Image from Fig 1 in “Detection and Threat Prioritization of Pivoting Attacks in Large Networks”

In this short blog, I share six papers that focus on detecting malicious lateral movement (a.k.a. pivoting, a.k.a. island hopping).

(Update 2021–06–06: Added 2 more recent lateral movement papers)


Lastly, if you’re interested in discovering more interesting papers like these, use the method I outlined here.


The “short links” format was inspired by O’Reilly’s Four Short Links series.

This was originally posted on my personal blog on 2021–05–30.

Image from paper: “Dictionary Extraction and Detection of Algorithmically Generated Domain Names in Passive DNS Traffic”, referenced below.

In this short blog, I share seven papers that focus on detecting Dictionary Domain Generation Algorithm (DGA) domains, A.K.A. Word-based DGAs. Dictionary DGAs are algorithms seen in various malware families (suppobox, matsnu, gozi, rovnix, etc.) that are used to periodically generate a large number of domain names that use pseudo-randomly concatenated words from a dictionary. These domains may appear legitimate at first glance and are often able to evade blacklisting as well as traditional DGA detections based on entropy or counts of consonants vs vowels. Below are a small sample of rovnix domains from Unit42’s blogpost.

  • kingwhichtotallyadminis[.]biz
  • thareplunjudiciary[.]net
  • townsunalienable[.]net
  • taxeslawsmockhigh[.]net

A short listing of cyber security data science research papers I’ve discovered recently. Each of them uses machine learning or enables ML (i.e. providing training data or enabling creation of training data) to solve various security use-cases, and many provide open source code as well.

In this post we explore a large collection of Sender Policy Framework (SPF) records to see what they might tell us about global email sending trust relationships and how they relate to email security providers. This is a fast follow-up to my previous post on Mining DNS MX Records for Fun and Profit.

Here is the methodology I devised for this (very similar to the previous post, but with new custom built tools):

  1. Collect a large sample of SPF records via DNS TXT lookups of popular domain names (and recursively resolving SPF “include” domains).
  2. Enrich SPF records with IP intelligence…

Attempting to use DNS MX records to map the global Email Security Provider landscape.

If you have read my blog before, you may realize that I really love DNS data and dns analytics. In this post, I share some experiences in using mostly DNS data for identifying the visible footprint of popular email security providers.

This may not be terribly novel, but it was an interesting exploration during a time of boredom for me. This work was initially motivated by two events:

  1. When the Proofpoint email protection machine learning vulnerability (CVE-2019–20634) was announced by Will Pearce and Nick Landers I got to wondering about how large their deployment footprint was and how one could…

In this post, I share my experience in building and maintaining large collections of benign IOCs (whitelists) for Threat Intelligence and Machine Learning Research.

Whitelisting is a useful concept in Threat Intelligence correlation since it can be very easy for benign observables to make their way into threat intelligence indicator feeds, esp. coming from open source providers or vendors that are not as careful as they should be. If these threat intelligence feeds are used for blocking (e.g. in firewalls or WAF devices) or alerting (e.g. log correlation in SIEM or IDS), the cost of benign entries making their way…

A short listing of resources useful for creating malware training sets for machine learning.

In leading academic and industry research on malware detection, it is common to use variations of the following techniques (based on Virustotal determinations) in order to build labeled training data.

  • “In this paper, we use a ‘1-/5+ criterion for labeling a given file as malicious or benign: if a file has one or fewer vendors reporting it as malicious, we label the file as ‘benign’”. See ALOHA: Auxiliary Loss Optimization for Hypothesis Augmentation for more details.
  • “We assign malicious/benign labels on a 5+/1- basis, i.e., documents…

A short listing of research papers I’ve read that analyze popular domain lists. These papers analyze Alexa, Quantcast, Cisco Umbrella, and Majestic top websites/domains.


The “short links” format was inspired by O’Reilly’s Four Short Links series.

Jason Trost

Interests: Network security, Digital Forensics, Machine Learning, Big Data. retweets are not endorsements.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store