DIMVA 2007

Friday, July 20, 2007

I just got back from Switzerland, and despite numerous flight delays, cancellations, and lost luggage (thanks NWA!), it was a great trip. I presented some of my research at the Fourth International Conference on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA), and got to spend some vacation time in Zurich, Lucerne, and Milan, Italy.


Characterizing Dark DNS Behavior

The research I presented at DIMVA focused on the measurement of dark DNS, or the DNS queries associated with darknet addresses. Evidence of dark DNS activity has important implications with regards to darknet sensor deployments. Misconfiguration or improperi delegation of reverse DNS authority for darknet monitoring systems may allow evasion by an attacker via DNS reconnaissance. We characterized the dark DNS activity observed on a large operational network and presented a lightweight tool to complement existing network sensors and low-interaction honeypots by providing simple DNS services.

Both the paper and presentation are available in PDF format.

Other Papers of Interest

A Study of Malcode-Bearing Documents
Wei-Jen Li, Salvatore Stolfo, Angelos Stavrou, Elli Androulaki and Angelos Keromytis

A look at statistical static analysis techniques and their effectiveness in detecting malicious code in complex modern document formats, specifically Microsoft Word documents. As we'll undoubtedly see increasing numbers of attacks against applications which parse complex data containers such as media and document formats, this is an important area of research.

On the Effectiveness of Techniques to Detect Phishing Sites
Christian Ludl, Sean McAllister, Engin Kirda and Christopher Kruegel

Ludl et al. evaluated the effectiveness of existing blacklist-based approaches to preventing phishing attacks. They tested the blacklists provided by Google and Microsoft against a list of 10,000 phishing URLs and found that Google identified over 90% of the URLs. I personally find this result interesting as a ton of work has been done developing phishing heuristics based on the structure of the page, content, URIs, and other attributes. These complex heuristics are often inferior and more prone to false positives than a simple provider-based blacklist. KISS.


Somewhere between Zurich and Milan

Graffiti in Milan, Italy

Train station in Zurich, Switzerland

Copyright © 2021 - Jon Oberheide