a word graph approach for dictionary detection and
play

A Word Graph Approach for Dictionary Detection and Extraction in - PowerPoint PPT Presentation

Dec 07, 2022 •179 likes •382 views

A Word Graph Approach for Dictionary Detection and Extraction in DGA Domain Names Mayana Pereira, Shaun Coleman, Bin Yu, Martine De Cock, Anderson Nascimento Motivation Source:

  1. A Word Graph Approach for Dictionary Detection and Extraction in DGA Domain Names Mayana Pereira, Shaun Coleman, Bin Yu, Martine De Cock, Anderson Nascimento

  2. Motivation Source: https://www.accenture.com/t20170926T072837Z__w__/us-en/_acnmedia/PDF-61/Accenture-2017-CostCyberCrimeStudy.pdf https://www.csoonline.com/article/3153707/security/top-5-cybersecurity-facts-figures-and-statistics-for-2017.html

  3. Communication Between bots and C2 Servers C2 Server Bot Accountability Activation Updates Sending Back Stolen Information

  4. Communication Between bots Blacklist and C2 Servers 135.175.17.35 MALWARE CODE C2 server IP: 135.175.17.35 HARDCODED IP ADDRESS Bot

  5. DGA: Domain DNS query: ajdhkbf.info Generation DNS Reply: NXdomain Algorithm Bot DNS server DNS query: dnskasd.info DNS Reply: NXdomain DNS query: akdjnfag.info DNS Reply: 135.175.17.35 Contact 135.175.17.35 Malicious Payload C2 Server Bot IP 135.175.17.35

  6. How does DGA Detection Good - wikipedia.org Models work? Bad - nn4rzw6r4yv4ezapuu.ru Works by Differentiating Characters Probability Distributions [1] Schiavoni, Stefano, et al. "Phoenix: DGA-based botnet tracking and intelligence." International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment . Springer, Cham, 2014. [2] Antonakakis, Manos, et al. "From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based Malware." USENIX security symposium . Vol. 12. 2012. [3] Yadav, Sandeep, et al. "Detecting algorithmically generated malicious domain names." Proceedings of the 10th ACM SIGCOMM conference on Internet measurement . ACM, 2010.

  7. How does DGA Detection Models work? Good - wikipedia.org Bad - nn4rzw6r4yv4ezapuu.ru Bad - wintermeasure.net

  8. How dictionary DGA domains are formed... Suppobox Malware Domains Words are used repeatedly!

  9. Contributions We propose a method that: 1. Detects domains and Extracts the dictionary from dictionary DGAs. 2. Robust against changes in the dictionary.

  10. Assume there is an algorithm for finding “words” within a domain facebook.com booksales.com book face sales

  11. DGA words connect differently! DGA Benign

  12. Finding domains Domain names DGA formed by Malicious words DGA words domains extracted detected Analysis of Word Graph We extract the dictionaries without Reverse Engineering efforts!

  13. Finding Malicious Regions in the ID Feature 1 Feature 2 Feature 3 Feature 4 DGA graph Description vector Dataset 1 Feature 1 Feature 2 Feature 3 Feature 4 non-DGA 2 Feature 1 Feature 2 Feature 3 Feature 4 ... n Feature 1 Feature 2 Feature 3 Feature 4 Filter Nodes with low degree less than n (n=4) Features from each graph component G: DGA I. Average node degree non-DGA II. Maximum node degree ... III. Number of cycles which form a basis of DGA K-NN cycles of G model IV. Average cycles per node

  14. Methodology Round 1 Round 2 Round 3 DGA DGA Alexa Alexa Alexa Dict 1 Dict 1 Train Train Train Train DGA DGA DGA DGA Dict 3 Dict 2 Dict 3 Dict 2 Test Alexa Alexa Alexa DGA DGA DGA Test Test Test Dict 2 Dict 3 Dict 1 Unbalanced Dataset: DGA domains are less than 1% Alexa dataset: Benign domains from Alexa (alexa.com) Top 120k domains. 80,000 domains for training and 40,000 domains for testing. DGA dataset: Suppobox DGA domains. 1,020 DGA domains. Generated using 3 different dictionaries (340 domains per dictionary).

