VERISIGN LABS: PROJECTS

At Verisign Labs, research is not just for the sake of exploration, but to develop technologies that will play a significant role in the evolution of the Internet. Our research spans a wide range of technical disciplines and touches all of Verisign’s businesses.

User Centric Dependency Analysis in Programs for Identifying Malicious Mobile Apps

Verisign is supporting Virginia Tech in developing an efficient approach to identify malware on Android devices.

With the ever-increasing usage of mobile devices, malware authors have a new target. According to the Anti-Phishing Working Group’s Trends Report, "…many of us use our mobile phones to check our bank account balances… [APWG] saw malware authors seeking to exploit this in 2011, and it could turn out to be an increasingly attractive attack vector in 2012…"

In this work, the researchers address the important problem of malware classification, that is, given an unknown program, how to determine whether or not it is malicious software. The novelty of the work is that the researchers take the approach of anomaly detection, as opposed to the conventional methods of identifying malware characteristics.

Early Identification of Spam Campaigns with DNS Lookup Analysis

Verisign is collaborating with Georgia Tech to study how sudden changes in the domain name lookup patterns for various DNS mail exchange records may help identify spammers early in the lifecycle of a spam campaign.

Network operators have a strong interest in identifying spam behaviour early in a spam campaign, before a spammer can send large volumes of spam. Unfortunately, spammers tend to exhibit agility, that is, they change how they send spam, where they send it from, and where they host the sites they would like victims to visit, which may make it more difficult to maintain an up-to-date, accurate characterisation of the entities engaging in spam behaviour at any given time. The research analyses the dynamics of DNS lookups to identify spam campaigns early.

DNS-based Authentication of Named Entities (DANE)

DANE is a new approach, being standardised in the Internet Engineering Task Force (IETF), in which certificate credentials are published in and verified through DNSSEC-signed zones rather than through the certificate authority (CA) model used today.

Our DANE work is aimed at understanding the extent of the “attack surface” for certificates when presented via a web browser, versus being published in DNS using the new DANE protocol.

Bitsquatting: Observations on Checksum Errors in DNS Queries

Artem Dinaburg introduced the concept of "bitsquatting" (a neologism based on "typosquatting") in which domain names become changed due to errors in memory, storage, or data transmission.

In this paper, we examine DNS queries received at authoritative servers run by Verisign to look for evidence of bit-level errors.

Social Identity Management

Verisign is supporting research at Purdue University to identify online human behaviour trends related to online identity management within social groups across social networking sites.

These efforts are focused on identifying current online behaviour trends that work around the limitations of existing technologies in order to predict future trends for social networking technologies.

Naming in the Future Internet

We are supporting research at Carnegie Mellon University to advance the naming architecture with greater security, more explicit trust relationships between stakeholders, and naming support for mobile users and network services.

Researchers are assessing different naming architectures, ways to separate naming-address translation from trust, support for mobile users and services, and protection against related black hole or man-in-the-middle attacks.

Exploring Applications of Phonetic Edit Distance

Verisign is sponsoring research at the University of North Carolina on automated data analysis and generation techniques that use distance metrics to represent the similarity between two values or objects.

Detecting Threats via the Social Behaviour of Hackers

In collaboration with researchers at Purdue University, we are investigating extensions to the current state-of-the-art intrusion detection systems by utilising publicly available social behaviour information of hackers.

The researchers will study how social platforms can be leveraged to identify trends/outbreaks in security of deployed systems. They will utilise collective intelligence retrieval and activated knowledge-based decision making to create a system for proactive threat detection that relies on the social nature of hackers to help mitigate outbreaks before they reach end users. Rather than providing insights into merely integrating various ideas, this work intends to open a new general direction for understanding threats and adding a social element to the present day state-of-the-art intrusion detection systems.

User Preferences in Domain Names

As the global registry operator for .com and .net, we are funding research at Purdue University to better understand users' preferences in choosing domain names.

The researchers will apply behavioural economic techniques to machine learning. Through the understanding of relevance, uniqueness and similarity in context in decisions about domain names, the research will help us build a cognitive map and quantitative representations of users' preferences and enhance our ability to analyse factors that influence consumer online purchasing behaviour.

Resolver Behaviour Study

This study examines the behaviour of current DNS resolver implementations including various versions of BIND, Unbound, PowerDNS, djbdns and Microsoft Windows 2008.

In particular, we studied how recursive name servers choose among multiple authoritative servers for a given zone, and their retransmission algorithms when under duress (i.e. packet loss and delay). We also simulated different network conditions to see how different latencies affect the resolver's server selection algorithm, and imposed simulated packet loss to understand the resolver's retransmit and backoff algorithms. These results may help inform decisions about the right mix of anycast and unicast nameservers.

