Miscellaneous Papers


Members and Collaborators

Overview

Many cybersecurity events are poorly measured, because it is difficult to gain access to a good vantage point to observe many representative events. This set of projects aims to improve our observation of relevant malicious events.

DNSInsight

DNSInsight is a project to categorize incoming queries to a root DNS server and to understand their root cause. Given the critical role of root servers in the global DNS infrastructure, it is essential to understand the processes that generate DNS queries and to optimize response times. This project focuses on developing algorithms that can differentiate legitimate DNS traffic from potentially malicious or anomalous queries, such as those resulting from amplification attempts, DDoS attacks, or other forms of traffic manipulation. By categorizing queries as known-good, suspicious, or malicious, the system can apply tailored filtering, rate limiting, and anomaly detection to mitigate potential threats while keeping the impact on normal operations minimal. In addition to query categorization, the project seeks to identify the root causes of suspicious and malicious queries, aiming to address issues at their source. This could involve analyzing patterns to trace the origin of the malicious traffic, such as a botnet, a compromised device, or a misconfigured network. The goal is to develop mechanisms that not only block or rate-limit unwanted queries but also provide insight into their origin, enabling network operators to take corrective action or implement solutions that prevent future occurrences. By understanding the root causes of unwanted queries, the project can contribute to fixing weaknesses in the broader ecosystem, whether through improved security practices, better traffic filtering, or addressing systemic issues within upstream networks.

LightScope

LightScope seeks to provide valuable insights to network operators and security researchers by turning closed ports on live hosts into network telescopes. Because scanners avoid darkspace monitoring tools, honeypots, and networks not running real services, conclusions drawn from those kinds of observations do not map well to production networks. LightScope addresses this issue. It was designed with production networks in mind: it is completely passive, easy to deploy, and should not change an organization's attack surface. There is no need to install LightScope on sensitive production machines, as a single instance with access to a SPAN port can monitor an entire network. By analyzing the traffic it sees, it passively and dynamically learns which ports are open and records anonymized information about traffic sent to closed ports. By analyzing this traffic and comparing it with what it sees on other networks, it seeks to provide network operators with important information, such as whether they are being targeted more than their peers, attribution of their unwanted traffic, the services attackers intend to target, general trends, and possibly some warning of pending cyberattacks.
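The passive port-state learning and closed-port recording described above, shown as an added illustration that is not LightScope's own code. It assumes TCP packet records already extracted from a SPAN port (a constructed list is embedded), treats a SYN/ACK reply from a monitored host as evidence the port is open and a RST reply as evidence it is closed, and anonymizes source addresses with a salted hash (the salt and the hashing scheme are assumptions, not LightScope's method).

```python
import hashlib
from collections import Counter, defaultdict

# Constructed packet records: (src, dst, sport, dport, tcp_flags).
# 10.0.0.5 is the monitored host; flags use tcpdump-style letters (S, A, R).
PACKETS = [
    ("198.51.100.7", "10.0.0.5", 40000, 80, "S"),
    ("10.0.0.5", "198.51.100.7", 80, 40000, "SA"),    # host answers SYN/ACK: 80 open
    ("198.51.100.7", "10.0.0.5", 40001, 22, "S"),
    ("10.0.0.5", "198.51.100.7", 22, 40001, "RA"),    # host answers RST: 22 closed
    ("203.0.113.9", "10.0.0.5", 51000, 22, "S"),
    ("10.0.0.5", "203.0.113.9", 22, 51000, "RA"),
    ("203.0.113.9", "10.0.0.5", 51001, 3389, "S"),
    ("10.0.0.5", "203.0.113.9", 3389, 51001, "RA"),   # 3389 closed
    ("203.0.113.9", "10.0.0.5", 51002, 80, "S"),      # open port: not telescope data
]

MONITORED = {"10.0.0.5"}


def anonymize(ip, salt="example-salt"):
    """Salted hash of a source address so records can be shared without raw IPs (assumed scheme)."""
    return hashlib.sha256(f"{salt}:{ip}".encode()).hexdigest()[:16]


def analyze(packets, monitored=MONITORED):
    """Learn port state from the monitored hosts' own replies, then record SYNs to closed ports."""
    open_ports = defaultdict(set)    # host -> ports that replied SYN/ACK
    closed_ports = defaultdict(set)  # host -> ports that replied RST
    # Pass 1: passive learning; only the monitored host's replies are consulted.
    for src, _dst, sport, _dport, flags in packets:
        if src in monitored and "S" in flags and "A" in flags:
            open_ports[src].add(sport)
        elif src in monitored and "R" in flags:
            closed_ports[src].add(sport)
    # Pass 2: inbound SYNs aimed at a port known to be closed are telescope observations.
    hits = Counter()  # (anonymized source, dport) -> count
    for src, dst, _sport, dport, flags in packets:
        if dst in monitored and flags == "S" and dport in closed_ports[dst]:
            hits[(anonymize(src), dport)] += 1
    return dict(open_ports), dict(closed_ports), hits


if __name__ == "__main__":
    opened, closed, hits = analyze(PACKETS)
    print("open:", opened, "closed:", closed)
    for (src_id, port), n in hits.most_common():
        print(f"closed-port probe from {src_id} -> tcp/{port}: {n}")
```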

Publications