Towards understanding the lifecycle of malicious network infrastructure

Author(s)
Avgetidis, Athanasios
Organizational Unit
School of Computer Science
Abstract
Network infrastructure is an important component of malicious cyber operations. From novice attacks conducted by script kiddies to highly sophisticated threats backed by nation-states, network infrastructure is used for command and control, data exfiltration, malware hosting, and social engineering, among other purposes. Over the years, several studies have focused on detecting, blocking, and characterizing malicious infrastructure, but the temporal dynamics of how this infrastructure changes over time, and the characteristics of the stakeholders interacting with it, have often been overlooked. This thesis shows that the temporal analysis of malicious infrastructure reveals network attributes that can characterize the stakeholders that interact with it. The systematic analysis of such network attributes can aid the accurate discovery of previously unreported malicious infrastructure and increase our awareness of the behaviors of the stakeholders that interact with it. Through longitudinal empirical studies and novel methodologies, this thesis demonstrates the importance of accounting for the temporal dynamics of malicious network infrastructure. Specifically, it introduces a novel methodology that accurately identifies historically utilized IP infrastructure from the domain names of sophisticated threats, expanding the publicly reported IP knowledge by 3.06 times. It also shows how the temporal analysis of malicious network infrastructure can help threat analysts and security practitioners better understand the quantitative distributions of the network interactions of the stakeholders (i.e., scanners, security vendors, victims, and threat actors). More precisely, this thesis pinpoints the minimum network log retention window for uncovering at least 90% of the infrastructure of sophisticated attacks at 25 months, and characterizes for the first time the lifecycle of network requests to malware-related domain names as observed from the upper DNS hierarchy. These insights have applicable takeaways for log retention policies for network data and for victim and infrastructure analysis studies that use DNS datasets.
Date
2025-07-29
Resource Type
Text
Resource Subtype
Dissertation