Drakkar

Thesis defense — Ben C. Benjamin — October 1st

Friday 29 November 2024

Measuring, Analysing and Mitigating Malicious Activities on the Internet: A Study on DNS, Open Proxies and Domain Name Defensive Registrations

Will take place on the 1st of October 2024 at 9:00 am at the main Auditorium in the IMAG building.

Abstract

The cybersecurity landscape is constantly evolving as new and complex threats emerge. To address the challenges these threats pose, we perform a series of measurements, analyze the results, and recommend strategies to better mitigate malicious activities on the Internet, with a particular focus on the Domain Name System (DNS) and open proxies.

This doctoral thesis embarks on a comprehensive exploration of domain name abuse and open proxy abuse. It makes three main contributions, which can be summarized in three stages.

The first contribution of this thesis is to mitigate the threat posed by cybersquatters by incorporating Passive DNS (Domain Name System) data into defensive domain name registration practices. It presents a thorough analysis of the benefits of this approach and its potential applications in protecting brands. It examines the current defensive registration practices employed by defensive registrars and highlights their shortcomings. As a contribution, it proposes a new method to improve the defensive registration strategies used by defensive registrars.

The second contribution of this thesis addresses the need for a practical and operational domain name classifier that distinguishes between maliciously registered domains and compromised domains used in phishing, and that intermediaries can readily employ in real-world scenarios to build domain name classifiers that overcome the shortcomings of some existing systems. Our approach takes advantage of publicly available domain name registration data and has two primary features that enhance its practical utility in diverse operational contexts. Firstly, it employs an automated methodology for constructing the ground truth dataset, ensuring that the classifier is trained on reliable data. Secondly, it is resilient to missing data values, a common challenge when dealing with public resources and active measurements. This quality further enhances the reliability and practicality of the classifier.

In the third contribution, we investigate the activities of open proxies, providing answers as to why Internet users still use open proxy services despite the risks involved and what types of cybercrime activities are performed through them. We deploy several open proxy servers distributed around the world, configured to accept connections using five popular protocols: HTTP, HTTPS, SOCKS4, SOCKS4(a), and SOCKS5. We also uncover the types of Internet service vulnerabilities that open proxy users exploit. The collective contribution of this thesis is to enhance our understanding of domain name abuse and the misuse of open proxies. This research yields innovative methods and techniques that have the potential to assist Internet service providers in improving the safety and dependability of the worldwide Internet environment. The study is invaluable for furnishing Internet service providers with ways to counter domain name abuse and maintain the Internet's integrity.
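A proxy that accepts all five protocols named above has to recognise which one a client is speaking from the first bytes it sends before it can log, classify or refuse the request. The following added example (not code from the thesis or from the Drakkar team) shows that classification step for a honeypot-style open proxy: it parses the SOCKS4/SOCKS4a request header, the SOCKS5 client greeting (RFC 1928) and the HTTP proxy request line, and tallies protocols over a set of constructed sample connections. Treating "HTTPS" as an HTTP CONNECT tunnel request is an assumption of this example, as are the sample bytes and the function names.

```python
"""Classify the first bytes of an inbound open-proxy connection by protocol.

Added example, not the thesis's own code. Assumptions: "HTTPS" means an
HTTP CONNECT tunnel request; sample connections below are constructed.
"""
import re
import struct
from collections import Counter

HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"PATCH")
# HTTP request line: METHOD SP request-target SP HTTP/1.x CRLF
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r?\n")


def classify_proxy_request(data: bytes) -> dict:
    """Return a dict with at least 'protocol' and 'target' for the first bytes of a connection."""
    if not data:
        return {"protocol": "unknown", "target": None}
    version = data[0]

    # SOCKS5 client greeting: VER=0x05, NMETHODS, METHODS[NMETHODS]
    if version == 0x05 and len(data) >= 2:
        nmethods = data[1]
        if len(data) >= 2 + nmethods:
            methods = list(data[2 : 2 + nmethods])
            return {"protocol": "SOCKS5", "target": None, "auth_methods": methods}
        return {"protocol": "unknown", "target": None}  # truncated greeting

    # SOCKS4 request: VER=0x04, CMD, DSTPORT(2), DSTIP(4), USERID, NUL
    if version == 0x04 and len(data) >= 9:
        command, port = struct.unpack("!BH", data[1:4])
        ip = data[4:8]
        rest = data[8:]
        nul = rest.find(b"\x00")
        if nul < 0:
            return {"protocol": "unknown", "target": None}  # USERID not terminated
        user_id = rest[:nul].decode("ascii", "replace")
        # SOCKS4a: DSTIP of the form 0.0.0.x (x != 0) means a NUL-terminated hostname follows USERID.
        if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:
            tail = rest[nul + 1 :]
            end = tail.find(b"\x00")
            if end < 0:
                return {"protocol": "unknown", "target": None}
            host = tail[:end].decode("ascii", "replace")
            return {"protocol": "SOCKS4a", "target": f"{host}:{port}",
                    "command": command, "user_id": user_id}
        host = ".".join(str(b) for b in ip)
        return {"protocol": "SOCKS4", "target": f"{host}:{port}",
                "command": command, "user_id": user_id}

    # HTTP proxy traffic: CONNECT (tunnel, used for HTTPS) or an absolute-form request.
    m = REQUEST_LINE.match(data)
    if m:
        method, target = m.group(1), m.group(2).decode("ascii", "replace")
        if method == b"CONNECT":
            return {"protocol": "HTTPS", "target": target}
        if method in HTTP_METHODS and target.lower().startswith("http://"):
            return {"protocol": "HTTP", "target": target}
    return {"protocol": "unknown", "target": None}


def summarize(connections) -> dict:
    """Count protocols over the first bytes of many connections (a honeypot log summary)."""
    counts = Counter(classify_proxy_request(raw)["protocol"] for raw in connections)
    return dict(counts)


# Constructed sample connections, one per protocol (example.com and 93.184.216.34 are illustrative).
SAMPLES = {
    "http": b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "https": b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n",
    "socks4": b"\x04\x01\x00\x50" + bytes([93, 184, 216, 34]) + b"user\x00",
    "socks4a": b"\x04\x01\x00\x50\x00\x00\x00\x01user\x00example.com\x00",
    "socks5": b"\x05\x02\x00\x02",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify_proxy_request(raw))
    print(summarize(SAMPLES.values()))
```

The function deliberately returns "unknown" for truncated headers rather than guessing, so a logging pipeline built on it records incomplete handshakes separately from the five protocols the proxy actually serves.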


1996-2024 Drakkar | SPIP