  15. Results Word Detection Results # of words used by DGA # of detected words Recall FPR Round 1 92 92 1 0 Round 2 70 64 0.91 0 Round 3 80 80 1 0 Classification Results Round 1 Round 2 Round 3 Model Precision Recall FPR Precision Recall FPR Precision Recall FPR WordGraph 1 1 0 1 0.96 0 1 1 0 10 -3 10 -3 10 -3 Random 0.056 0.009 0.031 0.006 0.0 0.0 Forest (Baseline)

  16. Remarks - The Method have been used to extract dictionaries from real traffic, extracting known and unknown dictionaries (validation being conducted by security experts). - We have been investigating the relationship between the dictionary size and amount of domains we need to capture in order to extract dictionaries. - Efficiency: In datasets with 2M domains entire algorithm runs in ~100 minutes. (Word Extraction + Graph Analysis)

  17. Summary - First Algorithm that aims at detecting dictionary DGA domains - We are able to extract 97,5% of the used dictionary with a few hundred domains. - Our method is completely independent of the dictionary that is used by the malware QUESTIONS?

  18. Thank you! mpereira@infoblox.com

  19. Results Word Detection Results Words Round 1 -> ['within', 'belong', 'early', 'would', 'distant', 'clothes', 'journey', 'remember', 'smell', 'safety', 'forget', 'little', 'effort', 'separate', 'ridden', 'husband', 'those', 'destroy', 'chair', 'future', 'through', 'health', 'suffer', 'increase', 'known', 'follow', 'already', 'woman', 'storm', 'fight', 'period', 'choose', 'summer', 'water', 'fresh', 'thrown', 'smoke', 'thought', 'hunger', 'gentleman', 'party', 'crowd', 'member', 'however', 'experience', 'although', 'begin', 'training', 'degree', 'morning', 'class', 'heavy', 'share', 'likely', 'history', 'order', 'weather', 'return', 'answer', 'student', 'glass', 'alone', 'shake', 'succeed', 'present', 'think', 'nearly', 'leader', 'require', 'glossary', 'strange', 'various', 'chief', 'college', 'heaven', 'often', 'twelve', 'worth', 'necessary', 'difficult', 'happen', 'rather', 'pleasant', 'amount', 'middle', 'produce', 'thick', 'heard', 'gentle', 'round', 'forward', 'between'] Words Round 2 -> ['hello', 'face', 'sell', 'fish', 'lady', 'wing', 'weak', 'after', 'live', 'drive', 'queen', 'peace', 'guide', 'half', 'field', 'force', 'late', 'story', 'mine', 'name', 'house', 'tuesday', 'both', 'gift', 'month', 'least', 'serve', 'walk', 'wednesday', 'past', 'nail', 'gain', 'august', 'under', 'octover' , 'then', 'lend', 'meat', 'case', 'raise', 'these', 'born', 'meet', 'sight', 'price', 'tried', 'with', 'duty', 'quick', 'milk', 'most', 'horse', 'food', 'cloud', 'sick', 'sunday', 'monday', 'reach', 'enjoy', 'head', 'world', 'feed', 'dark', 'croud' ] Words Round 3 -> ['cornelius', 'christianson', 'winchester', 'christison', 'madeline', 'josceline', 'coriander', 'calanthia', 'seraphina', 'paternoster', 'johnathon', 'marigold', 'radclyffe', 'maryvonne', 'raschelle', 'trevelyan', 'columbine', 'sharmaine', 'bethanie', 'katherine', 'nathaniel', 'katheryne', 'september', 'terrence', 'madelaine', 'quintella', 'autenberry', 'summerfield', 'roosevelt', 'christmas', 'mottershead', 'michaelson', 'oliverson', 'shaniqua', 'blackburn', 'earnestine', 'alexandrina', 'bartholomew', 'anjelica', 'washington', 'richardine', 'gwendoline', 'willoughby', 'pemberton', 'maximillian', 'masterson', 'evangelina', 'mariabella', 'harmonie', 'veronica', 'evangeline', 'beauregard', 'christiana', 'wilhelmina', 'dulcibella', 'sacheverell', 'tatianna', 'winnifred', 'maybelline', 'kimberley', 'granville', 'stephania', 'anastasia', 'simonette', 'kingsley', 'harriette', 'andriana', 'catharine', 'gwendolyn', 'jeannette', 'sherwood', 'brooklynn', 'michelyne', 'ethelbert', 'josephine', 'magdalene', 'katherina', 'meriwether', 'charnette', 'sylvester']

