Project

DNS Abuse and Active Authentication: Applications of Machine Learning in Cyber Security

In today’s digital world, cyber security is essential for a fair and well-functioning society. People, as well as companies and governments, must be able to trust their computers, mobile devices and the services they use from companies and governments.

An important element of cyber security is the fight against cyber crime. This fight has surpassed the deployment of ‘passive infrastructure’ such as firewalls and access control systems into an arms race between cyber criminals and cyber security practitioners. In this arms race, cyber security can benefit from the evolutions in machine learning to detect and prevent cyber criminal activity as well as to strengthen the authentication systems protecting users and assets.
In this dissertation, we explore the benefits of machine learning for cyber security in two quite distinct domains: preventing abuse of the Internet domain name system, and Active Authentication for improving user authentication.

In our work related to the abuse of the domain name system, we present Premadoma: a system employing machine learning to predict malicious domain name registrations already at the time of registration. It was successfully deployed at EURid vzw, the .eu top level domain registry, where it contributed to the takedown of 58,966 malicious domain names in 2018 and resulted in an impressive reduction in malicious domain name registrations at this registry. Furthermore, we compared two different state-of-the-art methods for detecting algorithmically generated domain names, such as those used by botnets for contacting their command and control server. We show that a deep-learning-based detection approach outperforms traditional machine learning, and we present a new domain generation algorithm to demonstrate that knowledge of manually engineered feature sets, such as those used by traditional machine learning systems, can be abused to evade detection.

In our work related to Active Authentication, we show that even a very simple feature, such as the mobile phone battery charge level, can contribute to active authentication, but that it is imperative to use realistic attacker models in order to obtain valid performance figures. We look at photoplethysmography as an anti-spoofing technique in face authentication, showing that in this domain, too, the lack of good attacker models can result in a weak anti-spoofing system. We propose a novel photoplethysmography-based system which has a stronger resilience against spoofing. Finally, we look at the field of face authentication anti-spoofing in general, showing that the methods used in this field sometimes hinder security, and we accordingly formulate a number of recommendations.
In this dissertation, we demonstrate that machine learning has valuable tools to offer for the detection and prevention of cyber criminal activities as well as for strengthening the protection offered by authentication systems. In both areas, we observe that knowledge of the attacker is important and that utilization of adversarial techniques can be beneficial for cyber security.

Date: 10 Nov 2014 → 12 Jun 2020
Keywords: cyber security, machine learning
Disciplines: Applied mathematics in specific fields, Computer architecture and networks, Distributed computing, Information sciences, Information systems, Programming languages, Scientific computing, Theoretical computer science, Visual computing, Other information and computing sciences
Project type: PhD project