behavioral analysis
play

Behavioral Analysis Using Network traffic, DNS and logs JOSH PYORRE - PowerPoint PPT Presentation

Feb 06, 2023 •175 likes •1.45k views

Behavioral Analysis Using Network traffic, DNS and logs JOSH PYORRE Security Researcher Previously: Threat Analyst at NASA Threat Analyst at Mandiant @joshpyorre rootaccesspodcast.com Behavioral Analysis VIDEO analyzing website visitors

  1. masterbrand.com mathads.com mdswanson.com medicaresupplement.com metanetwork.net mfg.com mhthemes.com military.com ministerial5.com mixpanel.com mobileapptracking.com mom.me monarchads.com mrsteam.com msftncsi.com mshcdn.com myfonts.net myvzw.com newsinc.com nexage.com nextadvisor.com norcraftcompanies.com notanpest.net obtrk.xyz office.net

  2. This one is ok… masterbrand.com mathads.com mdswanson.com medicaresupplement.com metanetwork.net mfg.com mhthemes.com military.com ministerial5.com mixpanel.com mobileapptracking.com mom.me monarchads.com mrsteam.com msftncsi.com mshcdn.com myfonts.net myvzw.com newsinc.com nexage.com nextadvisor.com norcraftcompanies.com notanpest.net obtrk.xyz office.net

  3. masterbrand.com mathads.com mdswanson.com medicaresupplement.com metanetwork.net mfg.com mhthemes.com military.com ministerial5.com mixpanel.com mobileapptracking.com mom.me monarchads.com mrsteam.com msftncsi.com mshcdn.com myfonts.net myvzw.com newsinc.com nexage.com nextadvisor.com norcraftcompanies.com notanpest.net obtrk.xyz office.net

  4. masterbrand.com mathads.com mdswanson.com medicaresupplement.com metanetwork.net mfg.com mhthemes.com military.com ministerial5.com mixpanel.com mobileapptracking.com mom.me monarchads.com mrsteam.com msftncsi.com mshcdn.com myfonts.net myvzw.com newsinc.com nexage.com nextadvisor.com norcraftcompanies.com notanpest.net obtrk.xyz office.net

  5. masterbrand.com mathads.com mdswanson.com medicaresupplement.com metanetwork.net mfg.com mhthemes.com military.com ministerial5.com mixpanel.com mobileapptracking.com mom.me monarchads.com mrsteam.com msftncsi.com mshcdn.com myfonts.net myvzw.com newsinc.com nexage.com nextadvisor.com norcraftcompanies.com notanpest.net obtrk.xyz office.net

  6. masterbrand.com mathads.com mdswanson.com medicaresupplement.com metanetwork.net mfg.com mhthemes.com military.com ministerial5.com mixpanel.com mobileapptracking.com mom.me monarchads.com mrsteam.com msftncsi.com mshcdn.com myfonts.net myvzw.com newsinc.com nexage.com nextadvisor.com norcraftcompanies.com notanpest.net obtrk.xyz office.net

  7. Found a bad one! masterbrand.com mathads.com mdswanson.com medicaresupplement.com metanetwork.net mfg.com mhthemes.com military.com ministerial5.com mixpanel.com mobileapptracking.com mom.me monarchads.com mrsteam.com msftncsi.com mshcdn.com myfonts.net myvzw.com newsinc.com nexage.com nextadvisor.com norcraftcompanies.com notanpest.net obtrk.xyz office.net

  8. That process is really tedious

  9. Tedious • Mostly Manual Process • Searching and Personal Expertise

  10. Automate Things • Auto-process Logs / Streams • Save it so it’s Workable

  11. Getting data • Log files • DNS, AD, System, Web, etc • Network Capture

  12. Have to Write Parsers • We all have custom data • Use whatever is easiest for you • Python h g U • Excel • R

  13. Creating a baseline • Counting Total Number of Domains • Getting “Scores” • Categorization

  14. DNS • Starting with data from OpenDNS • Over a billion queries per day - approximately 3% of the internet • How do you baseline that? (You need a LOT of that data - as in TB) • Can you baseline that?

