Title: Towards Understanding the Lifecycle of Malicious Network Infrastructure

Date: Tuesday, May 6th, 2025

Time: 3:00 PM – 5:00 PM ET

Location: 3402 Conference Room Klaus & Zoom

Zoom Link: https://gatech.zoom.us/j/97713909669?pwd=DwZVSA0p8pc3rM2wzRubDJnQLyEOW1.1

Athanasios Avgetidis

Ph.D. CS Student

School of Cybersecurity and Privacy

College of Computing

Georgia Institute of Technology

Committee:

Dr. Manos Antonakakis (Advisor), School of Electrical and Computer Engineering, Georgia Institute of Technology

Dr. Angelos D. Keromytis (Co-Advisor), School of Electrical and Computer Engineering, Georgia Institute of Technology

Dr. Fabian Monrose, School of Electrical and Computer Engineering, Georgia Institute of Technology

Dr. Roberto Perdisci, School of Computing, University of Georgia

Dr. Alberto Dainotti, School of Computer Science, Georgia Institute of Technology

Abstract:

Network infrastructure is an important component of malicious cyber operations. Cyber adversaries use network infrastructure for command and control, data exfiltration, malware hosting, and social engineering, among other purposes. Although several studies over the years have focused on detecting, blocking, and characterizing malicious infrastructure, the temporal dynamics of how this infrastructure changes over time and the characteristics of the stakeholders interacting with it have often been overlooked. This thesis shows that the temporal analysis of malicious infrastructure reveals network attributes that can characterize the stakeholders that interact with it. The systematic analysis of such network attributes can aid the accurate discovery of previously unreported malicious infrastructure and increase our awareness of the behaviors of the stakeholders that interact with it.

This dissertation sheds light on the lifecycle and utilization of malicious infrastructure through the lens of DNS and HTTP network vantage points. First, I demonstrate that the network interactions of the stakeholders associated with malicious domain names are largely temporally dynamic and have implications for victim estimation analysis. Second, I characterize the HTTP interactions of malicious cyber actors with their infrastructure and quantify the importance of detection for the duration of their infrastructure utilization. Lastly, I demonstrate how the longitudinal characterization of malicious domain names of known cybercriminal actors can reveal network attributes that characterize the different types of hosting infrastructure historically associated with them, enabling the accurate discovery of three times more attacker-utilized IP addresses than are present in public threat reports.