  20. Random Forest Features

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Dictionary lookup Suppose youre looking up a word in the dictionary (paper one, not

Dictionary lookup Suppose youre looking up a word in the dictionary (paper one, not

10/6/2016 Dictionary lookup Suppose youre looking up a word in the dictionary (paper one, not online!) You probably wont scan linearly thru the pages inefficient. What would be your strategy? Binary search

727 views • 14 slides
Dictionary Learning for Graph Signals 236862 Introduction to Sparse and Redundant

Dictionary Learning for Graph Signals 236862 Introduction to Sparse and Redundant

Dictionary Learning for Graph Signals 236862 Introduction to Sparse and Redundant Representations joint work with Yael Yankelevsky 22.12.2019 Prof. Michael Elad The Sparseland Model Dictionary Learning: = Model assumption: All data

764 views • 35 slides
The dictionary problem. A dictionary can be seen as a database of records; in each record we

The dictionary problem. A dictionary can be seen as a database of records; in each record we

The dictionary problem. A dictionary can be seen as a database of records; in each record we distinguish the key part (the word) and the data part (its definition). When sorting such a database, we sort according to the key part, and the rest of

355 views • 23 slides
Building an online Indonesian dictionary from Word and Excel fjles David Moeljadi Division of

Building an online Indonesian dictionary from Word and Excel fjles David Moeljadi Division of

Building an online Indonesian dictionary from Word and Excel fjles David Moeljadi Division of Linguistics and Multilingual Studies, Nanyang Technological University, Singapore NIE-ELL Postgraduate Conference (PGC), National Institute of

798 views • 31 slides
1 Matrix notation and preliminaries from spectral graph theory Spectral graph theory studies

1 Matrix notation and preliminaries from spectral graph theory Spectral graph theory studies

CS 224W Graph clustering Austin Benson Graph clustering (or community detection or graph partitioning) is one of the most studied problems in network analysis. One reason for this is that there are a variety of ways to define a cluster

317 views • 9 slides
Automatic Keypoint Detection on 3D Faces Using a Dictionary of Local Shapes Clement Creusot, Nick

Automatic Keypoint Detection on 3D Faces Using a Dictionary of Local Shapes Clement Creusot, Nick

Automatic Keypoint Detection on 3D Faces Using a Dictionary of Local Shapes Clement Creusot, Nick Pears, Jim Austin Advanced Computer Architecture group Department of Computer science 3DIMPVT, Hangzhou, China, May 2011 Aim What Why How

599 views • 16 slides
Improving Polish Mention Detection with Valency Dictionary Bartomiej Nito and Maciej

Improving Polish Mention Detection with Valency Dictionary Bartomiej Nito and Maciej

Improving Polish Mention Detection with Valency Dictionary Bartomiej Nito and Maciej Ogrodniczuk CORBON 2017 Valencia, Spain, 4 th April 2017 The case of mention borders A mention text fragment which could potentially create references

189 views • 15 slides
A SEMANTIC UNSUPERVISED LEARNING APPROACH TO WORD SENSE DISAMBIGUATION Dissertation Presentation

