<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>TIDE - Threat Identification Using Active DNS Measurements</title>
    <link>https://www.tide-project.nl/</link>
    <description>Recent content on TIDE - Threat Identification Using Active DNS Measurements</description>
    <generator>Hugo -- gohugo.io</generator>
    <language>en-us</language>
    <lastBuildDate>Thu, 21 Oct 2021 14:52:57 +0200</lastBuildDate><atom:link href="https://www.tide-project.nl/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Slides</title>
      <link>https://www.tide-project.nl/slides/</link>
      <pubDate>Thu, 21 Oct 2021 14:52:57 +0200</pubDate>
      
      <guid>https://www.tide-project.nl/slides/</guid>
      <description>Slides of the following conferences are available:
CNSM 2021 (video), WTMC 2020 (video), FIRST 2019, AIMS 2018, FOSDEM 2018, ICTOpen 2018, NOMS 2018</description>
    </item>
    
    <item>
      <title>ANYway: Measuring the Amplification DDoS Potential of Domains (preprint)</title>
      <link>https://www.tide-project.nl/publications/cnsm2021/</link>
      <pubDate>Fri, 17 Sep 2021 01:00:00 +0100</pubDate>
      
      <guid>https://www.tide-project.nl/publications/cnsm2021/</guid>
      <description>DDoS attacks threaten Internet security and stability, with attacks reaching
the Tbps range. A popular approach involves DNS-based reflection and
amplification, a type of attack in which a domain name, known to return a large
answer, is queried using spoofed requests. Do the chosen names offer the
largest amplification, however, or have we yet to see the full amplification
potential? And while operational countermeasures are proposed, chiefly limiting</description>
    </item>
    
    <item>
      <title>TXTing 101: Finding Security Issues in the Long Tail of DNS TXT Records</title>
      <link>https://www.tide-project.nl/publications/wtmc2020/</link>
      <pubDate>Tue, 01 Sep 2020 01:00:00 +0100</pubDate>
      
      <guid>https://www.tide-project.nl/publications/wtmc2020/</guid>
      <description>The DNS TXT resource record is the one that without doubt provides users with
the most flexibility of content, as it is largely unstructured. Although it
might be the ideal basis for storing any form of text-based information, it
also poses a security threat, as TXT records can also be used for malicious
and unintended practices. Yet, we reckon that TXT records are often overlooked
in security research.</description>
    </item>
    
    <item>
      <title>A Case of Identity: Detection of Suspicious IDN Homograph Domains Using Active DNS Measurements</title>
      <link>https://www.tide-project.nl/publications/eurospw2020/</link>
      <pubDate>Tue, 01 Sep 2020 00:00:00 +0100</pubDate>
      
      <guid>https://www.tide-project.nl/publications/eurospw2020/</guid>
      <description>The possibility to include Unicode characters in domain names allows users to
deal with domains in their regional languages. This is done by introducing
Internationalized Domain Names (IDN). However, the visual similarity between
different Unicode characters - called homoglyphs - is a potential security
threat, as visually similar domain names are often used in phishing attacks.
Timely detection of suspicious homograph domain names is an important step</description>
    </item>
    
    <item>
      <title>Looking beyond the horizon: Thoughts on Proactive Detection of Threats</title>
      <link>https://www.tide-project.nl/publications/dtrap2019/</link>
      <pubDate>Tue, 04 Feb 2020 10:25:00 +0100</pubDate>
      
      <guid>https://www.tide-project.nl/publications/dtrap2019/</guid>
      <description>The fourth publication for the TIDE project. The FIRST talk (see here) has
been extended into a journal paper for Digital Threats: Research and Practice
(DTRAP). In this paper we argue that we, as a security community, should move
towards proactive security. However, we shed light on both sides of the coin. We
think the ‘optimal’ way is to combine the reactive and proactive methods, to
make use of the best of both worlds.</description>
    </item>
    
