55 research outputs found

    Phoenix: DGA-Based Botnet Tracking and Intelligence

    Abstract. Modern botnets rely on domain-generation algorithms (DGAs) to build resilient command-and-control infrastructures. Given the prevalence of this mechanism, recent work has focused on the analysis of DNS traffic to recognize botnets based on their DGAs. While previous work has concentrated on detection, we focus on supporting intelligence operations. We propose Phoenix, a mechanism that, in addition to telling DGA- and non-DGA-generated domains apart using a combination of string and IP-based features, characterizes the DGAs behind them, and, most importantly, finds groups of DGA-generated domains that are representative of the respective botnets. As a result, Phoenix can associate previously unknown DGA-generated domains to these groups, and produce novel knowledge about the evolving behavior of each tracked botnet. We evaluated Phoenix on 1,153,516 domains, including DGA-generated domains from modern, well-known botnets: without supervision, it correctly distinguished DGA- vs. non-DGA-generated domains in 94.8 percent of the cases, characterized families of domains that belonged to distinct DGAs, and helped researchers “on the field” in gathering intelligence on suspicious domains to identify the correct botnet.

    Analyzing the Real-World Applicability of DGA Classifiers

    Separating benign domains from domains generated by DGAs with the help of a binary classifier is a well-studied problem for which promising performance results have been published. The corresponding multiclass task of determining the exact DGA that generated a domain enabling targeted remediation measures is less well studied. Selecting the most promising classifier for these tasks in practice raises a number of questions that have not been addressed in prior work so far. These include the questions on which traffic to train in which network and when, just as well as how to assess robustness against adversarial attacks. Moreover, it is unclear which features lead a classifier to a decision and whether the classifiers are real-time capable. In this paper, we address these issues and thus contribute to bringing DGA detection classifiers closer to practical use. In this context, we propose one novel classifier based on residual neural networks for each of the two tasks and extensively evaluate them as well as previously proposed classifiers in a unified setting. We not only evaluate their classification performance but also compare them with respect to explainability, robustness, and training and classification speed. Finally, we show that our newly proposed binary classifier generalizes well to other networks, is time-robust, and able to identify previously unknown DGAs. Comment: Accepted at The 15th International Conference on Availability, Reliability and Security (ARES 2020)

    Sex differences in the efficacy and safety of SARS-CoV-2 vaccination in residents of long-term care facilities: insights from the GeroCovid Vax study

    Despite the reported sex-related variations in the immune response to vaccination, whether the effects of SARS-CoV-2 vaccination differ by sex is still under debate, especially considering old vulnerable individuals, such as long-term care facilities (LTCFs) residents. This study aimed to evaluate COVID-19 infections, adverse events, and humoral response after vaccination in a sample of LTCF residents. A total of 3259 LTCF residents (71% females; mean age: 83.4 +/- 9.2 years) were enrolled in the Italian-based multicenter GeroCovid Vax study. We recorded the adverse effects occurring during the 7 days after vaccine doses and COVID-19 cases over 12 months post-vaccination. In a subsample of 524 residents (69% females), pre- and post-vaccination SARS-CoV-2 trimeric S immunoglobulin G (Anti-S-IgG) were measured through chemiluminescent assays at different time points. Only 12.1% of vaccinated residents got COVID-19 during the follow-up, without any sex differences. Female residents were more likely to have local adverse effects after the first dose (13.3% vs. 10.2%, p = 0.018). No other sex differences in systemic adverse effects and for the following doses were recorded, as well as in anti-S-IgG titer over time. Among the factors modifying the 12-month anti-S-IgG titers, mobility limitations and depressive disorder were more likely to be associated with higher and lower levels in the antibody response, respectively; a significantly lower antibody titer was observed in males with cardiovascular diseases and in females with diabetes or cognitive disorders. The study suggests that, among LTCF residents, SARS-CoV-2 vaccination was effective regardless of sex, yet sex-specific comorbidities influenced the antibody response. Local adverse reactions were more common in females

    Interferon regulatory factor 8-deficiency determines massive neutrophil recruitment but T cell defect in fast growing granulomas during tuberculosis

