Event Details

Assessing the Effectiveness of Snort in Detecting Malicious URLs

Presenter: Simbarashe Zuva
Supervisor:

Date: Wed, August 9, 2023
Time: 14:00:00 - 15:00:00
Place: via Zoom - please see link below

Zoom Meeting Link:

https://uvic.zoom.us/j/81232816893?pwd=Nm42TzM2SldDL1hFd0U4UWw1U3VUQT09

Meeting ID: 812 3281 6893

Password: 256518

One tap mobile

+17789072071,,81232816893#,,,,0#,,256518# Canada

+16475580588,,81232816893#,,,,0#,,256518# Canada

Dial by your location

+1 778 907 2071 Canada

+1 647 558 0588 Canada

Find your local number: https://uvic.zoom.us/u/kcgpyaLCw9

Abstract:

Web attacks have been on the rise in recent years, and organisations are constantly searching for new and better ways to detect and block the corresponding attack vectors. Some of the prominent attributes of web attack vectors are the malicious domains used to trigger or sustain these attacks, for instance by launching phishing campaigns or by hosting command and control (C&C) infrastructure. Accurately detecting and blocking malicious domains has become increasingly difficult because attackers mask their activities by emulating legitimate network traffic to a high degree and through tactics such as domain generation algorithms (DGA) and fast flux DNS. Snort, an open-source intrusion detection system, has traditionally been used to detect network intrusions through signature analysis of network traffic. While Snort has subsequently been extended to detect web attacks, its effectiveness in detecting malicious domains is questionable because of the coarse-grained nature of web attack signatures. At the same time, it is reasonable to assume an implicit relation between granular attacks and the usage or occurrence of malicious domains. In this project, a platform is developed to explore and experimentally assess Snort's ability to detect malicious domains. The proposed approach extracts useful indicators of compromise (IoC) from the granular Snort alerts triggered by web visits and leverages that information to establish whether the corresponding URLs are benign or malicious. The platform was built around a headless Chrome browser and the pfSense open-source firewall, which has a built-in Snort engine. The experimental evaluation, conducted using a public dataset of benign and malicious domains, yielded important insights into the strengths and limitations of Snort in detecting malicious domains and helped identify directions for future improvements.
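The pipeline the abstract describes, reduced to its core, as an added example that is not the presented platform's code: Snort "fast" alert lines raised during headless-browser visits are parsed, attributed back to the visited URL via the server IP the visit contacted, filtered by alert priority, and the resulting verdicts are scored against dataset labels. The alert lines, IP-to-URL mapping, rule SIDs and labels below are all constructed for illustration.

```python
import re
from collections import defaultdict

# Snort "fast" alert line: timestamp, [gid:sid:rev], message, optional
# classification, priority, protocol, src:port -> dst:port.
FAST_ALERT = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_alert(line):
    """Return the alert fields as a dict, or None for lines that are not alerts."""
    m = FAST_ALERT.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    a["prio"] = int(a["prio"])  # Snort priority: 1 is the most severe
    return a

def classify_urls(alert_lines, visits, max_priority=2):
    """Mark a visited URL malicious if any alert of priority <= max_priority
    targeted the server IP that visit contacted; otherwise treat it as benign."""
    sids = defaultdict(set)  # URL -> rule SIDs that fired (the extracted IoCs)
    for line in alert_lines:
        a = parse_alert(line)
        if a and a["prio"] <= max_priority and a["dst"] in visits:
            sids[visits[a["dst"]]].add(a["sid"])
    return {url: bool(sids[url]) for url in visits.values()}

def evaluate(predicted, labels):
    """Precision, recall and false-positive rate of the verdicts against ground truth."""
    tp = sum(predicted[u] and labels[u] for u in labels)
    fp = sum(predicted[u] and not labels[u] for u in labels)
    fn = sum(not predicted[u] and labels[u] for u in labels)
    tn = sum(not predicted[u] and not labels[u] for u in labels)
    return {"precision": tp / (tp + fp or 1),
            "recall": tp / (tp + fn or 1),
            "fpr": fp / (fp + tn or 1)}

# Constructed sample data: server IP contacted by each headless-browser visit,
# ground-truth labels (True = malicious) and alerts Snort raised (local-range SIDs).
VISITS = {"203.0.113.5": "http://bad-example.test/login",
          "203.0.113.9": "http://dga-example.test/",
          "198.51.100.7": "http://good-example.test/"}
LABELS = {"http://bad-example.test/login": True,
          "http://dga-example.test/": True,
          "http://good-example.test/": False}
ALERTS = [
    "08/09-14:00:01.000001  [**] [1:1000001:1] LOCAL Phishing kit path requested [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.10:51234 -> 203.0.113.5:80",
    "08/09-14:00:05.000002  [**] [1:1000002:1] LOCAL Policy uncommon user-agent [**] [Priority: 3] {TCP} 192.168.1.10:51240 -> 198.51.100.7:80",
    "not an alert line",
]
```

Running `evaluate(classify_urls(ALERTS, VISITS), LABELS)` on this sample gives perfect precision but 0.5 recall: the DGA domain produced no alert at all, which is exactly the coarse-signature limitation the abstract raises.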