Title: Towards Understanding the Lifecycle of Malicious Network Infrastructure


Date: Tuesday, December 3, 2024

Time: 3:00 PM – 5:00 PM ET

Location [Hybrid]: 3126 Conference Room, Klaus & Zoom

Zoom Link: https://gatech.zoom.us/j/98536458994?pwd=1z2b49FvKG7yCbpRCFoRgmUMBvZ92x.1


Athanasios Avgetidis

Ph.D. CS Student

School of Cybersecurity and Privacy

College of Computing

Georgia Institute of Technology


Committee:

Dr. Manos Antonakakis (Advisor), School of Electrical and Computer Engineering, Georgia Institute of Technology

Dr. Angelos D. Keromytis (Co-Advisor), School of Electrical and Computer Engineering, Georgia Institute of Technology

Dr. Fabian Monrose, School of Electrical and Computer Engineering, Georgia Institute of Technology

Dr. Roberto Perdisci, School of Computing, University of Georgia

Dr. Alberto Dainotti, School of Computer Science, Georgia Institute of Technology


Abstract:


Network infrastructure is an essential component of malicious cyber operations. Adversaries rely on it for command and control, data exfiltration, malware hosting, and social engineering, among other purposes. Over the years, many studies have focused on detecting, blocking, and characterizing malicious infrastructure, but the temporal dimension of this infrastructure, how it changes over time and how those changes affect common security and forensic tasks, has often been overlooked. This thesis shows that temporal analysis of malicious infrastructure reveals previously unknown forensic information hidden in the network datasets used in modern defensive operations. Systematically discovering and analyzing this information enables a more comprehensive understanding of Internet threats.

In this proposal, I will shed light on the lifecycle of malicious infrastructure by presenting the findings of three empirical measurement studies, each drawing on a different network vantage point. First, using the unique vantage point of authoritative DNS, I will demonstrate that targeting analysis performed from a network perspective is temporally sensitive. Second, I will present the first large-scale measurement study of the lifecycle of password stealers and their operators, showing how they manage their operations over a span of 20 months. Lastly, I will introduce my ongoing work on characterizing the lifecycle of the domain names used by Advanced Persistent Threats (APTs), proposing Atropos, a novel system that automatically and accurately identifies APT-controlled infrastructure in historical DNS logs.