RISS Academic Research Information Service

      • SCI, SCIE, SCOPUS

        Leakage of .onion at the DNS Root: Measurements, Causes, and Countermeasures

        Mohaisen, Aziz; Ren, Kui. IEEE, 2017. IEEE/ACM transactions on networking, Vol.25 No.5

        The Tor hidden services, one of the features of the Tor anonymity network, are widely used for providing anonymity to services within the Tor network. Tor uses the .onion pseudo-top-level domain for naming convention and to route requests to these hidden services. The .onion namespace is not delegated to the global domain name system (DNS), and Tor is designed in such a way that all .onion queries are routed within the Tor network. However, and despite the careful design of Tor, numerous .onion requests are still today observed in the global DNS infrastructure, thus calling for further investigation. In this paper, we present the state of .onion requests received at the global DNS and as viewed from two large DNS traces: a continuous period of observation at the A and J DNS root nodes over a longitudinal period of time and a synthesis of Day In The Life of the Internet data repository that gathers a synchronized DNS capture of two days per year over multiple years. We found .onion leakage in the DNS infrastructure to be both prevalent and persistent. Our characterization of the leakage shows various features, including high volumes of leakage that are diverse, geographically distributed, and targeting various types of hidden services. Furthermore, we found that various spikes in the .onion request volumes can be correlated with various global events, including geopolitical events. We attribute the leakage to various causes that are plausible based on various assessments, and provide various remedies with varying benefits.

      • The Sybil Attacks and Defenses

        Aziz Mohaisen; Joongheon Kim. 한국산학기술학회, 2013. SmartCR, Vol.3 No.6

        In this paper we take a close look at the Sybil attack and advances in defending against it, with particular emphasis on recent work. We identify three major veins in the research literature that describe ways to defend against the attack: using trusted certification, using resource testing, and using social networks. The first vein in the literature considers defending against the attack using trusted certification, which is done by either centralized certification or distributed certification using cryptographic primitives that can replace the centralized certification entity. The second vein in the literature considers defending against the attack by testing resources, which can be in the form of IP testing, network coordinates, or recurring cost (e.g., by requiring clients to solve puzzles). The third and last vein in the literature is by mitigating the attack, combining social networks used as bootstrap security and tools from random walk theory, which was shown to be effective in defending against the attack under certain assumptions. Our survey and analyses of the different schemes in the three veins in the literature show several shortcomings, which form several interesting directions and research questions worthy of investigation.

      • HTTP-based Smart Transportation of DNS Queries and Applications

        Aziz Mohaisen; Manar Mohaisen. 한국산학기술학회, 2015. SmartCR, Vol.5 No.4

        In this paper we introduce a system, called DJSON, which enables HTTP transport of Domain Name System traffic. DJSON enables re-encoding of the existing Domain Name System message format, so that it can traverse hostile territory with confidence without modifying the underlying Domain Name System design. In DJSON, Domain Name System messages are sent and received with a properly formatted HTML using a JSON encoding that allows bidirectional mapping to and from traditional Domain Name System transport encodings. This guarantees that interoperability is no worse than it is today. HTTP can be used to work around the problem where middle boxes have interoperability problems. DJSON aims to solve several real-world and operational problems. DJSON is designed to “bridge” Domain Name System across areas where Domain Name System packets might be mangled, deliberately modified or blocked. DJSON further aims to enable and address improved reliability, availability, and security. Detailed discussions, experiments run on a prototype of DJSON, and analysis show the effectiveness and relevance of our work.

      • KCI-indexed

        Characterizing Collaboration in Social Network-enabled Routing

        Manar Mohaisen; Aziz Mohaisen. 한국인터넷정보학회, 2016. KSII Transactions on Internet and Information Syst, Vol.10 No.4

        Connectivity and trust in social networks have been exploited to propose applications on top of these networks, including routing, Sybil defenses, and anonymous communication systems. In these networks, and for such applications, connectivity ensures good performance of applications while trust is assumed to always hold, so that collaboration and good behavior are always guaranteed. In this paper, we study the impact of differential behavior of users on performance in typical social network-enabled routing applications. We classify users into either collaborative or rational (probabilistically collaborative) and study the impact of this classification and the associated behavior of users on the performance of such applications, including random walk-based routing, shortest path based routing, breadth-first-search based routing, and Dijkstra routing. By experimenting with real-world social network traces, we make several interesting observations. First, we show that some of the existing social graphs have high routing costs, demonstrating poor structure that prevents their use in such applications. Second, we study the factors that make probabilistically collaborative nodes important for the performance of the routing protocol within the entire network and demonstrate that the importance of these nodes stems from their topological features rather than their percentage of all the nodes within the network.