    Following Mycobacterium tuberculosis (Mtb) infection, immune cell recruitment in lungs is pivotal in establishing protective immunity through granuloma formation and neogenesis of lymphoid structures (LS). Interferon regulatory factor-8 (IRF-8) plays an important role in host defense against Mtb, although the mechanisms driving anti-mycobacterial immunity remain unclear. In this study, IRF-8 deficient mice (IRF-8−/−) were aerogenously infected with a low-dose Mtb Erdman virulent strain and the course of infection was compared with that induced in wild-type (WT-B6) counterparts. Tuberculosis (TB) progression was examined in both groups using pathological, microbiological and immunological parameters. Following Mtb exposure, the bacterial load in lungs and spleens progressed comparably in the two groups for two weeks, after which IRF-8−/− mice developed a fatal acute TB whereas in WT-B6 the disease reached a chronic stage. In lungs of IRF-8−/−, uncontrolled growth of pulmonary granulomas and impaired development of LS were observed, associated with unbalanced homeostatic chemokines, progressive loss of infiltrating T lymphocytes and massive prevalence of neutrophils at late infection stages. Our data define IRF-8 as an essential factor for the maintenance of proper immune cell recruitment in granulomas and LS required to restrain Mtb infection. Moreover, IRF-8−/− mice, relying on a common human and mouse genetic mutation linked to susceptibility/severity of mycobacterial diseases, represent a valuable model of acute TB for comparative studies with chronically-infected congenic WT-B6 for dissecting protective and pathological immune reactions

    The bnt162b2 vaccine induces humoral and cellular immune memory to sars-cov-2 Wuhan strain and the Omicron variant in children 5 to 11 years of age

    SARS-CoV-2 mRNA vaccines prevent severe COVID-19 by generating immune memory, comprising specific antibodies and memory B and T cells. Although children are at low risk of severe COVID-19, the spreading of highly transmissible variants has led to an increase in COVID-19 cases and hospitalizations also in the youngest, but vaccine coverage remains low. Immunogenicity to mRNA vaccines has not been extensively studied in children 5 to 11 years old. In particular, cellular immunity to the wild-type strain (Wuhan) and the cross-reactive response to the Omicron variant of concern have not been investigated. We assessed the humoral and cellular immune response to the SARS-CoV-2 BNT162b2 vaccine in 27 healthy children. We demonstrated that vaccination induced a potent humoral and cellular immune response in all vaccinees. By using spike-specific memory B cells as a measurable imprint of a previous infection, we found that 50% of the children had signs of a past, undiagnosed infection before vaccination. Children with pre-existent immune memory generated significantly increased levels of specific antibodies, and memory T and B cells, directed against not only the wild type virus but also the omicron variant

    Evaluation of humoral and cellular response to four vaccines against COVID-19 in different age groups: A longitudinal study

    To date there has been limited head-to-head evaluation of immune responses to different types of COVID-19 vaccines. A real-world population-based longitudinal study was designed with the aim to define the magnitude and duration of immunity induced by each of four different COVID-19 vaccines available in Italy at the time of this study. Overall, 2497 individuals were enrolled at time of their first vaccination (T0). Vaccine-specific antibody responses induced over time by Comirnaty, Spikevax, Vaxzevria, Janssen Ad26.COV2.S and heterologous vaccination were compared up to six months after immunization. On a subset of Comirnaty vaccinees, serology data were correlated with the ability to neutralize a reference SARS-CoV-2 B strain, as well as Delta AY.4 and Omicron BA.1. The frequency of SARS-CoV-2-specific CD4+ T cells, CD8+ T cells, and memory B cells induced by the four different vaccines was assessed six months after the immunization. We found that mRNA vaccines are stronger inducers of anti-Spike IgG and B-memory cell responses. Humoral immune responses are lower in frail elderly subjects. Neutralization of the Delta AY.4 and Omicron BA.1 variants is severely impaired, especially in older individuals. Most vaccinees display a vaccine-specific T-cell memory six months after the vaccination. By describing the immunological response during the first phase of COVID-19 vaccination campaign in different cohorts and considering several aspects of the immunological response, this study allowed the collection of key information that could facilitate the implementation of effective prevention and control measures against SARS-CoV-2

    Methodology Based on Vector and Scalar Measurement of Traffic Channel Power Levels to Assess Maximum Exposure to Electromagnetic Radiation Generated by 5G NR Systems

