CS Department Seminar: Engin Kirda (Northeastern University), Detecting Malicious Activity Through Large-Scale Data Analysis

Detecting Malicious Activity Through Large-Scale Data Analysis

Monday, March 24, 2014 ( 2:00 pm to 3:00 pm )

Location: Babbio Center 221




Malicious software (or malware) is one of the most pressing and major security threats facing the Internet today. In this talk, I will describe two systems that we recently built: EXPOSURE and DISCLOSURE.


EXPOSURE is a system that employs large-scale, passive DNS analysis techniques to detect domains that are involved in malicious activity. We use 15 features that we extract from the DNS traffic that allow us to characterize different properties of DNS names and the ways that they are queried. Our experiments with a large, real-world data set consisting of 100 billion DNS requests, and real-life deployment for over two years show that our approach is scalable and that we are able to automatically identify known malicious domains that are misused in a variety of malicious activity (such as for botnet command and control, spamming, and phishing).
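To make the passive-DNS idea concrete, the following added example (written for this page, not code from EXPOSURE or its authors) groups constructed passive DNS observations by domain and derives a handful of name and query-pattern features from them. The feature set, thresholds and sample records are assumptions chosen for illustration; they are not the 15 features or the classifier the talk describes.

```python
"""Toy passive-DNS feature extraction, illustrating the kind of name and
query-pattern properties a detector can compute per domain.
Constructed example; the features and thresholds are assumptions."""
import math
from collections import defaultdict
from statistics import mean

# Constructed passive DNS observations for this example:
# (timestamp in seconds, queried domain, resolved IPv4 address, TTL in seconds)
SAMPLE_RECORDS = [
    (0,     "example.com", "93.184.216.34", 86400),
    (3600,  "example.com", "93.184.216.34", 86400),
    (7200,  "example.com", "93.184.216.34", 86400),
    (10800, "example.com", "93.184.216.34", 86400),
    # a random-looking name that is queried rapidly and resolves to many
    # short-TTL addresses (a pattern often seen with fast-flux hosting)
    (10, "x7f3k9q2b1z4.example", "192.0.2.10", 60),
    (20, "x7f3k9q2b1z4.example", "192.0.2.11", 60),
    (30, "x7f3k9q2b1z4.example", "192.0.2.12", 60),
    (40, "x7f3k9q2b1z4.example", "192.0.2.13", 60),
    (50, "x7f3k9q2b1z4.example", "192.0.2.14", 60),
    (60, "x7f3k9q2b1z4.example", "192.0.2.15", 60),
]


def shannon_entropy(text):
    """Bits of entropy per character; high values hint at generated names."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def extract_features(records):
    """Return a dict of per-domain features computed from passive DNS records."""
    by_domain = defaultdict(list)
    for ts, domain, ip, ttl in records:
        by_domain[domain].append((ts, ip, ttl))
    features = {}
    for domain, obs in by_domain.items():
        obs.sort()
        letters = "".join(domain.split("."))          # name without dots
        times = [o[0] for o in obs]
        gaps = [b - a for a, b in zip(times, times[1:])]
        features[domain] = {
            # name-based features
            "name_length": len(domain),
            "digit_ratio": sum(ch.isdigit() for ch in letters) / len(letters),
            "entropy": shannon_entropy(letters),
            # answer-based features
            "distinct_ips": len({o[1] for o in obs}),
            "mean_ttl": mean([o[2] for o in obs]),
            # query-pattern feature: average time between observed queries
            "mean_query_gap": mean(gaps) if gaps else 0.0,
        }
    return features


def suspicion_score(f):
    """Count how many illustrative indicators fire (thresholds are assumed)."""
    indicators = [
        f["digit_ratio"] > 0.3,          # many digits in the name
        f["entropy"] > 3.5,              # high-entropy, random-looking name
        f["distinct_ips"] >= 4,          # resolves to many addresses
        f["mean_ttl"] < 300,             # very short TTLs
        0 < f["mean_query_gap"] < 120,   # queried in rapid succession
    ]
    return sum(indicators)


def flag_domains(records, threshold=3):
    """Domains whose score reaches the threshold, for analyst review."""
    feats = extract_features(records)
    return sorted(d for d, f in feats.items() if suspicion_score(f) >= threshold)


if __name__ == "__main__":
    for domain, f in extract_features(SAMPLE_RECORDS).items():
        print(domain, suspicion_score(f), f)
    print("flagged:", flag_domains(SAMPLE_RECORDS))
```

Scores like this are only a triage signal: a real deployment learns thresholds from labelled data and, as the abstract notes, still has to be validated against a large volume of benign traffic before its output is trusted.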


DISCLOSURE is a follow-up system that we built that is a large-scale, wide-area botnet detection system that incorporates a combination of novel techniques to overcome the challenges imposed by the use of NetFlow data. In particular, we identify several groups of features that allow DISCLOSURE to reliably distinguish C&C channels from benign traffic using NetFlow records (i.e., flow sizes, client access patterns, and temporal behavior). To reduce DISCLOSURE's false positive rate, we incorporate a number of external reputation scores into our system's detection procedure. DISCLOSURE is able to perform real-time detection of botnet C&C channels over datasets on the order of billions of flows per day.
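The abstract names three groups of NetFlow-derived features (flow sizes, client access patterns, temporal behavior) and an external reputation input. The added example below (written for this page, not DISCLOSURE's code) computes one illustrative feature from each group over constructed flow records and combines them with a constructed reputation table; the specific statistics, thresholds and sample flows are assumptions, not the system's actual features.

```python
"""Toy NetFlow-based C&C channel scoring: per-server features from flow
records plus an external reputation score. Constructed example; the
features, thresholds, flows and reputation values are assumptions."""
from collections import defaultdict
from statistics import mean, pstdev


def _beacon_flows(client, t0):
    # Constructed beaconing pattern: near-constant flow size every 300 s.
    return [(t0 + i * 300, client, "203.0.113.5", 8080, size)
            for i, size in enumerate((512, 520, 512, 516))]


# Constructed NetFlow-style records for this example:
# (flow start time in seconds, source IP, destination IP, destination port, bytes)
SAMPLE_FLOWS = [
    # a benign web server: mixed flow sizes, irregular timing
    (0,   "192.0.2.1", "198.51.100.10", 443, 1200),
    (47,  "192.0.2.1", "198.51.100.10", 443, 53000),
    (910, "192.0.2.1", "198.51.100.10", 443, 4100),
    (120, "192.0.2.2", "198.51.100.10", 443, 8800),
    (130, "192.0.2.2", "198.51.100.10", 443, 220000),
    (700, "192.0.2.3", "198.51.100.10", 443, 15000),
]
for _client, _t0 in (("192.0.2.1", 5), ("192.0.2.2", 17),
                     ("192.0.2.3", 33), ("192.0.2.4", 41)):
    SAMPLE_FLOWS.extend(_beacon_flows(_client, _t0))

# Constructed external reputation scores (0 = clean, 1 = known bad).
REPUTATION = {"203.0.113.5": 0.9, "198.51.100.10": 0.05}


def coefficient_of_variation(values):
    """pstdev / mean; near zero means the values are almost constant."""
    m = mean(values)
    return pstdev(values) / m if m else 0.0


def extract_server_features(flows, reputation):
    """Per (dst_ip, dst_port) features from flow records."""
    by_server = defaultdict(list)
    for ts, src, dst, dport, nbytes in flows:
        by_server[(dst, dport)].append((ts, src, nbytes))
    features = {}
    for server, obs in by_server.items():
        per_client = defaultdict(list)
        for ts, src, _ in obs:
            per_client[src].append(ts)
        # temporal behavior: regularity of inter-flow gaps per client
        gap_cvs = []
        for times in per_client.values():
            times.sort()
            if len(times) >= 3:
                gaps = [b - a for a, b in zip(times, times[1:])]
                gap_cvs.append(coefficient_of_variation(gaps))
        features[server] = {
            "clients": len(per_client),                                  # access pattern
            "size_cv": coefficient_of_variation([o[2] for o in obs]),    # flow sizes
            "gap_cv": mean(gap_cvs) if gap_cvs else 1.0,                 # 1.0 = unknown
            "reputation": reputation.get(server[0], 0.5),                # 0.5 = unknown
        }
    return features


def cc_score(f):
    """Number of illustrative C&C indicators that fire (thresholds assumed)."""
    indicators = [
        f["size_cv"] < 0.1,      # flows of nearly identical size
        f["gap_cv"] < 0.2,       # clients contact the server on a fixed period
        f["clients"] >= 3,       # several clients share the same endpoint
        f["reputation"] > 0.7,   # external reputation corroborates
    ]
    return sum(indicators)


def flag_servers(flows, reputation, threshold=3):
    """Servers whose score reaches the threshold, for analyst review."""
    feats = extract_server_features(flows, reputation)
    return sorted(s for s, f in feats.items() if cc_score(f) >= threshold)


if __name__ == "__main__":
    for server, f in extract_server_features(SAMPLE_FLOWS, REPUTATION).items():
        print(server, cc_score(f), f)
    print("flagged:", flag_servers(SAMPLE_FLOWS, REPUTATION))
```

The reputation term only reinforces flow-derived evidence here; on its own it would not flag anything, which mirrors the abstract's use of external reputation to lower false positives rather than to drive detection.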




Engin Kirda is the Sy and Laurie Sternberg Associate Professor of Information Assurance at Northeastern University in Boston and the director of the Northeastern Information Assurance Institute. He is also a co-founder and Chief Architect at Lastline, Inc. Before moving to the US, he held faculty positions at Institute Eurecom in the French Riviera and the Technical University of Vienna, where he co-founded the Secure Systems Lab that is now distributed over five institutions in Europe and the US. Engin's recent research has focused on malware analysis (e.g., Anubis, Exposure, Fire) and detection, web application security, and practical aspects of social networking security. He co-authored more than 100 peer-reviewed scholarly publications and served on program committees of numerous international conferences and workshops. In 2009, Engin was the Program Chair of the International Symposium on Recent Advances in Intrusion Detection (RAID); in 2010/11, Program Chair of the European Workshop on Systems Security (Eurosec); and in 2012 the Program Chair of the USENIX Workshop on Large Scale Exploits and Emergent Threats. He is currently the program co-chair of NDSS, and will be chairing it in 2015.


For additional information please contact:
Georgios Portokalidis
Assistant Professor
Lieb 213
Phone: +1 201-216-8311
[email protected]