      • Mal-Netminer: Malware Classification Approach Based on Social Network Analysis of System Call Graph

        Jang, Jae-wook; Woo, Jiyoung; Mohaisen, Aziz; Yun, Jaesung; Kim, Huy Kang. Hindawi Limited, 2015. Mathematical problems in engineering, Vol.2015 No.-

        As the security landscape evolves over time, where thousands of species of malicious codes are seen every day, antivirus vendors strive to detect and classify malware families for efficient and effective responses against malware campaigns. To enrich this effort and by capitalizing on ideas from the social network analysis domain, we build a tool that can help classify malware families using features driven from the graph structure of their system calls. To achieve that, we first construct a system call graph that consists of system calls found in the execution of the individual malware families. To explore distinguishing features of various malware species, we study social network properties as applied to the call graph, including the degree distribution, degree centrality, average distance, clustering coefficient, network density, and component ratio. We utilize features driven from those properties to build a classifier for malware families. Our experimental results show that “influence-based” graph metrics such as the degree centrality are effective for classifying malware, whereas the general structural metrics of malware are less effective for classifying malware. Our experiments demonstrate that the proposed system performs well in detecting and classifying malware families within each malware class with accuracy greater than 96%.

      • SCIE, SCOPUS

        Two-Thumbs-Up: Physical protection for PIN entry secure against recording attacks

        Nyang, DaeHun; Kim, Hyoungshick; Lee, Woojoo; Kang, Sung-bae; Cho, Geumhwan; Lee, Mun-Kyu; Mohaisen, Aziz. Elsevier, 2018. Computers & security, Vol.78 No.-

        We present a new Personal Identification Number (PIN) entry method for smartphones that can be used in security-critical applications, such as smartphone banking. The proposed “Two-Thumbs-Up” (TTU) scheme is resilient against observation attacks such as shoulder-surfing and camera recording, and guides users to protect their PIN information from eavesdropping by shielding the challenge area on the touch screen. To demonstrate the feasibility of TTU, we conducted a user study for TTU, and compared it with existing authentication methods (Normal PIN, Black and White PIN, and ColorPIN) in terms of usability and security. The study results demonstrate that TTU is more secure than other PIN entry methods in the presence of an observer recording multiple authentication sessions.

      • Analyzing and Detecting Emerging Internet of Things Malware: A Graph-Based Approach

        Alasmary, Hisham; Khormali, Aminollah; Anwar, Afsah; Park, Jeman; Choi, Jinchun; Abusnaina, Ahmed; Awad, Amro; Nyang, Daehun; Mohaisen, Aziz. IEEE, 2019. IEEE Internet of things journal, Vol.6 No.5

        The steady growth in the number of deployed Internet of Things (IoT) devices has been paralleled with an equal growth in the number of malicious software (malware) targeting those devices. In this paper, we build a detection mechanism of IoT malware utilizing control flow graphs (CFGs). To motivate our detection mechanism, we contrast the underlying characteristics of IoT malware to other types of malware—Android malware, which are also Linux-based—across multiple features. The preliminary analyses reveal that the Android malware have high density, strong closeness and betweenness, and a larger number of nodes. We show that IoT malware samples have a large number of edges despite a smaller number of nodes, which demonstrate a richer flow structure and higher complexity. We utilize those various characterizing features as a modality to build a highly effective deep learning-based detection model to detect IoT malware. To test our model, we use CFGs of about 6000 malware and benign IoT disassembled samples, and show a detection accuracy of $\approx 99.66$%.