Global Malware Identification and Analysis

We are sponsoring research at Georgia Tech to identify new and advanced techniques to acquire and analyse actionable intelligence about malware.

This research targets the challenges that malware obfuscation tools and malware’s dependence on network access present to collecting useful information about malware. The researchers at Georgia Tech Information Security Center (GTISC) have developed a horizontally scalable, automated malware analysis system that leverages isolation, hardware virtualisation and network analysis to better extract information about malware.

Monitoring BGP and DNS Agility

Verisign is supporting research at Georgia Tech to develop a large-scale Internet monitoring system.

It will provide a more sophisticated understanding of the role of the Internet’s infrastructure in facilitating botnet activity such as spam, scam hosting and denial-of-service attacks. Bots have exploited Internet protocols such as the Border Gateway Protocol (BGP) and the Domain Name System (DNS) to move from one portion of the Internet to another. This monitoring infrastructure will identify the key components of the underlying infrastructure that enable this movement, specifically the autonomous systems that facilitate BGP agility and the name servers and registrars that facilitate DNS agility. As a result, this system may provide cutting-edge intelligence for reputation systems covering both DNS hosting infrastructure and autonomous systems.

Speeding up the HTTPS Handshake Using DNS

As the Internet continues to evolve, the SSL/TLS protocol is playing an increasingly important role in creating private and authenticated end-to-end connections and in preventing "helpful" proxies from tampering with traffic.

All indications suggest that the use of SSL/TLS will grow considerably in the coming years. SSL/TLS is currently designed as a two-party protocol between a browser and a web server.

We are working with Stanford University on this project to investigate the possibility of adapting SSL/TLS into a three-party protocol in which the third party is a DNS server (preferably a DNSSEC-validating one). Currently, the DNS server is used only to resolve the web server's IP address and plays no further role in setting up a secure session with that server. The main goal of this project is to show that by extending SSL/TLS to include DNS as a third party, the protocol can be made more efficient and, in some cases, more secure.

Asymmetrical Multiprocessor (AMP) Software Systems

Current commodity hardware designs feature numerous cores running at lower clock frequencies.

The existing ecosystem of tools for unlocking the performance potential of such hardware leaves gaps. Software environments that close those gaps and exploit the full breadth and depth of the hardware need to be created. This project investigates the AMP design alternative as a means of obtaining the highest possible performance from the hardware.

DNSSEC Debugger

The DNSSEC Debugger is a Web-based tool for ensuring that the "chain of trust" is intact for a particular DNSSEC enabled domain name.

The tool shows a step-by-step validation of a given domain name and highlights any problems found.

To use the tool, visit http://dnssec-debugger.verisignlabs.com and enter a domain name to be tested. The tool begins with a query to a root nameserver, then follows the referrals down to the authoritative nameserver, validating DNSSEC keys and signatures as it goes. Each step in the process is given a good (green), warning (yellow) or error (red) status. Move your mouse over the warning and error icons to view a longer explanation. Press the plus (+) and minus (-) keys to increase or decrease the level of debugging detail; at the highest level you can see the full, raw DNS messages for almost all of the queries.

Here is some sample output from the tool for the whitehouse.gov domain:

[Image: DNSSEC Debugger output for whitehouse.gov; screenshot not reproduced here]
Measuring the IPv4 to IPv6 Transition

We are working with researchers at the University of Michigan to gain insight into the Internet’s ongoing transition from IPv4 to IPv6.

We estimate that IANA will allocate the last /8s within the next year and that the first RIR will exhaust all of its IPv4 space shortly thereafter. As a result, we hypothesise that the scarcity of IPv4 addresses resulting from this so-called "IPv4 exhaustion" will have profound effects on several desirable properties of the Internet, including, but not limited to: support for heterogeneity and openness, security, scalability, reliability, availability, concurrency and transparency. To understand the impact of scarcity on these properties, we plan to study the techniques and methodologies by which addresses are allocated and how these resources are subsequently used. While no fully formed scarcity models for IPv4 addresses exist, we conclude that several interesting phenomena warrant study: the rate of transition to IPv6, increased use of NAT, finer-grained routing, deallocation and block reclamation, and market-based address allocation. For the sake of tractability, this proposal focuses on measuring the transition from IPv4 to the IPv6 address space. We are specifically concerned with questions that shed light on adoption rates and eventual usage patterns in IPv6. While interesting from a modelling and characterisation perspective, we also believe this work has significant impact on operations, helping to uncover inconsistencies during the transition as well as supporting capacity planning and optimisation.