    <item>
      <title>Unicode Homoglyphs</title>
      <link>https://www.tide-project.nl/blog/unicode_homoglyphs/</link>
      <pubDate>Wed, 14 Aug 2019 09:55:56 +0200</pubDate>
      
      <guid>https://www.tide-project.nl/blog/unicode_homoglyphs/</guid>
      <description>For the last couple of months Ramin Yazdani has been looking into phishing
domains using Unicode characters to appear like the target domain. In this
process he developed a new ‘confusables’ table of Unicode characters which can
easily be mistaken for their ASCII counterpart. The table is based on the
‘Unicode Confusables list’ and the ‘Unicode Similarity List’.
The proposed Unicode Confusables table can be found here.
The dataset is supplied as a ‘csv’ file where the first column represents the</description>
    </item>
    
    <item>
      <title>FIRST 2019: Defending the (Edinburgh) Castle</title>
      <link>https://www.tide-project.nl/blog/first2019/</link>
      <pubDate>Wed, 26 Jun 2019 12:33:00 +0200</pubDate>
      
      <guid>https://www.tide-project.nl/blog/first2019/</guid>
      <description>Last week was the FIRST conference in Edinburgh. TIDE was presenting a talk on
“Proactive Threat Detection”. The idea we presented at FIRST was, since a
proactive approach works well in the field of DNS, that we need to expand on
proactive detection of threats. It fit well with the theme of the conference,
Defending the Castle. Through proactive threat detection defenders are able to
mount a defense against upcoming attacks rather than getting notified when the</description>
    </item>
    
    <item>
      <title>Regular expressions, On the Pitfalls of Finding Security Issues in DNS TXT Records</title>
      <link>https://www.tide-project.nl/blog/wtmc2020/</link>
      <pubDate>Fri, 31 May 2019 08:53:00 +0200</pubDate>
      
      <guid>https://www.tide-project.nl/blog/wtmc2020/</guid>
      <description>Below are the regular expressions we have used to categorize TXT records in the
paper “On the Pitfalls of Finding Security Issues in DNS TXT Records”. This
paper is currently under submission.
A label can have multiple regular expressions attached to it; the sum of the
numbers of records they match makes up the count for the label.
The regular expressions are in a form in which they can be copy-pasted directly
into OpenINTEL’s Impala interface.</description>
    </item>
    
    <item>
      <title>DSI Symposium</title>
      <link>https://www.tide-project.nl/blog/dsi2019/</link>
      <pubDate>Fri, 01 Mar 2019 15:23:25 +0200</pubDate>
      
      <guid>https://www.tide-project.nl/blog/dsi2019/</guid>
      <description>The Digital Society Institute Symposium is next week, at which I will be giving
a talk! Of course my talk is going to be about TIDE. My talk is scheduled
around 15:30; I would like it if you would come and support me!</description>
    </item>
    
    <item>
      <title>Collection pages</title>
      <link>https://www.tide-project.nl/blog/collections/</link>
      <pubDate>Fri, 01 Mar 2019 15:19:25 +0200</pubDate>
      
      <guid>https://www.tide-project.nl/blog/collections/</guid>
      <description>Today the website has been updated. Two collection pages have been added,
Posters and Slides, listing all the available posters and slides in
an easy view.</description>
    </item>
    
    <item>
      <title>Poster</title>
      <link>https://www.tide-project.nl/posters/</link>
      <pubDate>Fri, 01 Mar 2019 15:05:57 +0200</pubDate>
      
      <guid>https://www.tide-project.nl/posters/</guid>
      <description>The following posters are available:
CSNG 2018, IMC 2018, SIGCOMM 2017</description>
    </item>
    
    <item>
      <title>Poster presentation at IMC 2018</title>
      <link>https://www.tide-project.nl/blog/imc2018/</link>
      <pubDate>Thu, 08 Nov 2018 11:35:00 +0100</pubDate>
      
