Network Security Detection With Data Analytics (PREDATOR)

Transcription

1 CIS-601 Graduate Seminar Network Security Detection With Data Analytics (PREDATOR) PRESENTED BY :RAJAN SHARMA CSU ID: GUIDED BY : Dr. SUNNIE CHUNG

2 Overview Introduction Feature Extraction and Machine Learning Classifier Design Evaluation and Evasion Robustness Conclusion

3 Domain Name Server (DNS) Introduction DNS Abuse DNS Blacklist DNS Reputation PREDATOR

4 PREDATOR Proactive Recognition and Elimination Of Domain Abuse at Time-of- Registration A proactive reputation system that can accurately and automatically identify malicious DNS domains. Network Operator can Take appropriate action to save their network. Helps in Anomaly Detection, Security and Malware mitigation.

5 PREDATOR Abusive registration have distinguish property 1. Common name server, registrars, domain reuse. 2. Textual similar domain name

6 PREDATOR Identifying and encoding 22 features that help distinguish domain registration behaviors characteristics of abuse from legitimate registration behavior. Applying supervised learning algorithm and implement a prototype version of proactive time of registration Five months of logs of second level.com and.net registration

7 BACKGROUND The Registration process of second level domains involves 3 participants 1. Registrants 2. Registrars 3. Registries

8 Background Registrant applies online to registrars, which is an organization accredited by ICANN to contract with registries to sell domains. ICANN is Internet Corporation for Assigned Names and Numbers which is responsible for coordinating the maintenance and procedures of several databases related to the name space of the internet.

9 SPAMMER DOMAIN There are various characteristics of spammer and spammer domain 1. Domain registers occur in burst 2. Domain registered together are often at similar stages in the Domain life cycle. 3. Domain register together may be similar to one another.

10 OBSERVATIONS Domain registered in 5 minutes of intervals, Blacklisted domain are malicious and in interval between 10 to 11 there are highest numbers of registration. Spammers are Lazy.

11 OBSERVATIONS Five-minute epoch (EDT) Spammer domains Brand-new Retread All domain s The registration spikes during 10:15-10:30AM are retread 10:15 10:20AM :20 10:25AM :25 10:30AM The registration spikes during 12:35-1:15PM which means they are Brand new Spammers are Parasitic: Domain Reuse 12:35 12:40PM :10 1:15PM

12 OBSERVATIONS Domains (highlight common strings) Blacklist delay asklenderhome.com askhomelendersnow.com asklendershome.com askhomeslender.com askhomelender.com askhomelenders.com asklendertoday.com financilsart.com financilss.com financilsssky.com 122 days 92 days 51 days 32 days 24 days 12 days 6 days 5 days 71 days 19 days Spammers are unimaginative: Common Substring Registration batches contain repeated strings Repeated strings reflect campaign theme financilsspro.com 18 days financilspro.com 17 days financilssart.com 9 days financilssky.com 7 days strokecarebeat.com 65 days strokecaregreen.com 14 days strokesoft.com 11 days

13 RAW DATA Updates to.com and.net zones from VeriSign I. Includes registrars, registration history II. Doesn t include registrants and domain IP address Registrars would have more data available Much similar data available publicly like Domain Name, name server, Whois

14 PREDATOR ARCHITECTURE DNZA: Domain name zone alert this file contain changes to the zone like addition of new domain, removal of existing domain, Changes to associated name server.

15 FEATURE EXTRACTION Domain Profile Feature I. Data from the registration event like registrar, nameserver, character trigram etc II. Includes edit distance to know bad domains insertion: abcdef abchdef deletion: abchdef abcdef Substitution: abcdef abhdef Registration History I. Data from previous registration like previous registrar, re-registration latency etc. II. Separate use into drop-catch and retreated Batch Correlation I. Data from registrations in the same time interval like batch size rate and time of reuse

16 Domain profile Registration history Batch correlation FEATURE EXTRACTION Category Feature Type New? Registrar Categ. Authoritative nameservers Categ. IP addresses of nameservers Categ. ASes of nameserver IP addresses Categ. Daily hour of registration Categ. Week day of registration Categ. Ord. Length of registration period Trigrams in domain name Categ. [13, 20] [13, 20] Ratio of the longest English word Cont. [20] Containing digits Categ. 3 Containing Categ. 3 Name length Ord. 3 Edit distances to known-bad domains Cont. 3 Life cycle Dormancy period for re-registration Previous registrar Categ. Ord. Categ. 3 Re-registration from same registrar Categ. 3 Probability of batch size Brand-new proportion Drop-catch proportion Retread proportion Cont. Cont. Cont. Cont Name cohesiveness Cont. 3 [20] [20] [20]

17 Feature Vectorization Ordinal : Discrete values (integer) Continuous: real values Categorical: Unordered discreate value Where Ordinal and continuous value are normalized

18 CLASSIFIER DESIGN Supervised learning CPM Convex Polytope Machine combines multiple linear models Result in expressive non-linear surface Non linear decision boundary CPM maintain an ensemble of linear classifier Helps achieve higher detection rate in lower false positive value

19 EVALUATION AND ROBUSTNESS Data Set profile 5 month of data from.com and.net TLDS Label by spamhaus, URIBL and private spam trap

20 Experimental Design Evaluation Simulates passage of time

21 DETECTION PERFOMANCE False positive(%)

22 PERFOMANCE Dataset has 80,000 domains daily,1700 spams 70% detection yield 1190 spam domain daily 0.35% false positive yields 280 domain daily Detect 1000 unlabeled domain daily 74% of unlabeled domains show spam activity

23 DETECTION LATENCY

24 EVASION ROBUSTNESS

25 EVASION ROBUSTNESS

26 PREDATOR KEY RESULT We obtain70% coverage at 0.35% false Positive rate. Robustness against adversarial evasion.

27 CONCLUSION PREDATOR can accurately establish domain reputation at the time of domain registration, before domains ever see use in attacks. Our results show that PREDATOR can provide more accurate and earlier detection compared to existing blacklists, and significantly reduce the number of suspicious domains requiring more resource-intensive or time-consuming inspection.