  15. DNS looks like this

  16. Let’s try anyway • Count how many times a domain is seen • Over 10 times: Write to normal_traffic.txt • Under 3 times: Write to suspicious_traffic.txt

  17. 08/25/2016 17:20:00,s1.mohito.com,A,360,78.24.161.76 08/25/2016 17:29:00,hotspotcostablanca.ath.cx,A,60,81.36.140.179 9 Minutes of DNS

  18. 664,938 domains looked up wc -l 2016-08-25-17-20.myzPMsaJ 664,938 2016-08-25-17-20.myzPMsaJ

  19. File size of original logs, the normal_traffic and the suspicious_traffic output files

  20. Normal Traffic

  21. Suspicious Traffic

  22. Picking one ‘suspicious’ site Suspicious Traffic

  23. Looking at DNS requests for that ‘suspicious’ site

  24. It’s probably fine…

  25. Picking another ‘suspicious’ site More Suspicious Traffic

  26. Looking at DNS requests:

  27. Looking at the site (no longer available)

  28. Looking at categorization: Categorization

  29. We still have a lot that is uncategorized Categorization

  30. Look at the Bandwidth

  31. Total traffic by Minute

  32. Doesn’t mean much It’s random data from unrelated sources

  33. We must Narrow the Focus

  34. DNS One Organization

  35. 19,801,469 DNS Requests: For a 17 hour period:

  36. Looks like this. Lots of visits to directv.com

  37. Remove unneeded data, still a large file:

  38. Get rid of the obviously normal: Down to 493,351 DNS Requests:

  39. Get rid of additional normal domains Down to 1,320 DNS Requests:

  40. Graphing on a timeline, but it’s not too clean

  41. Graph by domain and visit count (with some mistakes)

  42. Auto processing through past data can take a toll 2 GB File: Taking forever

  43. DNS • Looking at DNS traffic on the wire • Processing with various tools • Python • Pandas, etc…

  44. DNS • Ran this on a system at home: tcpdump -i eth1 -j host port 53 -tttt >> tcpdump.log eth1 is hooked up to a network tap watching traffic between the routers internet port and the cable modem

  45. It looks like this: 12:56:37.854306 IP 73.202.157.15.53018 > 208.67.222.222.53: 46044+ A? apple.com. (27) E..7..@.@...I....C..... 5.#.w.............apple.com..... 12:56:37.854517 IP 73.202.157.15.2461 > 208.67.222.222.53: 18586+ A? calendar.google.com. (37) E..A..@.@...I....C.. .. 5.-.xH............calendar.google.com..... 12:56:37.854681 IP 73.202.157.15.25959 > 208.67.222.222.53: 17850+ A? 1-courier.push.apple.com. (42) E..F..@.@...I....C..eg.5.2V.E........... 1- courier.push.apple.com..... 12:56:37.854906 IP 73.202.157.15.15125 > 208.67.222.222.53: 63415+ A? 14-lvl3-pdl.vimeocdn.com. (42)

  46. Just the time, domain and visit count

  47. Graph by domain and visit count

  48. This is anomalous:

  49. See if we can get an idea of network behavior from patterns Compare Traffic

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A Behavioral Analysis of the DSM-5 Criteria for Autism: Failure of Normal Back -and- Forth

A Behavioral Analysis of the DSM-5 Criteria for Autism: Failure of Normal Back -and- Forth

A Behavioral Analysis of the DSM-5 Criteria for Autism: Failure of Normal Back -and- Forth Conversation Mark L. Sundberg, Ph.D., BCBA-D (www.marksundberg.com) Introduction The historical progression of behavior analysis and autism

168 views • 16 slides
A Brief Introduction to Behavioral Economics A field that Integrates behavioral sciences

A Brief Introduction to Behavioral Economics A field that Integrates behavioral sciences

A Brief Introduction to Behavioral Economics A field that Integrates behavioral sciences (psychology, sociology) into analysis of human decision-making. Assumes decision-making behavior can be irrational, too, not only logical

306 views • 7 slides
Applied Behavioral Analysis 2019 CPT Code Crosswalk HEALTH SYSTEMS DIVISION Medicaid Program

Applied Behavioral Analysis 2019 CPT Code Crosswalk HEALTH SYSTEMS DIVISION Medicaid Program

Applied Behavioral Analysis 2019 CPT Code Crosswalk HEALTH SYSTEMS DIVISION Medicaid Program Unit Applied Behavioral Analysis ORABA Presentation Introduction Purpose 2019 ABA code crosswalk Information about current work

347 views • 13 slides
Gaps Analysis of Behavioral Health Services Updated Presented by: February 5, 2014 Kelly

Gaps Analysis of Behavioral Health Services Updated Presented by: February 5, 2014 Kelly

Nevada Department of Health and Human Services DIVISION OF PUBLIC AND BEHAVIORAL HEALTH Gaps Analysis of Behavioral Health Services Updated Presented by: February 5, 2014 Kelly Marschall, MSW Legislative Committee on Health Care Purpose of

880 views • 55 slides
How bluetooth may jeopardize your privacy. An analysis of people behavioral patterns in

