of malware now propagate through driveby downloads and their activities are supported by a handful of exploit kits. We also, use DNS traffic from real networks to provide a unique perspective on the popularity of malware families based on the frequency that their binaries are installed by drivebys.
Interested in Discussing: Malware, SIE data
|Bill McInnis (IID)||
Interested in Discussing: Collaboration - sharing out not just consumption...
|Greg Metzler (SRC, inc)||
Interested in Discussing: Advanced threat detection.
|Christos Papadopoulos (Colorado State University)||
Interested in Discussing: Anonymization and multi-resolution data analysis and storage for multi-institution sharing.
|Roberto Perdisci (University of Georgia)||Talk Title: Early Detection of Malicious Flux Networks via Large-Scale Passive DNS Traffic Analysis
Talk Abstract: In this talk we present FluxBuster, a novel passive DNS traffic analysis system for detecting and tracking malicious flux networks. FluxBuster applies large-scale monitoring of DNS traffic traces generated by recursive DNS (RDNS) servers located in hundreds of different networks scattered across several different geographical locations and shared via the ISC/SIE framework. Unlike most previous work, our detection approach is not limited to the analysis of suspicious domain names extracted from spam emails or precompiled domain blacklists. Instead, FluxBuster is able to detect malicious flux service networks in-the-wild, i.e., as they are "accessed" by users who fall victim of malicious content, independently of how this malicious content was advertised. We performed a long-term evaluation of our system spanning a period of about five months. The experimental results show that FluxBuster is able to accurately detect malicious flux networks with a low false positive rate. Furthermore, we show that in many cases FluxBuster is able to detect malicious flux domains several days or even weeks before they appear in public domain blacklists.
Interested in Discussing: What are the conditions that need to be satisfied so that the results of research tools can be shared with other SIE members, or perhaps even with the rest of the security community? What are the constraints?
|David Plonka (University of Wisconsin-Madison)||Talk Title: Assessing Internet Services over IPv6
Talk Abstract: The exhaustion of the IPv4 address space significantly increases the urgency for transitions to IPv6. Since native IPv6 support is not yet ubiquitous, a major concern of users and services providers (e.g., Facebook, Google, etc.) is that end-to-end performance via IPv6 could be substantially worse than IPv4. In this paper, we develop an analysis method and framework that enables DNS rendezvous information to be matched with flows so that we can compare and contrast performance over both protocols for a variety of Internet services. Our analyses focus on the basic services that are accessed using both protocols, observed client behaviors, and a presentation of performance characteristics of services using both IPv4 and IPv6. Our objective is to detect and expose differences. To demonstrate our method, we present results of an empirical study that considers the issue of Internet services performance over IPv6. Our study uses data collected over the World IPv6 Day (June 8, 2011), including both DNS requests/responses and flow export records for a large number of dual-stack hosts operating at a large research university. Our results expose various performance characteristics of Internet services that support IPv6: (1) Robust measures of services' flow bit rate distributions vary significantly by time of day, numbers of active local clients, and by IP protocol version (6 or 4). (2) These rate characteristics differ amongst services. (3) There are regimes of time in which IPv6 flow bit rates exceed those of IPv4 and others where the IPv4 rates exceed those of IPv6.
Interested in Discussing: privacy concerns w.r.t. IP rendezvous information, such as client DNS query/responses
|Brian Ray (Lookingglass Cyber Solutions)||
Interested in Discussing: pDNS and network threat intelligence sharing architectures.
|William Semancik (National Security Agency)||
Interested in Discussing: Several - understanding dynamics of network configuration, logical to physical mapping
|Jonathan Spring (CERT/CC -- Carnegie Mellon)||
Interested in Discussing: Novel uses for the SIE data. If there have been any changes to the sensor network (e.g. new sensors) Integrating domain WHOIS data, especially registrar data, into DNS analyses.
|Ed Stoner (Carnegie Mellon / SEI / CERT)||Talk Title: Network Threat Detection and Event Correlation
Talk Abstract: This talk will present SiLK, a network flow collection and analysis system developed by CERT/CC at Carnegie Mellon University. It will cover the individual components of the system as well as the overall system architecture and design tradeoffs. It will also address how the system has evolved over time as well as outline current plans to incorporate DNS and other types of network data.
Interested in Discussing: DNS indicators of malicious campaigns
|John-Paul Verkamp (Indiana University)||Talk Title: Rebuilding zone files from passive DNS data
Talk Abstract: DNS zone files can be a great asset in security and networking research, yet they are available only for gTLDs, such as .com and .net, leaving out ccTLDs, such as .uk and .ru. Our collaborative project with CAIDA aims to leverage passive DNS queries from SIE and other data sources to rebuild zone files for all TDLs. I will describe the design challenges in implementing a practical system that accomplishes this goal. I will also discuss preliminary results on what percentage of zone files can be successfully reconstructed using this data.
Interested in Discussing: Passive DNS
|Paul Vixie (Internet Systems Consortium, Inc.)||Talk Title: Implications of SIE
Talk Abstract: ISC SIE has been in operation since 2008, and has enabled several well known successful applications including DNSDB. What's still needed, in terms of sensor outreach and channel development? What other applications can we imagine, now that the idea of shared real time analysis of distributed telemetry isn't controversial any more? Vixie will throw out some ideas to jump start some brain storming.
Interested in Discussing: good science requires repeatability which means long cycle times. good engineering, at least in the security world, requires agility which means short cycle times. how will we prepare future technologists if using batch methods in a real-time world is at its "hey you kids get offa my lawn!" moment?
|Von Welch (Indiana University/CACR)||
Interested in Discussing: Reducing barriers to sharing operational security and network data with researchers and more broadly.
|Eric Ziegast (Internet Systems Consortium, Inc.)||Talk Title: Security Data Exchange Building
Talk Abstract: Eric Ziegast will provide a tutorial and internals discussion about how ISC SIE is operated in a manner that will help future operators understand how to run their own security data redistribution network or operate a public security information exchange. Topics will include switch operation, automated data submission, data relay, data processing, policy, and business aspects.
Interested in Discussing: I'd like to have a data flea market session (about an hour?) where we go around and put together what data people are looking for and what data people have available. I've done it before and it was quite interesting for attendees. If I prepare a questionnaire available before the event, it'll help people think and prepare.