      <guid>https://www.tide-project.nl/blog/imc2018/</guid>
      <description>Last week, October the 31st, was IMC, in Boston, USA. IMC is a top Internet
measurements conference. The TIDE-project was there too to promote the malware
in DNS TXT records project. We presented a poster, which drew quite a lot
of interest. People were surprised there were pieces of code in TXT records.
Below you can see the poster we have presented.
The poster shows the rise of TXT records along with what we have classified as</description>
    </item>
    
    <item>
      <title>Poster presentation at CSNG 2018</title>
      <link>https://www.tide-project.nl/blog/csng2018/</link>
      <pubDate>Wed, 17 Oct 2018 15:47:25 +0200</pubDate>
      
      <guid>https://www.tide-project.nl/blog/csng2018/</guid>
      <description>Today, October the 17th, was the fourth edition of the Cyber Security Workshop
in the Netherlands (CSNG), in The Hague. The TIDE-project was here to present a poster
on malware in DNS TXT records, our current ongoing research.
If you couldn’t make it to the CSNG Workshop, you have another chance. The
poster will be presented again at IMC 2018 in Boston, USA.</description>
    </item>
    
    <item>
      <title>New website running on Hugo</title>
      <link>https://www.tide-project.nl/blog/hugo/</link>
      <pubDate>Wed, 18 Jul 2018 10:59:56 +0200</pubDate>
      
      <guid>https://www.tide-project.nl/blog/hugo/</guid>
      <description>The TIDE website has gotten a new look. And for good reason too. We moved from
WordPress to Hugo. As security researchers we can hardly use a CMS which has
quite a few CVEs per year.
Hugo
Hugo is a framework for building static websites. Something which is
perfectly suited for the TIDE website. The website should have gotten a lot
faster as well. There are no calls to MySQL, no PHP code which needs to get</description>
    </item>
    
    <item>
      <title>People</title>
      <link>https://www.tide-project.nl/people/</link>
      <pubDate>Mon, 16 Jul 2018 15:05:09 +0200</pubDate>
      
      <guid>https://www.tide-project.nl/people/</guid>
      <description>Olivier van der Toorn (Ph.D. student, DACS group, University of Twente)
The DACS (Design and Analysis of Communication Systems) group at the University of Twente, is a leading group in the area of dependability of networked systems in Europe, with a focus on Internet Security (Sperotto, Pras) and security of critical infrastructure (Remke, Veni grant). The DACS group brings expertise in network traffic monitoring and analysis to this project, with a specific focus on network security.</description>
    </item>
    
    <item>
      <title>Reverse DNS Measurement</title>
      <link>https://www.tide-project.nl/rdns/</link>
      <pubDate>Mon, 16 Jul 2018 15:05:09 +0200</pubDate>
      
      <guid>https://www.tide-project.nl/rdns/</guid>
      <description>Hello,
we are network researchers at the University of Twente, at the Design and
Analysis of Communication Systems group. We are currently conducting a study on
the timeliness of reverse DNS entries.
If you want to be excluded from our measurement please read the sections below.
Measurement details
For our project we run two measurements: an ICMP ping scan and a reverse DNS
measurement. Both measurements run at an adaptive frequency using an</description>
    </item>
    
    <item>
      <title>Consortium</title>
      <link>https://www.tide-project.nl/consortium/</link>
      <pubDate>Mon, 16 Jul 2018 14:18:45 +0200</pubDate>
      
      <guid>https://www.tide-project.nl/consortium/</guid>
      <description>High tech, human touch. That is the University of Twente (UT). Some 3300 scientists and other professionals working together on cutting-edge research, innovations with real-world relevance and inspiring education for more than 9600 students. The Design and Analysis of Communication Systems (DACS) group at the Faculty of Electrical Engineering, Mathematics and Computer Science (EEMCS) is part of the research team.
  SURFnet is the National Research and Education Network operator for The Netherlands.</description>
    </item>
    
