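@inproceedings{silva_compromised_2021,
  author        = {De Silva, Ravindu and Nabeel, Mohamed and Elvitigala, Charith and Khalil, Issa and Yu, Ting and Keppitiyagama, Chamath},
  title         = {Compromised or {Attacker}-{Owned}: {A} {Large} {Scale} {Classification} and {Study} of {Hosting} {Domains} of {Malicious} {URLs}},
  shorttitle    = {Compromised or {Attacker}-{Owned}},
  booktitle     = {30th {USENIX} Security Symposium ({USENIX} Security 21)},
  publisher     = {USENIX Association},
  year          = {2021},
  url           = {https://www.usenix.org/conference/usenixsecurity21/presentation/desilva},
  urldate       = {2021-05-23},
  language      = {en},
  internal-note = {inproceedings requires booktitle; venue and publisher taken from the USENIX Security 21 presentation page in url. First author surname is De Silva (the page slug is desilva), so the comma form is De Silva, Ravindu rather than Silva, Ravindu De. pages and month still missing -- fill in from the published PDF},
}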
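@inproceedings{xia_identifying_2021,
  author        = {Xia, Pengcheng and Nabeel, Mohamed and Khalil, Issa and Wang, Haoyu and Yu, Ting},
  title         = {Identifying and {Characterizing} {COVID}-19 {Themed} {Malicious} {Domain} {Campaigns}},
  booktitle     = {Proceedings of the {Eleventh} {ACM} {Conference} on {Data} and {Application} {Security} and {Privacy}},
  series        = {{CODASPY} '21},
  publisher     = {Association for Computing Machinery},
  address       = {New York, NY, USA},
  month         = apr,
  year          = {2021},
  pages         = {209--220},
  isbn          = {9781450381437},
  doi           = {10.1145/3422337.3447840},
  url           = {https://doi.org/10.1145/3422337.3447840},
  urldate       = {2021-05-23},
  keywords      = {malicious campaigns, knowledge graph, covid-19},
  abstract      = {Ever since the beginning of the outbreak of the COVID-19 pandemic, attackers acted quickly to exploit the confusion, uncertainty and anxiety caused by the pandemic and launched various attacks through COVID-19 themed malicious domains. Malicious domains are rarely deployed independently, but rather almost always belong to much bigger and coordinated attack campaigns. Thus, analyzing COVID-themed malicious domains from the angle of attack campaigns would help us gain a deeper understanding of the scale, scope and sophistication of the threats imposed by such malicious domains. In this paper, we collect data from multiple sources, and identify and characterize COVID-themed malicious domain campaigns, including the evolution of such campaigns, their underlying infrastructures and the different strategies taken by attackers behind these campaigns. Our exploration suggests that some malicious domains have strong correlations, which can guide us to identify new malicious domains and raise alarms at the early stage of their deployment. The results shed light on the emergency for detecting and mitigating public event related cyber attacks.},
  internal-note = {Entry type was incollection (ACM DL export) but booktitle is a conference proceedings, so inproceedings is the correct type. Bare doi added (it was only embedded in url), and series set to match the CODASPY '18 entry in this file. address is the publisher's city, as the style expects},
}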
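@article{nabeel_following_2020,
  author        = {Nabeel, Mohamed and Khalil, Issa M. and Guan, Bei and Yu, Ting},
  title         = {Following {Passive} {DNS} {Traces} to {Detect} {Stealthy} {Malicious} {Domains} {Via} {Graph} {Inference}},
  journal       = {ACM Transactions on Privacy and Security},
  volume        = {23},
  number        = {4},
  month         = jul,
  year          = {2020},
  pages         = {17:1--17:36},
  issn          = {2471-2566},
  doi           = {10.1145/3401897},
  url           = {https://doi.org/10.1145/3401897},
  urldate       = {2021-05-23},
  keywords      = {graph inference, Malicious domains, passive DNS, domain association},
  abstract      = {Malicious domains, including phishing websites, spam servers, and command and control servers, are the reason for many of the cyber attacks nowadays. Thus, detecting them in a timely manner is important to not only identify cyber attacks but also take preventive measures. There has been a plethora of techniques proposed to detect malicious domains by analyzing Domain Name System (DNS) traffic data. Traditionally, DNS acts as an Internet miscreant's best friend, but we observe that the subtle traces in DNS logs left by such miscreants can be used against them to detect malicious domains. Our approach is to build a set of domain graphs by connecting ``related'' domains together and injecting known malicious and benign domains into these graphs so that we can make inferences about the other domains in the domain graphs. A key challenge in building these graphs is how to accurately identify related domains so that incorrect associations are minimized and the number of domains connected from the dataset is maximized. Based on our observations, we first train two classifiers and then devise a set of association rules that assist in linking domains together. We perform an in-depth empirical analysis of the graphs built using these association rules on passive DNS data and show that our techniques can detect many more malicious domains than the state-of-the-art.},
  internal-note = {Typographic Unicode quotes in abstract replaced with ASCII/LaTeX quoting so the entry is safe under 8-bit classic BibTeX as well as Biber; no wording changed. pages uses the article-number form 17:1--17:36 as given by the journal},
}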
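@inproceedings{khalil_domain_2018,
  author        = {Khalil, Issa M. and Guan, Bei and Nabeel, Mohamed and Yu, Ting},
  title         = {A {Domain} is only as {Good} as its {Buddies}: {Detecting} {Stealthy} {Malicious} {Domains} via {Graph} {Inference}},
  shorttitle    = {A {Domain} is only as {Good} as its {Buddies}},
  booktitle     = {Proceedings of the {Eighth} {ACM} {Conference} on {Data} and {Application} {Security} and {Privacy}},
  series        = {{CODASPY} '18},
  publisher     = {Association for Computing Machinery},
  address       = {New York, NY, USA},
  venue         = {Tempe, AZ, USA},
  month         = mar,
  year          = {2018},
  pages         = {330--341},
  isbn          = {9781450356329},
  doi           = {10.1145/3176258.3176329},
  url           = {https://doi.org/10.1145/3176258.3176329},
  urldate       = {2021-05-23},
  keywords      = {inference algorithms, dns data analysis, malicious domains detection, belief propagation},
  abstract      = {Inference based techniques are one of the major approaches to analyze DNS data and detect malicious domains. The key idea of inference techniques is to first define associations between domains based on features extracted from DNS data. Then, an inference algorithm is deployed to infer potential malicious domains based on their direct/indirect associations with known malicious ones. The way associations are defined is key to the effectiveness of an inference technique. It is desirable to be both accurate (i.e., avoid falsely associating domains with no meaningful connections) and with good coverage (i.e., identify all associations between domains with meaningful connections). Due to the limited scope of information provided by DNS data, it becomes a challenge to design an association scheme that achieves both high accuracy and good coverage. In this paper, we propose a new approach to identify domains controlled by the same entity. Our key idea is an in-depth analysis of active DNS data to accurately separate public IPs from dedicated ones, which enables us to build high-quality associations between domains. Our scheme avoids the pitfall of naive approaches that rely on weak ``co-IP'' relationship of domains (i.e., two domains are resolved to the same IP) that results in low detection accuracy, and, meanwhile, identifies many meaningful connections between domains that are discarded by existing state-of-the-art approaches. Our experimental results show that the proposed approach not only significantly improves the domain coverage compared to existing approaches but also achieves better detection accuracy. Existing path-based inference algorithms are specifically designed for DNS data analysis. They are effective but computationally expensive. To further demonstrate the strength of our domain association scheme as well as improve the inference efficiency, we construct a new domain-IP graph that can work well with the generic belief propagation algorithm. Through comprehensive experiments, we show that this approach offers significant efficiency and scalability improvement with only a minor impact to detection accuracy, which suggests that such a combination could offer a good tradeoff for malicious domain detection in practice.},
  internal-note = {address held the conference location (Tempe) but standard styles print it as the publisher's city; it now matches the ACM entry above and the conference location is kept in the biblatex venue field, which classic BibTeX ignores. Straight double quotes in the abstract replaced with LaTeX quoting and a stray mid-abstract line break joined},
}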