network defense
Recently Published Documents


Total documents: 184 (five years: 37)

H-index: 14 (five years: 2)

2021 ◽  
pp. 102480
Author(s):  
Xiaohu Liu ◽  
Hengwei Zhang ◽  
Shuqin Dong ◽  
Yuchen Zhang

2021 ◽  
Vol 14 (3) ◽  
Author(s):  
Matthew Timothy Campo ◽  
Subhojeet Mukherjee ◽  
Jeremy Daily

Author(s):  
Ardian Oktadika ◽  
Charles Lim ◽  
Kalpin Erlangga

2021 ◽  
Vol 2 (3) ◽  
pp. 1-22
Author(s):  
Leigh Metcalf ◽  
Jonathan M. Spring

Malware authors use domain generation algorithms to establish more reliable communication methods that can avoid reactive defender blocklisting techniques. Network defense has sought to supplement blocklists with methods for detecting machine-generated domains. We present a repeatable evaluation and comparison of the available open source detection methods. We designed our evaluation with multiple interrelated aspects, to improve both interpretability and realism. In addition to evaluating detection methods, we assess the impact of the domain generation ecosystem on prior results about the nature of blocklists and how they are maintained. The results of the evaluation of open source detection methods find that all methods are inadequate for practical use. The results of the blocklist impact study find that generated domains decrease the overlap among blocklists; however, while the effect is large in relative terms, the baseline is so small that the core conclusions of the prior work are sustained. Namely, that blocklist construction is very targeted, context-specific, and as a result blocklists do not overlap much. We recommend that Domain Generation Algorithm detection should also be similarly narrowly targeted to specific algorithms and specific malware families, rather than attempting to create general-purpose detection for machine-generated domains.


Author(s):  
Alexander Bajic ◽  
Georg T. Becker

Abstract: With numbers of exploitable vulnerabilities and attacks on networks constantly increasing, it is important to employ defensive techniques to protect one’s systems. A wide range of defenses are available and new paradigms such as Moving Target Defense (MTD) rise in popularity. But to make informed decisions on which defenses to implement, it is necessary to evaluate their effectiveness first. In many cases, the full impact these techniques have on security is not well understood yet. In this paper we propose network defense evaluation based on detailed attack simulation. Using a flexible modeling language, networks, attacks, and defenses are described in high detail, yielding a fine-grained scenario definition. Based on this, an automated instantiator generates a wide range of realistic benchmark networks. These serve to perform simulations, allowing to evaluate the security impact of different defenses, both quantitatively and qualitatively. A case study based on a mid-sized corporate network scenario and different Moving Target Defenses illustrates the usefulness of this approach. Results show that virtual machine migration, a frequently suggested MTD technique, more often degrades than improves security. Hence, we argue that evaluation based on realistic attack simulation is a qualified approach to examine and verify claims of newly proposed defense techniques.


Author(s):  
Yan Yan ◽  
Jiatao Li ◽  
Jingjing Zhang

Abstract: This study examines firm internal network structures as a defense of intellectual property rights (IPR) in high-risk environments with inadequate IPR protection. Specifically, we investigate firm social and knowledge-based network structures individually. A foreign subsidiary can intensify social complexity by strengthening the small-worldness in its collaboration networks and attenuate knowledge-relatedness by decreasing the small-worldness in its knowledge networks. In a subsidiary, the effectiveness of these measures depends to some extent on the parent firm’s experience in the host country. Longitudinal data on 401 foreign subsidiaries in the pharmaceutical industry from 1980 to 2017 have been analyzed in a quasi-experiment using difference-in-differences and two-stage regression. The results provide empirical support for these ideas. Findings highlight the explanatory power of internal network structures when discussing knowledge protection and show the utility of taking an internal network defense perspective in examining IPR protection.