    <item>
      <title>About the Project</title>
      <link>https://www.tide-project.nl/about/</link>
      <pubDate>Fri, 13 Jul 2018 16:03:57 +0200</pubDate>
      
      <guid>https://www.tide-project.nl/about/</guid>
      <description>The problem
The Internet was born as an open, decentralized and scalable infrastructure supporting the visionary dream of an interconnected world of data, information and services. In the last decade we have witnessed, as never before, a booming expansion of the Internet in terms of infrastructure (e.g., available bandwidth), services (e.g., online social networks and online streaming, but also online banking and health care, to mention some), and user-generated content. The Internet is considered a means for ensuring human rights, such as freedom of speech and expression, and a structural way for educating people on democracy [4].</description>
    </item>
    
    <item>
      <title>Threat Identification Using Active DNS Measurements</title>
      <link>https://www.tide-project.nl/publications/aims2018/</link>
      <pubDate>Mon, 11 Jun 2018 00:00:00 +0200</pubDate>
      
      <guid>https://www.tide-project.nl/publications/aims2018/</guid>
      <description>The third publication for the TIDE project. It details the research
questions of this project more formally.
The DNS is a core service for the Internet. Most uses of the DNS are benign, but some are malicious. Attackers often use a DNS domain to enable an attack (e.g. DDoS attacks). Detection of these attacks often happens passively, but this leads to a reactive detection of attacks. However, registering and configuring a domain takes time.</description>
    </item>
    
    <item>
      <title>Melting the Snow: Using Active DNS Measurements to Detect Snowshoe Spam Domains</title>
      <link>https://www.tide-project.nl/publications/noms2018/</link>
      <pubDate>Thu, 03 May 2018 00:00:00 +0200</pubDate>
      
      <guid>https://www.tide-project.nl/publications/noms2018/</guid>
      <description>The second publication for the TIDE project. It has received the Best Paper Award at NOMS 2018.
Snowshoe spam is a type of spam which is notoriously hard to detect. Differently from regular spam, snowshoe spammers distribute the volume among many hosts, in order to make detection harder. To be successful, however, spammers need to appear as legitimate as possible, for example by adopting email best practices like Sender Policy Framework (SPF).</description>
    </item>
    
    <item>
      <title>Best Paper Award at NOMS 2018</title>
      <link>https://www.tide-project.nl/blog/noms2018_post/</link>
      <pubDate>Tue, 01 May 2018 00:00:00 +0200</pubDate>
      
      <guid>https://www.tide-project.nl/blog/noms2018_post/</guid>
      <description>TIDE was present at the Network Operations and Management Symposium (NOMS 2018) conference in Taipei, Taiwan. Olivier was there to present “Melting the Snow: Detecting Snowshoe Spam Domains Using Active DNS Measurements”.
NOMS 2018 was held in Taipei, Taiwan, from the 23rd till the 27th of April. NOMS has been held in every even-numbered year since 1988. This was the 30th anniversary of NOMS.
Our work was very well received at the conference.</description>
    </item>
    
    <item>
      <title>ICTOPEN 2018, Second Prize In The BCMT Award 2018</title>
      <link>https://www.tide-project.nl/blog/ictopen2018/</link>
      <pubDate>Fri, 23 Mar 2018 00:00:00 +0200</pubDate>
      
      <guid>https://www.tide-project.nl/blog/ictopen2018/</guid>
      <description>At the beginning of this week ICTOpen2018 was held in Amersfoort. An important event for ICT in the Netherlands. Many topics were visited from ‘health science’ to ‘artificial intelligence’.
Jos Wetzels, from the Technical University of Eindhoven, and Olivier van der Toorn, from the University of Twente, were the nominees for the BCMT Award 2018. This award is given to the best Master's thesis in the cybersecurity field. Seven theses were nominated, and two of them were invited to present their work at the ICTOpen conference.</description>
    </item>
    
