1 domain flux based dga botnet detection using
play

1 Domain Flux-based DGA Botnet Detection Using Feedforward Neural - PowerPoint PPT Presentation

Mar 19, 2023 •390 likes •733 views

1 Domain Flux-based DGA Botnet Detection Using Feedforward Neural Network Md. Ishtiaq Ashiq Khan, Protick Bhowmick, Md. Shohrab Hossain, and Husnu S. Narman 2 Outlines Motivation Problem Contribution Results Conclusions 3

  1. 1

  2. Domain Flux-based DGA Botnet Detection Using Feedforward Neural Network Md. Ishtiaq Ashiq Khan, Protick Bhowmick, Md. Shohrab Hossain, and Husnu S. Narman 2

  3. Outlines • Motivation • Problem • Contribution • Results • Conclusions 3

  4. Identifying Jargons Domain Flux -based DGA Botnet Detection Through Feedforward Neural Network • BOTNET • DOMAIN FLUX • DGA • FEEDFORWARD NEURAL NETWORK 4

  5. Motivation • Military communication involves the transmission of heavily secured information. • Even a minor infiltration of military network can be catastrophic. • One way of invading into this network is botnet. 5

  6. Problem • Botnets Detections • Domain fluxing method, in which botmaster constantly changes the domain name of the Command and Control (C&C) server very frequently. • These domains are produced using an algorithm called Domain Generation Algorithm (DGA). • Domain flux-based botnets are stealthier and consequently much harder to detect due to its flexibility. 6

  7. Some Solutions and Limitations • Not well-formed and pronounceable domain names • Identify differences between human-generated domains and DGAs • Detecting malicious domain names by comparing its semantic similarity with known malicious domain names • Domain length which could be different from domain name • Fail: Random meaningful word phrases • Fail: DGA domains showing a bit of regularity 7

  8. Contributions • Developed a heuristic for evaluation and detection of botnets inspecting the several attributes in a very simple and efficient way • Compared our proposed system with the existing ones with respect to accuracy, F1 score, and ROC curve 8

  9. Proposed Features • Length • Vowel-consonant ratio • Four-gram Score • Meaning Score • Frequency Score • Correlation Score • Markov Score • Regularity Score 9

  10. Length & Vowel -consonant ratio Domain Name Length Vowel-consonant Comment ratio aliexpress 10 0.667 Normal xxtrlasffbon 12 0.2 Abnormally low ratio aliismynameexpress 19 0.55 Abnormal length 10

  11. Four-gram Score Domain Name No. of four-grams without a vowel Comment google 0 Normal xxtrlasffbon 3 (xxtr, xtrl, sffb) Abnormal but detectable by v-c ratio (0.2) bbxtklaoeo 3 (bbxt, bxtk, xtkl) Abnormal and not detectable by v-c ratio (0.667) 11

  12. Regularity Score • The regularity score takes into account the syntactic dissimilarity with actual words by using Edit distance. • Edit distance takes two words as function parameters and returns the minimum number of deletions, insertions, or replacements to transform one word into another. 12

  13. Regularity Score: Example • Let’s build a “trie” from two words “coco” and “coke” • Let’s say, our threshold is 1. • c o c o k e • Let the domain names be “coca” and “caket” • For “coca”, similarity score will be 1 -> (threshold is 1, coco) • For “caket”, similarity score will be 0 -> (threshold is 1, N/A ) So, Regularity Score of caket > coca So, DGA probability (caket > coca) 13

  14. Markov Score • A big text file was chosen to build the Markov model. • Every transition between adjacent letters were taken into account to calculate the transition probability. • A 2-D array was used to store the transition frequencies, and afterwards the values were normalized to find the transition probabilities. • In training phase, for every 2-grams within a domain name, the sum of the transition probabilities were calculated to generate the score. 14

  15. Markov Score: Example • Let’s say the training text consists of a single word “begone” and the test set is “banet” and “nebet” • So, the transition matrix will be: t[b][e] = 1, t[e][g] = 1, t[g][o] = 1, t[o][n] = 1, t[n][e] = 1 • For “banet”, t[b][a] + t[a][n] + t[n][e] + t[e][t] = 0 + 0 + 1 + 0 = 1 • For “nebet”, t[n][e] + t[e][b] + t[b][e] + t[e][t] = 1 + 0 + 1 + 0 = 2 So, Markov Score of nebet > banet So, DGA probability (banet > nebet) 15

  16. Meaning Score • Basis: • Real world domain names tend to include meaningful words or phrases. • Methodology: • Meaningful segments extracted from a domain name • Normalized with respect to length 16

  17. Meaning Score: Example peerscale ononblip 1. Meaningful substrings (peer, 1. Meaningful substrings (blip) scale) 2. Only 1 of length 4 2. Two of length 4 & 5 Overall, Meaning Score of ononblip < peerscale So, DGA probability (ononblip > peerscale) 17

