Network Operations and Internet Security @ UChicago

Network Security


Our research group tackles a variety of problems related to network security.  In 2005, we were developed the first network-level spam filtering algorithms.  Since that initial work, we have continued work on a variety of network security projects related to spams, scams, and message abuse.  More recently, we have been studying information manipulation attacks and user privacy on the Web.

Early Domain Name Reputation

The Internet’s domain name system (DNS) maps domain names to IP addresses.  Attackers who launch message abuse attacks (e.g., spam campaigns, phishing attacks) often misuse the DNS to direct victims to transient sites where content is temporarily hosted.  Identifying the reputation of a domain name can be useful for identifying attacks and protecting users from interacting with malicious domains.  Unfortunately, conventional approaches for establishing domain name reputation typically first require analyzing client lookup patterns to a particular domain, which is often too late, since these lookups may only result from users falling victim to an attack.

To solve these problems, we are developing mechanisms to establish early domain name reputation at registration time, before any lookups have taken place at all.  This work, in collaboration with ICSI and Verisign, has resulted in several patents at Verisign.

Propaganda in Twitter

The study identifies four characteristic behaviors of Twitter hyperadvocates, whose actions clearly separate them from the tweeting behavior of typical users. This work was led by Cristian Lumezanu and performed in collaboration with Associate Professor Hans Klein of Georgia Tech’s School of Public Policy.

The study examined tweets from two recent politically charged U.S. events: the 2010 U.S. Senate race in Nevada and the 2011 debate over raising the U.S. debt ceiling. Collecting tweets that used the hashtags #nvsen and #debtceiling, the researchers were able to gather approximately 80 percent of all tweets on those issues during the time frame under study. From a dataset of nearly 100,000 tweets for the two issues combined, Feamster and his colleagues identified the following behaviors that characterize propagandistic activities on Twitter by users on both sides of the partisan aisle:

1. Sending high volumes of tweets over short periods of time;
2. Retweeting while publishing little original content;
3. Quickly retweeting others’ content; and
4. Coordinating with other, seemingly unrelated users to send duplicate or near-duplicate messages on the same topic simultaneously.

Read more.

Dynamics of Online Scam Hosting Infrastructure

We study the dynamics of scam hosting infrastructure, with an emphasis on the role of fast-flux service networks. By monitoring changes in DNS records of over 350 distinct spam-advertised domains collected from URLs in 115,000 spam emails received at a large spam sinkhole, we measure the rates and locations of remapping DNS records, and
the rates at which “fresh” IP addresses are used. We find that, unlike the short-lived nature of the scams themselves, the infrastructure that hosts these scams has relatively persistent features that may ultimately assist detection.


The data sets we gathered for the above study can be downloaded here.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s