    <item>
      <title>TIDE Goes To FOSDEM (Video Available)</title>
      <link>https://www.tide-project.nl/blog/fosdem2018/</link>
      <pubDate>Fri, 22 Dec 2017 00:00:00 +0200</pubDate>
      
      <guid>https://www.tide-project.nl/blog/fosdem2018/</guid>
      <description>FOSDEM is a yearly event in the last weekend of January (or the first weekend of February). FOSDEM stands for Free Open-Source Developer Europe Meeting. At the event, state-of-the-art open-source software is discussed, presented and enjoyed. This year there is a DNS devroom. On Sunday at 11:35 Olivier will hold a talk there titled ‘Melting the Snow: Using Active DNS Measurements to Detect Snowshoe Spam Domains’.
Since the event is entirely free, be sure to visit!</description>
    </item>
    
    <item>
      <title>TIDE Won First Prize</title>
      <link>https://www.tide-project.nl/blog/ctit2017/</link>
      <pubDate>Wed, 22 Nov 2017 00:00:00 +0200</pubDate>
      
      <guid>https://www.tide-project.nl/blog/ctit2017/</guid>
      <description>TIDE has won the CTIT Symposium Ph.D. “1 minute madness” event!!!
During the CTIT Symposium 2017 “Internet of Things is ready. What about us?” there was the Ph.D. “1 minute madness” event. All of the winners from the previous round got the opportunity to present their work again in a single minute.
It was quite a challenge to compress all you want to say into a single minute. However, the feedback I got after my presentation was great.</description>
    </item>
    
    <item>
      <title>Snowshoe Spam Detection Through DNS Measurements</title>
      <link>https://www.tide-project.nl/blog/snowshoe_spam/</link>
      <pubDate>Thu, 19 Oct 2017 00:00:00 +0200</pubDate>
      
      <guid>https://www.tide-project.nl/blog/snowshoe_spam/</guid>
      <description>Snowshoe Spam
We started the TIDE project with Snowshoe Spam domain detection. But what is Snowshoe Spam? In Snowshoe Spam the spammer tries to spread the sending load over numerous hosts, thus reducing the amount of spam each host sends. This makes each individual host hard to detect. It means that the spammer is less likely to end up on spam reputation lists (blacklists) and is therefore able to continue spamming for longer.</description>
    </item>
    
    <item>
      <title>CTIT: Your Research, A Poster Presentation To Kick-Off This Project</title>
      <link>https://www.tide-project.nl/blog/ctit_post_presentation/</link>
      <pubDate>Thu, 21 Sep 2017 00:00:00 +0200</pubDate>
      
      <guid>https://www.tide-project.nl/blog/ctit_post_presentation/</guid>
      <description>The CTIT’s annual event “Your Research @ CTIT” aims to bring together PhD/Postdoc researchers from all the 21 CTIT research groups from the University of Twente. Researchers will have the opportunity here to present their ongoing research project to their CTIT colleagues. The event this year will be held on 3 October 2017 from 15:00 till 18:00 at the Ravelijn Atrium. TIDE will be presenting the poster originally made for SIGCOMM (see this post for details).</description>
    </item>
    
    <item>
      <title>Tide: Threat Identification Using Active DNS Measurements, Poster Submission To SIGCOMM 2017</title>
      <link>https://www.tide-project.nl/blog/sigcomm2017/</link>
      <pubDate>Tue, 29 Aug 2017 00:00:00 +0200</pubDate>
      
      <guid>https://www.tide-project.nl/blog/sigcomm2017/</guid>
      <description>This is the first publication for this project, a poster submission to SIGCOMM 2017. It details three use cases of Threat Identification Using Active DNS Measurements: DDoS attacks, snowshoe spam and CEO fraud.
Clicking the image will show the full resolution poster. Clicking here will take you to the poster abstract. Below are the details of the publication.
The Domain Name System contains a wealth of information about the security, stability and health of the Internet.</description>
    </item>
    
  </channel>
</rss>