  18. Frequency Score • Depends on the relative use of the word over the internet • Steps: 1. Substrings of length greater than three extracted from the domain names in the training set 2. Relative frequency of the substrings determined from Google Books N-gram dataset 3. Score generated from the relative frequency of the substrings scaled exponentially by the length of substrings 18

  19. Frequency Score: Example peerscale ononblip 1. Extracting substring of length 1. Extracting substring of length greater than three (ersc, eers, greater than three (onon, blip, peer, scale etc.) nbli, nonb etc.) 2. Sorted according to frequency 2. Sorted according to frequency score (ersc < eers < peer < score (nbli < nonb < onon < blip) scale) Overall, Frequency Score of ononblip << peerscale So, DGA probability (ononblip > peerscale) 19

  20. Correlation Score • Depends on whether the word segments in the domain have a contextual similarity • Steps: 1. Extract lines from the reference text file 2. Update correlation map for every pair of words within a sentence 3. Extract substrings from the domain names in the training set 4. Check the incidence of the substrings appearing together from our correlation map 5. Generate correlation score based on substring length and prevalence 20

  21. Correlation Score: Example • Let’s say the reference text consists of a single line “I hate menial work” and the domains in question are “workhaters” and “clustolous” • So, the correlation map will be: c[I][hate] = 1, c[I][menial] = 1, c[I][work] = 1, c[hate][menial] = 1, c[hate][work] = 1, c[menial][work] = 1 • For “workhaters”, correlation score is 1 • For “clustolous”, correlation score is 0. So, Correlation Score of workhaters > clustolous So, DGA probability (clustolous > workhaters) 21

  22. Results • Experiment • Dataset • Used performance metric • Accuracy • F1 Score • ROC (Receiver operating characteristic) Curve and AUC (Area Under the ROC curve) • Results 22

  23. Dataset • We collected our data set from the research work of F . Yu. et al. • Three folders • hmm_dga : domains generated using Hidden Markov model • pcfg_dga: domains generated using Probabilistic Context Free Grammar • other: some real world known botnet domains 23

  24. Performance Metric If AUC score is greater than 0.9, we call it excellent . If it falls within the range 0.80-0.9, it is good . Within 0.70-0.80 is moderate and anything less than 0.70 is termed as poor . 24

  25. Our Results • Our baseline approach is the method proposed by S. Yadav et. Al. • They proposed three metrics to determine DGA domain • KL (Kullback-Leibler) distance • Jaccard Index • Edit Distance 25

  26. Our Results: Graphical Comparison For ‘hmm_dga’ folder 26

  27. Our Results: Graphical Comparison For ‘other’ folder 27

  28. Our Results: Graphical Comparison For ‘pcfg_dga’ folder 28

  29. Our Results: Quantitative Comparison Well detecting HMM- Well detecting HMM- based and real based and real IP domains. domains. Not better than KL or JI for pronounceable words 29

  30. Our Result: Confidence Interval Bar Graph The confidence interval suggests that variation of result in our system are not be as much as the other two methods. 30

  31. Our Result: Key Findings • For files containing numbers, our approach seems to be better than the reference. • For files containing domains from real life botnets, our approach produced much better result. • For files with pronounceable domains, results of baseline approach is slightly better than ours. 31

  32. Conclusion • Our system considers the problem from two aspects - syntactically and semantically. • The result is exceptionally well on DGAs that use pseudo random number generator. • Frequency Score and Meaning Score are good classifiers for DGAs that use pronounceable domain names. • When related phrases and words appear within the domain names, value of correlation score is a good classifier. 32

  33. FUTURE WORKS • Incorporate more semantic features in future 33

  34. Thank You Questions Husnu Narman narman@marshall.edu https://hsnarman.github.io/ 34

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Anomaly-based Bot Server (and more!) Detection Jim Binkley jrb@cs.pdx.edu Portland State

Anomaly-based Bot Server (and more!) Detection Jim Binkley jrb@cs.pdx.edu Portland State

Anomaly-based Bot Server (and more!) Detection Jim Binkley jrb@cs.pdx.edu Portland State University Computer Science outline background experimental flow tuples botnet server mesh detection botnet client mesh detection

364 views • 23 slides
Transfer Learning Approach for Botnet Detection based on Recurrent Variational Autoencoder

Transfer Learning Approach for Botnet Detection based on Recurrent Variational Autoencoder

Transfer Learning Approach for Botnet Detection based on Recurrent Variational Autoencoder Jeeyung Kim Scientific Data Management Research Group Computational Research Division Lawrence Berkeley National Laboratory 2020 SNTA, 06/02/2020 J.

