Discovering new malicious domains using DNS and big data. Case study: Fast Flux domains. Dhia Mahjoub, OpenDNS, May 25th, 2013

Background. Attackers seek to keep their operations online at all times. The network, i.e. the hosting infrastructure, is crucial for spam, phishing, malware distribution and botnets.

Fast Flux. IP flux via DNS records: same query, different responses.
paypalz.com = 1.1.1.1, then 1.1.1.2, then 1.1.1.3
ad.malware.cn = 2.2.2.2, then 2.2.2.3, then 2.2.2.4
p2p.botnet.com = 3.3.3.3, then 3.3.3.4, then 3.3.3.5
Responses for a domain's IPs change very frequently; responses for the domain's NSs also change frequently; large number of resource records.
Double flux via DNS records (the name servers flux as well): same name server, different responses.
ns.botnet.com = 4.4.4.4, then 4.4.4.5, then 4.4.4.6
To take the operation down you must shut down or block all content servers and all name servers.

How to detect Fast Flux? Evidence collection: active probing (successive digs over time) is easy to implement, but adds latency to detection and is a chatty process; passive probing (passive DNS) has no latency and is more discreet, but you need to have a passive DNS database. Decision making: rule-set based detection (like an IDS), or machine learning.

Features

Machine Learning Solution. Algorithm: random forest classifier. Training data set: positive set = known fast flux domains (from the security community and our blacklist); negative set = known benign domains (Alexa top domains).

Training the Classifier. Extract domains from our BL where nb IPs >= 3 and that have been live for the past week. Filter and keep domains with TTL <= 90, or (nb IPs >= 3 and nb countries >= 2 and TTL <= 14400). Add fast flux domains published by the security community. Positive set: 2000+ FF domains with high accuracy. Negative set: 25000+ domains from the Alexa top 1 million.
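The per-domain features and the positive-set filter above, as an added example (not code from the OpenDNS deck). The input rows are a constructed stand-in for passive DNS / authoritative logs, one row per observed A record as (domain, ip, ttl_seconds, country); the country column stands in for a GeoIP lookup the deck does not detail, the "live for the past week" condition is not modelled, and the /16-prefix count is an extra feature of my own, not one the deck lists.

```python
"""Per-domain feature extraction and the deck's positive-set filter.

Added example, not code from the OpenDNS deck. The input rows are a
constructed stand-in for passive DNS / authoritative logs: one row per
observed A record, as (domain, ip, ttl_seconds, country).
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Constructed sample data (all domains, IPs and countries are made up).
SAMPLE_RECORDS = [
    ("paypalz.com", "1.1.1.1", 60, "US"),
    ("paypalz.com", "1.1.1.2", 60, "DE"),
    ("paypalz.com", "1.1.1.3", 60, "BR"),
    ("paypalz.com", "5.6.7.8", 60, "IN"),
    ("p2p.botnet.com", "3.3.3.3", 3600, "RU"),
    ("p2p.botnet.com", "3.3.3.4", 3600, "UA"),
    ("p2p.botnet.com", "3.3.3.5", 3600, "PL"),
    # A CDN-like host: several IPs and a low TTL, but one country and one /16.
    ("cdn.example.net", "10.0.0.1", 30, "US"),
    ("cdn.example.net", "10.0.0.2", 30, "US"),
    ("cdn.example.net", "10.0.0.3", 30, "US"),
    ("static.example.org", "203.0.113.5", 86400, "US"),
]
BLACKLIST = {"paypalz.com", "p2p.botnet.com"}   # constructed BL


@dataclass
class DomainFeatures:
    domain: str
    nb_ips: int          # distinct A records seen
    nb_countries: int    # distinct GeoIP countries of those IPs
    nb_prefixes: int     # distinct /16 networks (assumed extra feature)
    min_ttl: int         # lowest TTL seen


def extract_features(records):
    """Aggregate (domain, ip, ttl, country) rows into per-domain features."""
    ips, countries, ttls = defaultdict(set), defaultdict(set), defaultdict(list)
    for domain, ip, ttl, country in records:
        ips[domain].add(ip)
        countries[domain].add(country)
        ttls[domain].append(ttl)
    features = {}
    for d in ips:
        prefixes = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in ips[d]}
        features[d] = DomainFeatures(d, len(ips[d]), len(countries[d]),
                                     len(prefixes), min(ttls[d]))
    return features


def is_fast_flux_candidate(f):
    """The deck's filter: nb IPs >= 3 and (TTL <= 90 or
    (nb countries >= 2 and TTL <= 14400))."""
    if f.nb_ips < 3:
        return False
    return f.min_ttl <= 90 or (f.nb_countries >= 2 and f.min_ttl <= 14400)


def select_positive_set(features, blacklist):
    """Positive training set: the filter is applied to blacklisted domains
    only; on its own it would also pass low-TTL CDN hosts."""
    return sorted(d for d, f in features.items()
                  if d in blacklist and is_fast_flux_candidate(f))


if __name__ == "__main__":
    feats = extract_features(SAMPLE_RECORDS)
    for d, f in feats.items():
        print(f"{d:20} ips={f.nb_ips} countries={f.nb_countries} "
              f"/16s={f.nb_prefixes} min_ttl={f.min_ttl} "
              f"candidate={is_fast_flux_candidate(f)}")
    print("positive set:", select_positive_set(feats, BLACKLIST))
```

Note that cdn.example.net passes the TTL rule on its own (three IPs, TTL 30), which is why the deck applies the filter to already-blacklisted domains and leaves the general case to the classifier: low TTL plus many IPs is also what a CDN looks like, and the country and prefix spread is what separates the two.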

Performance on sample labeled data. Random forest accuracy 99% (233 FF and 600 benign; 829 of 833 classified correctly).

                    Predicted positive   Predicted negative
Actual positive     TP = 229             FN = 4
Actual negative     FP = 0               TN = 600

OpenDNS Network Map

DNS big data: query logs, auth logs.

Platform and tools used: Pig on a Hadoop cluster, raw logs on HDFS; scikit-learn (Python module for machine learning; integrates with matplotlib, numpy, scipy); Redis for in-memory lookup of domain features; Python, shell.

Daily FF detection workflow:
1. 9.5+ million unique valid domains/day (with TTL < 4 hours).
2. Obtain IPs, NSs, and IPs of NSs (with TTLs).
3. Build features (21 features).
4. Build the fast flux classifier model from the labeled data (BL + Alexa).
5. Run the classifier on the unlabeled, filtered daily data.
6. Filter out domains already in the BL and WL.
7. Build clusters of related domains, IPs, NSs.
8. Keep clusters of domains that were recently registered.
=> a few hundred new FF domains discovered daily.
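Steps 6 to 8 of that workflow, as an added example that is not OpenDNS code: drop known domains, cluster the classifier's hits by shared IPs and name servers, and keep the clusters that contain a recently registered domain. All domains, IPs, name servers and registration dates below are constructed, and the 30-day "recently registered" window is an assumption the deck does not state.

```python
"""Steps 6-8 of the daily workflow: drop known domains, cluster the
classifier's hits by shared IPs and name servers, keep the clusters that
contain a recently registered domain.

Added example, not OpenDNS code. All data below is constructed.
"""
from collections import defaultdict
from datetime import date

TODAY = date(2013, 5, 25)

# Constructed classifier output for one day.
FLAGGED = {"paypalz.com", "ad.malware.cn", "p2p.botnet.com",
           "news-spam.su", "old-seen.net", "stale-alone.org"}
BLACKLIST = {"old-seen.net"}
WHITELIST = set()

A_RECORDS = {                      # domain -> IPs (constructed)
    "paypalz.com": {"1.1.1.1", "1.1.1.2"},
    "ad.malware.cn": {"1.1.1.2", "2.2.2.3"},   # shares 1.1.1.2 with paypalz.com
    "p2p.botnet.com": {"3.3.3.3"},
    "news-spam.su": {"9.9.9.9"},
    "stale-alone.org": {"7.7.7.7"},
}
NS_RECORDS = {                     # domain -> name servers (constructed)
    "paypalz.com": {"ns1.funnyns.su"},
    "ad.malware.cn": {"ns2.funnyns.su"},
    "p2p.botnet.com": {"ns1.sl8.pl"},
    "news-spam.su": {"ns1.sl8.pl"},            # shares the NS with p2p.botnet.com
    "stale-alone.org": {"ns1.stale.org"},
}
CREATED = {                        # domain -> WHOIS creation date (constructed)
    "paypalz.com": date(2013, 5, 20),
    "ad.malware.cn": date(2012, 1, 3),
    "p2p.botnet.com": date(2011, 7, 7),
    "news-spam.su": date(2013, 5, 22),
    "stale-alone.org": date(2010, 2, 2),
}


class UnionFind:
    """Minimal disjoint-set structure over arbitrary hashable nodes."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster(domains, a_records, ns_records):
    """Connected components of the domain/IP/NS graph: domains are related
    when they share an IP or a name server, directly or transitively."""
    uf = UnionFind()
    for d in domains:
        uf.find(d)                                # register isolated domains too
        for ip in a_records.get(d, ()):
            uf.union(d, "ip:" + ip)
        for ns in ns_records.get(d, ()):
            uf.union(d, "ns:" + ns.lower())
    groups = defaultdict(set)
    for d in domains:
        groups[uf.find(d)].add(d)
    return [frozenset(g) for g in groups.values()]


def new_ff_domains(flagged, blacklist, whitelist, a_records, ns_records,
                   created, today=TODAY, max_age_days=30):
    """Return the flagged domains that survive steps 6-8."""
    candidates = flagged - blacklist - whitelist                 # step 6
    kept = set()
    for group in cluster(candidates, a_records, ns_records):     # step 7
        # step 8: keep the whole cluster if any member is recently registered
        if any(d in created and (today - created[d]).days <= max_age_days
               for d in group):
            kept |= group
    return kept


if __name__ == "__main__":
    found = new_ff_domains(FLAGGED, BLACKLIST, WHITELIST,
                           A_RECORDS, NS_RECORDS, CREATED)
    print(sorted(found))
```

Keeping the whole cluster rather than only the fresh domain is the point of step 8: ad.malware.cn is two years old, but it shares an IP with a five-day-old domain, which is the pattern of a flux network adding names to an existing pool. On real data the IP nodes should be restricted to addresses that are not shared hosting or large CDNs, or one shared IP will merge everything into a single cluster.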

Example day's numbers: daily log of 9,609,478 domains with IP and TTL; 435,837 domains have a resolving NS with TTL; 410,072 unique NSs with IP and TTL; 125,021 domains with all features; 1,320 discovered FF domains.

Main daily discoveries: work-from-home, fat-loss and fake-news spam domains; Russian dating domains; Canadian Pharmacy domains; Kelihos downloader domains used by the BH (Blackhole) and Red Kit exploit kits; various Trojan CnC domains.

Expand the FF discovered set:
1. Take the set of discovered FF domains.
2. Using SGraph (passive DNS), get all IPs that the FF domains resolve to.
3. Get all domains that resolve to those IPs.
4. Apply filtering heuristics.
=> Expand the graph of FF domains and IPs. More accurate with FF botnet IPs than with VPS IPs. Applies also to association by name server.
=> Flag new, fresh suspicious domains.

Use cases (SGraph demo): name server families ns[1-4].mydomainvps.pl, ns[1-4].speedyvps.su, ns[1-4].funnyns.su, ns[1-4].feva.pl, ns[1-4].kimd.pl, ns[1-4].sl8.pl; xixuungo.dota.fi (dynamic DNS combined with fast flux).

Use case: FF botnet size.
1. Take a daily sample of Kelihos domains (56 domains).
2. From SGraph (passive DNS), get all IPs they resolve to (4821 IPs, 1048 alive).
3. Get all domains that resolve to those IPs; extract only the 2LDs registered in 2013 (357 domains).
4. Get all IPs that these domains resolve to (52565 IPs).
=> Total final number of unique IPs is 52565, of which 12368 are alive (estimate of the size of the botnet).

FF botnet size (cont'd). Diagram of the expansion: Set-1 (domains): 56 Kelihos domains -> Set-2 (IPs): 4821 IPs, 1048 alive -> Set-3 (domains): 357 domains -> Set-4 (IPs): 52565 IPs, 12368 alive.
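The passive-DNS graph expansion behind both the "expand the FF discovered set" slide and the botnet-size estimate, as an added example that is not OpenDNS's SGraph code: seed domains, then their IPs, then the other domains seen on those IPs (keeping only 2LDs registered in the target year), then all IPs of those domains. The passive-DNS index, the registration years and the liveness set are constructed; in practice they come from the passive DNS database, WHOIS, and an active probe of each IP, none of which the deck details.

```python
"""Two-hop passive-DNS expansion: seeds -> IPs -> fresh 2LDs -> IPs.

Added example, not OpenDNS's SGraph. All data below is constructed.
"""
from collections import defaultdict

PDNS = {  # domain -> IPs it has resolved to (constructed)
    "a.kelihos1.com": {"10.1.1.1", "10.1.1.2"},
    "kelihos2.net": {"10.1.1.2", "10.2.2.2"},
    "www.fresh2013.org": {"10.1.1.1", "10.3.3.3"},
    "old.legit.com": {"10.2.2.2", "198.51.100.7"},   # shares an IP, but an old 2LD
    "cdn.shared.net": {"10.3.3.3", "203.0.113.9"},   # two hops out: not reached
    "unrelated.io": {"192.0.2.1"},
}
REGISTERED = {  # 2LD -> WHOIS creation year (constructed)
    "kelihos1.com": 2013, "kelihos2.net": 2013, "fresh2013.org": 2013,
    "legit.com": 2005, "shared.net": 2013, "unrelated.io": 2012,
}
ALIVE = {"10.1.1.1", "10.2.2.2", "10.3.3.3", "203.0.113.9"}  # probe result (constructed)


def two_ld(name):
    """Registrable domain as 'last two labels'. Fine for .com/.net/.org;
    a real pipeline would use the Public Suffix List for co.uk and friends."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])


def reverse_index(pdns):
    """ip -> set of domains that resolved to it."""
    rev = defaultdict(set)
    for domain, ips in pdns.items():
        for ip in ips:
            rev[ip].add(domain)
    return rev


def expand(seeds, pdns, registered, year, alive):
    """The deck's four sets: seed domains, their IPs, fresh 2LDs seen on
    those IPs, and every IP those 2LDs have resolved to."""
    rev = reverse_index(pdns)
    set1 = set(seeds)
    set2 = set().union(*(pdns.get(d, set()) for d in set1))      # IPs of the seeds
    set3 = {two_ld(d) for ip in set2 for d in rev[ip]
            if registered.get(two_ld(d)) == year}                 # fresh 2LDs on those IPs
    set4 = set().union(*(ips for d, ips in pdns.items()
                         if two_ld(d) in set3))                   # all IPs of those 2LDs
    return {
        "seed_domains": set1,
        "seed_ips": set2, "seed_ips_alive": set2 & alive,
        "related_2lds": set3,
        "all_ips": set4, "all_ips_alive": set4 & alive,
    }


if __name__ == "__main__":
    result = expand({"a.kelihos1.com", "kelihos2.net"}, PDNS, REGISTERED, 2013, ALIVE)
    for name, members in result.items():
        print(f"{name:15} {len(members):3}  {sorted(members)}")
```

The registration-year filter in the second hop is what keeps the walk from running into shared infrastructure: old.legit.com sits on one of the seed IPs but its 2LD dates from 2005 and is dropped, so its other address never enters the IP count. The walk also stops after two hops; cdn.shared.net shares an IP with a related 2LD but is never pulled in, and one more hop would have added a CDN address to the "botnet". That is the VPS caveat from the expansion slide in miniature.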

Use case: FF botnet IPs map

Thank you (Q & A)