Revealing Previously Unknown Malicious Domains leveraging DNS and WHOIS Data
Supervisor(s): | George Webster |
Status: | finished |
Topic: | Others |
Author: | Christian Köpp |
Submission: | 2014-09-15 |
Type of Thesis: | Master's thesis |
Proof of Concept: | No |
Abstract: | Maintaining a blacklist of malicious websites and sifting through network traffic to detect nefarious activity is a difficult battle to fight. The rise in the use of Domain Generation Algorithms (DGA) and similar techniques has further hindered that fight by making static lists nearly useless. As a result, security researchers have turned to patterns in DNS information to detect malicious activity. This has proven successful in detecting botnet activity and other forms of cyber crime, but more can be done. In this master's thesis we will leverage the existing work in this field to generate a coherent set of rules for combing through network traffic. We will then expand upon academia's current knowledge by identifying additional rules that use WHOIS data to better triage the information. In the end we expect to detect a more diverse range of criminal activity, including Advanced Persistent Threats (APT), hacktivists, small-scale criminal activity, and the more traditional cyber-criminal botnets. |