How bluetooth may jeopardize your privacy. An analysis of people behavioral patterns in

How bluetooth may jeopardize your privacy. An analysis of people behavioral patterns in the street. Vernica Valeros, Sebastin Garca MatesLab Hackspace, Mar del Plata, Argentina {vero.valeros,eldraco}@gmail.com Abstract

393 views • 18 slides
CAFE Standards and Behavioral Welfare Analysis Hunt Allcott New York University and National

CAFE Standards and Behavioral Welfare Analysis Hunt Allcott New York University and National

CAFE Standards and Behavioral Welfare Analysis Hunt Allcott New York University and National Bureau of Economic Research Agenda What are internalities? Why internalities are important for CAFE Measuring internalities Behavioral

507 views • 25 slides
Behavioral Study of Bot Obedience using Causal Relationship Analysis Pekka Pietikinen, Lari

Behavioral Study of Bot Obedience using Causal Relationship Analysis Pekka Pietikinen, Lari

Behavioral Study of Bot Obedience using Causal Relationship Analysis Pekka Pietikinen, Lari Huttunen Oulu University Secure Programming Group Botnets have become an increasing menace Tens of strategically placed hosts to hundreds of

164 views • 15 slides
Behavioral Economics and the Conduct of Benefit-Cost Analysis: Towards Principles and Standards*

Behavioral Economics and the Conduct of Benefit-Cost Analysis: Towards Principles and Standards*

Behavioral Economics and the Conduct of Benefit-Cost Analysis: Towards Principles and Standards* Prepared for: Developing Standards for Benefit-Cost Analysis Conference October 18-19, 2010 Washington, DC Prepared by: Lisa A. Robinson,

621 views • 14 slides
BEHAVIORAL FINANCE: USING IT TO MAKE YOUR TECHNICAL ANALYSIS MORE PRODUCTIVE HOW TO LEARN MORE

BEHAVIORAL FINANCE: USING IT TO MAKE YOUR TECHNICAL ANALYSIS MORE PRODUCTIVE HOW TO LEARN MORE

BEHAVIORAL FINANCE: USING IT TO MAKE YOUR TECHNICAL ANALYSIS MORE PRODUCTIVE HOW TO LEARN MORE IF YOU WISH Don Cassidy www.R-I-I.org Don Cassidy Founder and President Retirement Investing Institute www.

558 views • 37 slides
Welfare Analysis for Behavioral Models Vast evidence on people holding wrong beliefs and

Welfare Analysis for Behavioral Models Vast evidence on people holding wrong beliefs and

A W ELFARE C RITERION F OR M ODELS WITH D ISTORTED B ELIEFS M ARKUS B RUNNERMEIER , A LP S IMSEK & W EI X IONG Welfare Analysis for Behavioral Models Vast evidence on people holding wrong beliefs and making inefficient decisions. e.g.,

768 views • 24 slides
The Behavioral Health Workforce Gail W. Stuart, PhD, RN 55% of US counties have no behavioral

The Behavioral Health Workforce Gail W. Stuart, PhD, RN 55% of US counties have no behavioral

The Behavioral Health Workforce Gail W. Stuart, PhD, RN 55% of US counties have no behavioral health provider 77% have unmet behavioral health needs Plagued with shortages and maldistribution CALL TO ACTION 2007 Mental

391 views • 15 slides
Behavioral Health ASO Overview Rebecca Frechard, LCPC, Deputy Director Medicaid Behavioral Health

Behavioral Health ASO Overview Rebecca Frechard, LCPC, Deputy Director Medicaid Behavioral Health

Behavioral Health ASO Overview Rebecca Frechard, LCPC, Deputy Director Medicaid Behavioral Health Division Behavioral Health System of Care Workgroup: October 23, 2019 1 Behavioral Health ASO The Administrative Service Organizations (ASO) is

99 views • 7 slides
Louisiana Behavioral Health Partnership A New Approach to Behavioral Health LOUISIANA DEPARTMENT

Louisiana Behavioral Health Partnership A New Approach to Behavioral Health LOUISIANA DEPARTMENT

Louisiana Behavioral Health Partnership A New Approach to Behavioral Health LOUISIANA DEPARTMENT OF HEALTH AND HOSPITALS System is fragmented: No clear single vision for how the state serves children and adults with significant behavioral

334 views • 8 slides
Behavioral Health Hom e Plus and Optim al Health James Schuster, MD, MBA CMO, Medicaid, SNP, and

Behavioral Health Hom e Plus and Optim al Health James Schuster, MD, MBA CMO, Medicaid, SNP, and