A SEMANTIC UNSUPERVISED LEARNING APPROACH TO WORD SENSE DISAMBIGUATION Dissertation Presentation

A SEMANTIC UNSUPERVISED LEARNING APPROACH TO WORD SENSE DISAMBIGUATION Dissertation Presentation April 4, 2018 Dian I. Martin Presenta tati tion Overview Background LSA-WSD Approach Word Importance in a Sentence

785 views • 53 slides
A Wordcount Approach to Assessing the Moral Color of Old & New Media John Voiklis DIMACS

A Wordcount Approach to Assessing the Moral Color of Old & New Media John Voiklis DIMACS

A Wordcount Approach to Assessing the Moral Color of Old & New Media John Voiklis DIMACS Workshop April 10, 2014 DIMACS Center Rutgers University It aint in the word counts; its in the dictionary Counting words appears to suffice

91 views • 7 slides
Graph-Based Word Embeddings Learning Presenter: Zheng ZHANG Supervisors: Pierre

Graph-Based Word Embeddings Learning Presenter: Zheng ZHANG Supervisors: Pierre

(Post-) Doctoral Seminar of Group ILES, LIMSI 10/04/2018 Graph-Based Word Embeddings Learning Presenter: Zheng ZHANG Supervisors: Pierre ZWEIGENBAUM & Yue MA 1 Date One year ago Our plan: Using graph-of-words for

376 views • 11 slides
CMSC 206 Dictionaries and Hashing The Dictionary ADT n a dictionary (table) is an abstract

CMSC 206 Dictionaries and Hashing The Dictionary ADT n a dictionary (table) is an abstract

CMSC 206 Dictionaries and Hashing The Dictionary ADT n a dictionary (table) is an abstract model of a database or lookup table n like a priority queue, a dictionary stores key- element pairs n the main operation supported by a

496 views • 35 slides
Radio-isotope Identification Using Dictionary Learning Approach for Plastic Spectra Junhyeok

Radio-isotope Identification Using Dictionary Learning Approach for Plastic Spectra Junhyeok

Transactions of the Korean Nuclear Society Virtual Spring Meeting July 9-10, 2020 Radio-isotope Identification Using Dictionary Learning Approach for Plastic Spectra Junhyeok Kim a , Daehee Lee b , Giyoon Kim a , Jinhwan Kim a , Eunbie Ko a ,

277 views • 3 slides
Spectral Methods for Network Community Detection and Graph Partitioning M. E. J. Newman

Spectral Methods for Network Community Detection and Graph Partitioning M. E. J. Newman

Spectral Methods for Network Community Detection and Graph Partitioning M. E. J. Newman Department of Physics, University of Michigan Presenters: Yunqi Guo Xueyin Yu Yuanqi Li 1 Outline: Community Detection Modularity Maximization

1.04k views • 56 slides
Graph Analytics for Community Detection with GraphLab Petko Georgiev Motivation Community

Graph Analytics for Community Detection with GraphLab Petko Georgiev Motivation Community

Graph Analytics for Community Detection with GraphLab Petko Georgiev Motivation Community detection algorithms tools for the analysis and understanding of network data applications in social, technological and biological networks

532 views • 11 slides
The Dictionary ADT The dictionary ADT models a searchable collection findElement(k): if the

The Dictionary ADT The dictionary ADT models a searchable collection findElement(k): if the

Dictionary ADT methods: The Dictionary ADT The dictionary ADT models a searchable collection findElement(k): if the dictionary has an item with key k, of key-element items returns its element, else, returns the special element The main

594 views • 10 slides
Chapter 4 Word-based models Statistical Machine Translation Lexical Translation How to

Chapter 4 Word-based models Statistical Machine Translation Lexical Translation How to

Chapter 4 Word-based models Statistical Machine Translation Lexical Translation How to translate a word look up in dictionary Haus house, building, home, household, shell. Multiple translations some more frequent than others

