PhD Defence by Martin Fejrskov Andersen


04.07.2022, 13.00 - 16.00


Detecting malware and cyber attacks using ISP data

Internet Service Providers can access their subscribers' IP traffic and various other data, such as information about the device type used, the approximate geographical location of a subscriber, and contact information for the subscriber. This data seems attractive to use for a number of use cases, such as malware and cyber-attack detection. However, as the data can also be used for much less honorable purposes, ISP data is subject to strict regulatory requirements in the European Union. In a collection of papers, this thesis expands the current state of the art by describing which data is technically and legally available to ISPs in the European Union and how the regulatory requirements on anonymization can be implemented, and by presenting a number of novel use cases for anonymized NetFlow and DNS data. Specifically, the thesis explores the impact of applying DNS-based blacklists at an ISP scale, estimates the prevalence of and reason for the use of 3rd party DNS resolvers, and describes a novel method to determine whether a 3rd party DNS resolver is malicious. Also, a botnet Command and Control scheme that uses format-preserving encryption of IP addresses to provide an alternative to existing Fast Flux techniques is proposed. The overall conclusion of the thesis is that the anonymization requirements reduce the applicability of using ISP data for cyber security purposes significantly, although such data can be valuable when more specific use cases that are primarily applicable in an ISP context are considered. While this conclusion is positive from a privacy point of view, it can still be debated whether the legislation provides the right balance between privacy and cyber security.

Assessment Committee
Professor Hans-Peter Schwefel, Aalborg University, Denmark (chairman)
Associate Professor Joao Gondim, University of Brasilia, Brazil
Professor Albert Cabellos, Universitat Politècnica de Catalunya, Spain

Professor Jens Myrup Pedersen, Aalborg University, Denmark

Per Olsen, Chief Security Officer, Telenor
Associate Professor Emmanouil Vasilomanolakis, Technical University of Denmark

Associate Professor Tatiana Kozlova Madsen, Aalborg University, Denmark

How to participate
The PhD defence will be carried out in hybrid format, meaning you can join on location or online.

Online via this link: Microsoft TEAMS
Video ID: 128 246 513 3

After the defence there will be a reception outside the auditorium.


Free of charge


Communication, Media and Information Technologies, Department of Electronic Systems


Aalborg University, Niels Jernes Vej 14, Auditorium 4-111