423 views • 21 slides
Flux Box Flux Box A concept by Flux Laboratory Flux box : concept Flux box : concept What is Flux

Flux Box Flux Box A concept by Flux Laboratory Flux box : concept Flux box : concept What is Flux

Flux Box Flux Box A concept by Flux Laboratory Flux box : concept Flux box : concept What is Flux Laboratory? ! ! The Flux Box holds the archives of many years of Flux creations and Flux Laboratory is a pluridisciplinary space, based in both

262 views • 11 slides
Botnet Detection and Response The Network is the Infection David Dagon dagon@cc.gatech.edu

Botnet Detection and Response The Network is the Infection David Dagon dagon@cc.gatech.edu

Motivation/Overview Taxonomy Detection Response Botnet Detection and Response The Network is the Infection David Dagon dagon@cc.gatech.edu Georgia Institute of Technology College of Computing OARC Workshop, 2005 David Dagon Botnet

675 views • 45 slides
Detection of a gamma-ray halo around Geminga and implications for the e+ flux Based on M. Di

Detection of a gamma-ray halo around Geminga and implications for the e+ flux Based on M. Di

Detection of a gamma-ray halo around Geminga and implications for the e+ flux Based on M. Di Mauro, S. Manconi, F . Donato arXiv:1903.05647, subm. PRD and arXiv:1908.03216 Fiorenza Donato Torino University and INFN TAUP 2019 - Toyama,

387 views • 15 slides
Challenges in Experimenting with Botnet Detection Systems Adam J. Aviv Andreas Haeberlen

Challenges in Experimenting with Botnet Detection Systems Adam J. Aviv Andreas Haeberlen

Challenges in Experimenting with Botnet Detection Systems Adam J. Aviv Andreas Haeberlen University of Pennsylvania August 8th, 2011 CSET-2011 1 Alice has developed a new botnet detector!!! What should the evaluation show? Alice's

767 views • 42 slides
MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet

MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet

MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet A Botnet is a software that is designed to perform simple automated and usually cyclical operations. Botnet management is performed remotely

507 views • 24 slides
BotGraph: Large Scale Spamming Botnet Detection Web-account abuse attack recent spamming technic

BotGraph: Large Scale Spamming Botnet Detection Web-account abuse attack recent spamming technic

BotGraph: Large Scale Spamming Botnet Detection Web-account abuse attack recent spamming technic New different approche for sending spam Basing on reputation of email providers Difficult to detect signup detection monitoring users' activity

157 views • 15 slides
Botnet Detection through Analyzing Network Traffic using Statistical Signal Processing Methods

Botnet Detection through Analyzing Network Traffic using Statistical Signal Processing Methods

Botnet Detection through Analyzing Network Traffic using Statistical Signal Processing Methods Basil AsSadhan Department of Electrical Engineering &amp; Center of Excellence in Information Assurance King Saud University April 13-14, 2014

609 views • 39 slides
Botnet Detection with DNS Monitoring Seminar Future Internet 2014 Christopher Will Advisor:

Botnet Detection with DNS Monitoring Seminar Future Internet 2014 Christopher Will Advisor:

Lehrstuhl Netzarchitekturen und Netzdienste Institut fr Informatik Technische Universitt Mnchen Botnet Detection with DNS Monitoring Seminar Future Internet 2014 Christopher Will Advisor: Oliver Gasser Introduction - Botnets Great

748 views • 17 slides
Peer-to-Peer Botnet Detection Using NetFlow Connor Dillon System and Network Engineering

Peer-to-Peer Botnet Detection Using NetFlow Connor Dillon System and Network Engineering

Peer-to-Peer Botnet Detection Using NetFlow Connor Dillon System and Network Engineering University of Amsterdam Master thesis presentation, July 3 rd 2014 Supervisor: Pepijn Janssen RedSocks Botnets Large group of infected computers,

610 views • 23 slides
What is a flux? Phil Roe The Things We Does Know Finite Volume methods (and others) (are based

What is a flux? Phil Roe The Things We Does Know Finite Volume methods (and others) (are based

What is a flux? Phil Roe The Things We Does Know Finite Volume methods (and others) (are based on ensuring conservation by computing the flux through the surfaces of a polyhedral box. Either the normal component of the flux is evaluated at the

592 views • 14 slides
Content A Polyreference Least Square Complex Frequency Introduction domain based statistical

Content A Polyreference Least Square Complex Frequency Introduction domain based statistical

Content A Polyreference Least Square Complex Frequency Introduction domain based statistical test for damage detection Frequency domain modal analysis Gilles Canales, Laurent Mevel, Mich` ele Basseville Scalar frequency domain local test for

189 views • 3 slides
Fast Frame-Based Scene Change Detection in the Compressed Domain for MPEG-4 Video Jens Brandt,