1.2k views • 61 slides
Representation and Processing of Composition, Variation and Approximation in Language Resources

Representation and Processing of Composition, Variation and Approximation in Language Resources

Representation and Processing of Composition, Variation and Approximation in Language Resources and Tools Towards an accreditation to supervise research Vers une habilitation diriger des recherches (HDR) Agata Savary Laboratoire

838 views • 72 slides
Lexical Semantics & WSD Computertaalkunde December 8, 2014

Lexical Semantics & WSD Computertaalkunde December 8, 2014

Lexical Semantics & WSD Computertaalkunde December 8, 2014 Walter Daelemans Walter.Daelemans@uantwerpen.be Guy De Pauw Guy.Depauw@uantwerpen.be 2 Exam

1.01k views • 64 slides
THE FRUIT OF THE SPIRIT Kindness BY CHRIS DAWSON Kindness What is it? crhstovthV

THE FRUIT OF THE SPIRIT Kindness BY CHRIS DAWSON Kindness What is it? crhstovthV

THE FRUIT OF THE SPIRIT Kindness BY CHRIS DAWSON Kindness What is it? crhstovthV Benignity - Warmhearted, good- - Benignity, kindness natured, friendly, - Thayers Lexico n affectionate, agreeable, cordial, approachable, caring,

226 views • 6 slides
USQCD Software All Hands Meeting FNAL, May 1, 2014 Rich Brower Chair of Software Committee Not

USQCD Software All Hands Meeting FNAL, May 1, 2014 Rich Brower Chair of Software Committee Not

USQCD Software All Hands Meeting FNAL, May 1, 2014 Rich Brower Chair of Software Committee Not possible to summarize status in any detail of course. Recent document available on request - 2 year HEP SciDAC 3.5 proposal ( Paul Mackenzie )

779 views • 22 slides
Todays Message: Bread from Heaven Exodus 16 Where are they? Exodus 16:1-36 The whole

Todays Message: Bread from Heaven Exodus 16 Where are they? Exodus 16:1-36 The whole

Todays Message: Bread from Heaven Exodus 16 Where are they? Exodus 16:1-36 The whole Israelite community set out from Elim and came to the Desert of Sin, which is between Elim and Sinai, on the fifteenth day of the second month after they

728 views • 46 slides
Webinar agenda Parks to Farms: Urban Migration and Community Development in Tower Hamlets and

Webinar agenda Parks to Farms: Urban Migration and Community Development in Tower Hamlets and

Webinar agenda Parks to Farms: Urban Migration and Community Development in Tower Hamlets and Thorncliffe Park 1) Presentation by Sabina Ali , Chair, Thorncliffe Park Womens Committee (Toronto, Canada ) 2) Presentation by Mhairi Weir ,

258 views • 22 slides
JOHN 6:22-34 BREAD OF LIFE PART 1 Thursday, November 14, 13 VERSES 22-24 The Crowd PURSUES

JOHN 6:22-34 BREAD OF LIFE PART 1 Thursday, November 14, 13 VERSES 22-24 The Crowd PURSUES

JOHN 6:22-34 BREAD OF LIFE PART 1 Thursday, November 14, 13 VERSES 22-24 The Crowd PURSUES Jesus across the lake to CAPERNAUM 22 On the next day the crowd that remained on the other side of the sea saw that there had been only one boat there,

351 views • 17 slides
Part A: Schaeffer type bijections A.I Reminders about trees and maps Trees Def. A tree is a

Part A: Schaeffer type bijections A.I Reminders about trees and maps Trees Def. A tree is a

Bijections for Planar Maps: Beautiful and Powerful Part A: Schaeffer type bijections A.I Reminders about trees and maps Trees Def. A tree is a connected acyclic graph. Trees Def. A tree is a connected acyclic graph. Def. A rooted tree is a

1.26k views • 115 slides

More recommend