DNS Security in a Cloud Context 

DNS is one of the key protocols abused by malware and intruders at several stages of the cyber kill chain: for network discovery and lateral movement across the victim network, for beaconing out to C2 to fetch the next set of instructions, and as a covert channel for data exfiltration. The aim of this project is to analyze DNS requests, responses and logs to identify suspicious or malicious DNS activity at scale, ideally inline. Domain and IP analysis from DNS could involve correlating domains and IPs from DNS logs with OSINT and passive DNS (PDNS) for known-bad IPs and domains, certificate analysis and fingerprinting to identify phony certificates, geolocation analysis to identify suspect locations, and behavioral anomaly detection to identify suspicious behavior. With the recent surge in attacks, especially ransomware against SMBs and enterprises alike, businesses are spending millions of dollars on cybersecurity, both on building homegrown security systems and teams and on acquiring cybersecurity startups that can analyze logs at scale to identify breaches. Hence this is a timely project that combines elements of big data, AI/ML and behavioral analysis to secure a protocol that malware and attackers abuse in one or more ways to compromise businesses and networks.
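To make the two cheapest of the analysis dimensions above concrete, here is a small offline triage pass added as an illustration (it is not code from the project, from Arctic Wolf, or from Cascade). It correlates queried domains against a known-bad list standing in for an OSINT / PDNS feed, and applies two behavioral checks that cover the beaconing and exfiltration cases: a per-client query burst to one registered domain, and a long, high-entropy leftmost label of the kind that encoded-data tunnels and DGAs produce. The log line format, the blocklist, the thresholds and the sample lines are all constructed assumptions; a real resolver's log format and a real threat feed would replace them.

```python
"""Added example: offline DNS log triage (constructed format and data)."""
import math
import re
from collections import Counter, defaultdict

# Constructed log format (hypothetical, not a real resolver's):
#   "<epoch_seconds> <client_ip> <qname> <qtype>"
LOG_RE = re.compile(r"^(\d+) (\S+) (\S+) (A|AAAA|TXT|CNAME|MX)$")

# Constructed known-bad domains standing in for an OSINT / passive-DNS feed.
KNOWN_BAD = {"bad-c2.example", "malicious.example"}


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, qtype = m.groups()
    return {"ts": int(ts), "client": client,
            "qname": qname.rstrip(".").lower(), "qtype": qtype}


def registered_domain(qname):
    # Naive last-two-labels rule; production code would use the Public Suffix List.
    parts = qname.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else qname


def label_entropy(label):
    """Shannon entropy (bits per character) of one DNS label."""
    if not label:
        return 0.0
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def triage(lines, burst_window=60, burst_threshold=20,
           entropy_threshold=3.5, min_label_len=20):
    """Return (kind, client, indicator) findings for a batch of log lines."""
    findings = []
    per_client_domain = defaultdict(list)  # (client, registered domain) -> timestamps
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped, never crash the pass
        rd = registered_domain(rec["qname"])
        if rd in KNOWN_BAD:
            findings.append(("known_bad", rec["client"], rec["qname"]))
        # The leftmost label is where tunnels and DGAs put their noise.
        first = rec["qname"].split(".")[0]
        if len(first) >= min_label_len and label_entropy(first) >= entropy_threshold:
            findings.append(("high_entropy_label", rec["client"], rec["qname"]))
        per_client_domain[(rec["client"], rd)].append(rec["ts"])
    # Sliding-window burst detection per (client, registered domain).
    for (client, rd), stamps in per_client_domain.items():
        stamps.sort()
        lo = 0
        for hi in range(len(stamps)):
            while stamps[hi] - stamps[lo] > burst_window:
                lo += 1
            if hi - lo + 1 >= burst_threshold:
                findings.append(("query_burst", client, rd))
                break
    return findings


# Constructed sample log: one benign lookup, one known-bad domain, one
# high-entropy label, and a 25-query burst to a single domain inside 25 seconds.
SAMPLE_LOG = [
    "1700000000 10.0.0.7 www.example.com A",
    "1700000000 10.0.0.5 www.bad-c2.example A",
    "1700000001 10.0.0.5 4f8a1c9e2b7d6a0f3e5c.tunnel.example TXT",
    "this line is not a log record",
] + [f"{1700000000 + i} 10.0.0.9 s{i}.burst.example A" for i in range(25)]


def run_sample():
    return triage(SAMPLE_LOG)


if __name__ == "__main__":
    for kind, client, indicator in run_sample():
        print(f"{kind:20s} {client:10s} {indicator}")
```

The three checks are deliberately independent so that each can later become its own Cascade stage feeding one combined verdict; the per-domain time series kept by the burst check is also the natural input for a learned model once the public data sets mentioned below are available.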

Arctic Wolf has identified some public data sets (logs) suitable for use in training an expert system, and can also show a team how to do dynamic log capture in real-time on standard Linux platforms.  A smaller team would do a bit less, while a larger one could tackle more dimensions of this challenge.


One of Abdul's goals is to recruit great students for internships or jobs.  But at this particular instant, he is also interested in using this cloud computing project to "vet" a Cornell research platform called Cascade for use in security settings.  With this in mind, the project will use Cascade to build a real-time log analytics system with multiple IP and domain analysis capabilities that can then be combined to determine whether DNS activity is benign or malicious, and why.  Also, the setup should not be super complicated.  Within the cloud computing course team, Alicia knows a lot about Cascade (she implemented part of it), and there is also a person named Weijia Song who can provide a bit of guidance if needed (he implemented the majority of the system).  In the very best case, we could write a small paper about this project; in the worst case, we would still all learn a ton about how to deploy Cascade in a scenario such as this one.


You need to contact Abdul Sattar to apply for this opportunity.

Unlike the majority of cloud computing projects, this DNS security project is mentored, and you need a certain level of comfort with systems programming and AI tools to be able to do it.  Not everyone would be able to take the project on (you would need background similar to what you might get in a Cornell 4xxx course on systems programming, or on security).  With this in mind, I'll be interviewing any candidates before selecting the team or teams I'm going to supervise, and I also plan to limit the number of people if somehow there is a ton of demand for this particular project.  Email to: Abdul Sattar.  Please include your CV as an attachment, using PDF format, and in your email itself, outline your interests and why this project is the ideal one for you!