Robustness of DNS Infrastructure

In collaboration with researchers at UCLA, we aim to understand the resiliency of DNS service as a whole by measuring the inter-dependency of different zones.

Such inter-dependency can be introduced by large numbers of authoritative DNS servers being placed at the same location (e.g. either in the same geographic area or in the same ISP network), or more commonly by the increased trend of DNS server outsourcing which has led to the concentration of DNS services of a large number of zones on a few DNS service providers. Consequently, a single failure can potentially bring down the DNS servers for a large number of domains.

Characterising Malicious Domains

Is it possible to develop blacklisting techniques for domain names used for malicious activities based on DNS query patterns?

We examine domain names known to be used for phishing attacks, spam and malware-related activities to determine whether they can be identified from their DNS query patterns. To date, we have found that malicious domain names tend to exhibit more variance in the networks that look them up, and that these domains become popular faster after their initial registration. We also noted that miscreant domains exhibit distinct clusters in the networks that look them up. The distinct spatial and temporal characteristics of these domains, and their tendency to exhibit similar lookup behaviour, suggest that it may be possible to develop more effective and timely blacklisting techniques based on these differing lookup patterns.

DNSSEC Interoperability Lab

Verisign Labs has established a DNSSEC Interoperability Lab in Dulles, VA to test compatibility of IT solutions with our implementation of DNSSEC for the .com and .net TLDs.

DNSSEC adds new security features to the DNS protocol that prevent attacks such as cache poisoning. Since DNSSEC packets are different in size and structure from traditional DNS packets, some IT infrastructure components like routers and firewalls may not handle DNSSEC requests and responses correctly, causing failures in the Internet infrastructure and in enterprise computing environments.

The Interoperability Lab consists of a standalone environment with a suite of over 8,000 test cases for a wide range of possible failures. The Interoperability Lab is a free service that Verisign Labs offers to the community for testing a wide range of IT solutions. If you would like more information please contact us at dnssec@verisign.com.

DNS Server Affinity

A tool for visualising the traffic patterns between DNS clients and servers, including sample data from the Root name servers.

The DNS client/server affinity visualisation tool sheds new light on the complexities of DNS traffic. Within this OpenGL-based application, DNS clients are represented as dots of varying size and colour. Servers are placed in three-dimensional space. Each time a client sends a DNS query to a particular server, it moves a little bit closer to that server. The size and colour of a client is determined by its query rate.

The visualisation is useful for understanding how clients behave when choosing among multiple authoritative nameservers, such as the 13 root nameservers. Many clients do not exhibit strong affinity and will not wander close to any particular server. Some clients, on the other hand, are clearly seen favouring a particular server.

The tool is equally useful for visualising the behaviour of BGP routing within an anycast cluster. The sample data for A-root on 9 February 2010 shows how clients migrate from one anycast node to another as routes are withdrawn and replaced over time.

The source code for the visualisation tool is located on the Verisign Labs Subversion server, which can be accessed via a Web browser or a Subversion client.

Encryption on Intel Westmere

The 45 nm to 32 nm die shrink of the Intel Xeon product line (“Westmere”) introduces the AES-NI SIMD-class instructions, which can be used to greatly accelerate cryptographic operations.

The AES-NI “combinatorial logic” replaces the software-based table lookups of the FIPS 197 AES symmetric encryption standard. This project builds upon the AESENC, AESENCLAST, AESDEC, AESDECLAST, CLMUL, AESIMC and AESKEYGENASSIST instructions to perform the 10 (128-bit key), 12 (192-bit key) and 14 (256-bit key) rounds. The project continues to verify the durability of the side-channel attack protection and the ability to use these building blocks to accelerate Elliptic, ECHO, SHAvite-3, etc. Additional design points include, but are not limited to, using pipelined combinatorial logic operations for other applications, full disk encryption, and interoperability with other projects such as OpenSSL. If AES-NI delivers durable cryptographic performance within the network stall cycle of the computer, how can and should this change the consumer Internet experience? Can these instructions replace expensive cryptographic co-processor cards? This research will be repeated upon the introduction of the Intel “Sandy Bridge” AVX CPU to evaluate the new hardware features it implements.

GPU Computing

Significant advances in GPU (Graphics Processing Unit) technology may be leveraged by Verisign to enhance our services.

Although the newly introduced devices share the same name as their legacy counterparts, the number of threads and the interconnected hardware structures have vastly improved, along with the introduction of integer capability. What are the integer and floating-point characteristics of the new units? Can they be introduced into highly available architectures? Can a client/server-like computing model be successfully re-implemented using a GPU on a server? What are the characteristics of programming in OpenCL versus CUDA?