Behavioral Health Hom e Plus and Optim al Health James Schuster, MD, MBA CMO, Medicaid, SNP, and Behavioral Services UPMC Insurance Division What is a Behavioral Health Hom e? A behavioral health home (BHH) is a service delivery model that

606 views • 25 slides
Behavioral Health Clinics (BHCs) New Options for Providers of Community-Based Behavioral

Behavioral Health Clinics (BHCs) New Options for Providers of Community-Based Behavioral

Behavioral Health Clinics (BHCs) New Options for Providers of Community-Based Behavioral Services June 2018 www2.illinois.gov/hfs 1 1 Behavioral Health Clinics Webinar Housekeeping Items: Phone lines are in listen only mode

391 views • 22 slides
Applied Behavioral Analysis (ABA) Increased numbers of Students Receiving ABA Services

Applied Behavioral Analysis (ABA) Increased numbers of Students Receiving ABA Services

BOSTON PUBLIC SCHOOLS Office of Special Education and Student Services BOSTON PUBLIC SCHOOLS Department Name Applied Behavioral Analysis (ABA) Increased numbers of Students Receiving ABA Services students identified annually 700 and

304 views • 3 slides
START Surprise! MARTY Aaaagh! Alex, dont interrupt me when Im daydreaming. When the

START Surprise! MARTY Aaaagh! Alex, dont interrupt me when Im daydreaming. When the

Audition Sides - Alex, Marty, Gloria, Melman, Lionesses, Mason & ## Poco rit. j 41 see liv - ing where I was meant to be. (ALEX pops onstage.) ALEX START Surprise!

321 views • 17 slides
Think Somatics Presented by: Meredith Neuman Sheila Ojeda Casey Rossomondo Somerville Academy

Think Somatics Presented by: Meredith Neuman Sheila Ojeda Casey Rossomondo Somerville Academy

Paid Media Marketing Strategy for Think Somatics Presented by: Meredith Neuman Sheila Ojeda Casey Rossomondo Somerville Academy 2019 Introduction Meredith Meredith: RDN with a passion for helping like-minded organizations spread their

334 views • 32 slides
FeaturesforComputerVision AlexBerg ComputerScienceDepartment

FeaturesforComputerVision AlexBerg ComputerScienceDepartment

FeaturesforComputerVision AlexBerg ComputerScienceDepartment ColumbiaUniversity WhyVision? Light! Itishowweseeotherpeople, navigateourenvironment,

1.83k views • 167 slides
MIGS: Alcon Laboratories S Maybe Its Glaucoma Surgery! Allergan C,S New World Medical S

MIGS: Alcon Laboratories S Maybe Its Glaucoma Surgery! Allergan C,S New World Medical S

12/4/2015 I have the following financial interests and relationships to disclose: MIGS: Alcon Laboratories S Maybe Its Glaucoma Surgery! Allergan C,S New World Medical S NIH-NEI S Joseph Caprioli RPB S Simms-Mann Foundation S

212 views • 4 slides
Semantic Segmentation of the sekleton in bone scintigraphy images with convolutional neural

Semantic Segmentation of the sekleton in bone scintigraphy images with convolutional neural

Semantic Segmentation of the sekleton in bone scintigraphy images with convolutional neural networks Problem Description Convolutional Neural Networks Convolutional Layer Max Pooling Transforming Classification networks to segmentation

157 views • 12 slides
The inverse ischemia problem; mathematical models and validation Bjrn Fredrik Nielsen (Simula)

The inverse ischemia problem; mathematical models and validation Bjrn Fredrik Nielsen (Simula)

The inverse ischemia problem; mathematical models and validation Bjrn Fredrik Nielsen (Simula) Marius Lysaker (Simula) Per Grttum (Fac. of medicine UiO & Simula) Martin Burger (University of Mnster) Kristina Hermann Haugaa

381 views • 21 slides
Near-Duplicate Detection for eRulemaking Hui Yang, Jamie Callan Language Technologies Institute

Near-Duplicate Detection for eRulemaking Hui Yang, Jamie Callan Language Technologies Institute

Near-Duplicate Detection for eRulemaking Hui Yang, Jamie Callan Language Technologies Institute School of Computer Science Carnegie Mellon University Stuart Shulman Library and Information Science School of Information Sciences University of

479 views • 18 slides
Scintillation Counters Unlike many other particle detectors, which exploit the ionisation produced

Scintillation Counters Unlike many other particle detectors, which exploit the ionisation produced

Detectors for Nuclear and Particle Physics Scintillation Counters Unlike many other particle detectors, which exploit the ionisation produced by the passage of a charged particle, scintillation counters rely on the atomic or molecular excitation

331 views • 5 slides

More recommend