Fast Frame-Based Scene Change Detection in the Compressed Domain for MPEG-4 Video Jens Brandt,

Fast Frame-Based Scene Change Detection in the Compressed Domain for MPEG-4 Video Jens Brandt, Jens Trotzky, Lars Wolf IBR Technische Universit at Braunschweig Germany Future Multimedia Networking - FMN08 2008 September 17-18 Cardiff

309 views • 20 slides
Domain adaptation model for retinopathy detection from cross-domain OCT images Jing Wang 1;2 ,

Domain adaptation model for retinopathy detection from cross-domain OCT images Jing Wang 1;2 ,

Domain adaptation model for retinopathy detection from cross-domain OCT images Jing Wang 1;2 , Yiwei Chen 2 , Wanyue Li1; 2 , Wen Kong 1;2 , Yi He 2 , Chuihui Jiang *3 , Guohua Shi *2;4 1 University of Science and technology of China, Hefei 230026,

348 views • 9 slides
Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse) Detection Intrusion Detection Host-based Network-based Boriana Ditcheva and Lisa Fowler Active/Passive University of North Carolina at

401 views • 12 slides
Our Responsibility to Defeat Mass Surveillance Erik Drnenburg Martin Fowler

Our Responsibility to Defeat Mass Surveillance Erik Drnenburg Martin Fowler

Our Responsibility to Defeat Mass Surveillance Erik Drnenburg Martin Fowler http://erik.doernenburg.com http://martinfowler.com @erikdoe @martinfowler http://thoughtworks.com/de http://thoughtworks.com There was of course no way of

674 views • 33 slides
Hidden Markov Models Based on Foundations of Statistical NLP by C. Manning &amp; H.

Hidden Markov Models Based on Foundations of Statistical NLP by C. Manning &amp; H.

0. Hidden Markov Models Based on Foundations of Statistical NLP by C. Manning &amp; H. Sch utze, ch. 9, MIT Press, 2002 Biological Sequence Analysis, R. Durbin et al., ch. 3 and 11.6, Cambridge University Press, 1998 1.

929 views • 59 slides
(Interactive) Proofs Proofs from 900 BCE until 1800s Pythagorass Theorem: Proof: Looks legit.

(Interactive) Proofs Proofs from 900 BCE until 1800s Pythagorass Theorem: Proof: Looks legit.

15-251: Great Theoretical Ideas in Computer Science Lecture 24 (Interactive) Proofs Proofs from 900 BCE until 1800s Pythagorass Theorem: Proof: Looks legit. Then there was Russell Principia Mathematica Volume 2 Russell and others worked

949 views • 50 slides
Social influence Conformity Informational influence Influence that produces conformity when a

Social influence Conformity Informational influence Influence that produces conformity when a

What is a norm? Informal rule for acceptable and expected behavior Scripts Rituals Customs &amp; traditions Social influence Conformity Informational influence Influence that produces conformity when a person feels that others are correct

234 views • 4 slides
Can stuff be morally good? Okinawa Soba Mike Brownnutt Somewhere, something happened... 2 + 2 =

Can stuff be morally good? Okinawa Soba Mike Brownnutt Somewhere, something happened... 2 + 2 =

Redeeming Technology 7th October 2017 Can stuff be morally good? Okinawa Soba Mike Brownnutt Somewhere, something happened... 2 + 2 = 4 235 1 90 143 1 U + n Kr + Ba +

421 views • 18 slides
Earnings Call David Burritt President and Chief Executive Officer Kevin Bradley Executive Vice

Earnings Call David Burritt President and Chief Executive Officer Kevin Bradley Executive Vice

Second Quarter 2019 Earnings Call David Burritt President and Chief Executive Officer Kevin Bradley Executive Vice President and Chief Financial Officer Kevin Lewis General Manager, Investor Relations August 2, 2019 www.ussteel.com

618 views • 20 slides
The Strategist: Strategy from Constraint Adam Brandenburger J.P . Valles Professor,

The Strategist: Strategy from Constraint Adam Brandenburger J.P . Valles Professor,

The Strategist: Strategy from Constraint Adam Brandenburger J.P . Valles Professor, NYU Stern School of Business Distinguished Professor, NYU Tandon School of Engineering Faculty Director, NYU Shanghai Program on Creativity +

377 views • 13 slides
Dealing with Uncertainty We want to get to the point where we can reason with uncertainty CS

Dealing with Uncertainty We want to get to the point where we can reason with uncertainty CS

Dealing with Uncertainty We want to get to the point where we can reason with uncertainty CS 331: Artificial Intelligence This will require using probability e.g. Probability I probability that it will rain today is 0.99 We will

242 views • 6 slides

More recommend