    Maximum-Power Extrapolation (MPE) for mobile telecommunication sources follows an established paradigm based on the identification and measurement of a channel that acts as a power reference. Prior to the 5G era, the role of reference channel has been played by always-on broadcast signals since they had the great advantage of being always transmitted at the maximum power level allowed for a generic signal channel. However, the beamforming implemented by 5G sources obliges us to rethink this approach. In fact, with beamforming the 5G source can transmit data traffic streams through a beam characterized by a much higher gain than the broadcast one. This implies that the detected power for traffic beams could be much higher than the corresponding power of broadcast beams. In this paper, a novel approach for 5G MPE procedure is presented, where the direct measurement of the received power of a traffic beam is used to assess the maximum exposure generated by a 5G system. An innovative specific experimental setup is also proposed, with the use of a User Equipment (UE) with the aim of forcing the traffic beam toward the measurement positions. In this way, it is possible to directly measure the power of each Resource Element (RE) transmitted by the traffic beam. As opposed to other MPE proposals for 5G, the discussed technique does not require any correction of the measured data since it relies only on the traffic beam pointing toward the measurement position, simplifying the overall MPE procedure and thus reducing the uncertainty of the MPE estimated field strength

    Efficacy and safety of reparixin in patients with severe covid-19 Pneumonia. A phase 3, randomized, double-blind placebo-controlled study

    Introduction: Polymorphonuclear cell influx into the interstitial and bronchoalveolar spaces is a cardinal feature of severe coronavirus disease 2019 (COVID-19), principally mediated by interleukin-8 (IL-8). We sought to determine whether reparixin, a novel IL-8 pathway inhibitor, could reduce disease progression in patients hospitalized with severe COVID-19 pneumonia. Methods: In this Phase 3, randomized, double-blind, placebo-controlled, multicenter study, hospitalized adult patients with severe COVID-19 pneumonia were randomized 2:1 to receive oral reparixin 1200 mg three times daily or placebo for up to 21 days or until hospital discharge. The primary endpoint was the proportion of patients alive and free of respiratory failure at Day 28, with key secondary endpoints being the proportion of patients free of respiratory failure at Day 60, incidence of intensive care unit (ICU) admission by Day 28 and time to recovery by Day 28. Results: Of 279 patients randomized, 182 received at least one dose of reparixin and 88 received placebo. The proportion of patients alive and free of respiratory failure at Day 28 was similar in the two groups {83.5% versus 80.7%; odds ratio 1.63 [95% confidence interval (CI) 0.75, 3.51]; p = 0.216}. There were no statistically significant differences in the key secondary endpoints, but a numerically higher proportion of patients in the reparixin group were alive and free of respiratory failure at Day 60 (88.7% versus 84.6%; p = 0.195), fewer required ICU admissions by Day 28 (15.8% versus 21.7%; p = 0.168), and a higher proportion recovered by Day 28 compared with placebo (81.6% versus 74.9%; p = 0.167). Fewer patients experienced adverse events with reparixin than placebo (45.6% versus 54.5%), most mild or moderate intensity and not related to study treatment. 
    Conclusions: This trial did not meet the primary efficacy endpoints, yet reparixin showed a trend toward limiting disease progression as an add-on therapy in COVID-19 severe pneumonia and was well tolerated. Trial registration: ClinicalTrials.gov: NCT04878055, EudraCT: 2020-005919-51

    Finding, Characterizing and Tracking Domain Generation Algorithms from Passive DNS Monitoring

    A botnet is a network of compromised machines (bots) under the control of an entity (the botmaster), which uses them to perform illegal activities. Modern botnets rely on domain generation algorithms (DGAs) to build resilient command-and-control (C&C) infrastructures. Recently, researchers proposed approaches to recognize automatically-generated domains from domain name system (DNS) traffic to infiltrate into such C&C infrastructures and cause the masters to lose control of their bots. Unfortunately, such approaches require access to DNS sensors whose deployment poses practical issues that render their adoption problematic. Instead, we propose a novel way to combine publicly-available and privacy-preserving databases of historical DNS traffic together with linguistic-based models of the suspicious domains. From this, we find automatically-generated domain names, characterize the generation algorithms, isolate logical groups of domains that represent the respective botnets, and produce novel knowledge about the evolving behavior of each tracked botnet. We evaluated our approach on millions of real-world domains. Overall, it correctly flags 81.4 to 94.8% of the domains as being automatically generated. More important, it isolates families of domains that belong to different DGAs. We were also able to verify the validity of our findings against live botnets (e.g., Conficker.B)