detecting hidden anomalies in dns communication
play

Detecting Hidden Anomalies in DNS Communication CZ.NIC Ondrej - PowerPoint PPT Presentation

Jan 23, 2023 •185 likes •366 views

Detecting Hidden Anomalies in DNS Communication CZ.NIC Ondrej Mikle-Barat / ondrej.mikle@nic.cz Karel Slan / karel.slany@nic.cz 18. 10. 2011 1 Outline Motivation Method description original work algorithm DNS specifics

  1. Detecting Hidden Anomalies in DNS Communication CZ.NIC Ondrej Mikle-Barat / ondrej.mikle@nic.cz Karel Slaný / karel.slany@nic.cz 18. 10. 2011 1

  2. Outline ● Motivation ● Method description – original work – algorithm – DNS specifics ● Experiments – set-up – results ● Conclusion 2

  3. Motivation ● Most of the internet communication starts with a DNS query. – There is a possibility to track communication at a certain level of DNS hierarchy. e.g. for intrusion detection, botnet discovery – ● We want a tool that is able to: – detect suspicious behaviour – scan high volume traffic – detect low volume anomalies – works in real-time = low computation cost – does not need any initial knowledge about the analysed traffic ● Will the tool be able to detect something at a ccTLD? 3

  4. Original Work Extracting Hidden Anomalies using Sketch and Non Gaussian Multiresolution Statistical Detection Procedures by G. Dewaele, K. Fukuda, P. Borgnat, P. Abry, K. Cho ● Blindly analyses large-scale packet trace databases. ● Able to detect short-lived anomalies as well as longer ones. ● Detection method is sensitive to statistical characteristics. ● Promises a very low computation cost. 4

  5. Method Description ● The algorithm analyses the traffic using a sliding time-window within which the analysis is performed. ● The analysis iterates over following steps: 1) random projection - sketches 2) data aggregation 3) Gamma distribution estimation 4) reference values computation 5) distance from reference evaluation 6) sketch combination and anomaly identification 5

  6. Random Projections ● A fixed size time-window of captured traffic is split into sketches using a hash function. ● Selected packet attribute (policy) serves as hash key. ● Hash table size is fixed. 6

  7. Aggregation, Gamma Distribution Parameters ● The sketches are aggregated jointly over a collection of aggregation levels to form a series of packet counts which arrived during an aggregation period. – Aggregation levels transform the time-scale granularity. ● Data from the aggregated time series are modelled using Gamma distribution. – Shape ( α ) and scale ( β ) Gamma distribution parameters are computed for each aggregation level. level 1 0 2 1 0 2 α 1, β 1 2 1 1 1 1 2 2 1 1 2 2 2 2 α 2 , β 2 level 2 3 1 3 2 3 3 4 level 3 4 5 5 7 α 3 , β 3 level 4 9 12 α 4 , β 4 7

  8. Reference Values, Identification of Anomalous Sketches ● For each aggregation level across all sketches standard sample mean and variance of the computed Gamma parameters are computed. ● For each sketch the average Mahalanobis distance to the 'centre of gravity' is computed. ● Sketches with their average distance exceeding a given threshold are marked as anomalous. β 3 β 1 α 3 α 1 β 2 β 4 8 α 2 α 4

  9. Anomaly Identification ● All packet attributes (hash keys) contained in an anomalous sketch are considered suspicious. ● Using a different hash function provides a different mapping into sketches resulting in various anomalous sketches. ● A list of attributes corresponding to detected anomalies is obtained by combining the results for several hash functions and computing the intersection of anomalous sketches. 9

  10. Modification for DNS ● The method was designed to analyse the whole TCP/IP traffic. – Works with TCP/IP connection identifiers (src/dst port/address). ● We extended it to meet DNS traffic specifics. ● Policies: – IP address policy Based on original paper, uses the TCP/IP connection identifiers. – Supports IPv4 and IPv6. – Helps finding suspicious traffic sources. – – Query name policy First domain name of the query is extracted and used as hash key. – Helps finding suspicious traffic from legitimate sources. – 10

  11. The Tool ● The algorithm is implemented using C++. ● It is freely available at git://git.nic.cz/dns-anomaly/ – licensed under GPLv3 ● Command line parameters: – window size + detection interval – count of aggregation levels Aggregation steps are power of 2 in seconds (i.e. 1,2,4,8,...). – – analyse shape, scale or both – detection threshold – policy – hash function count – sketch count (hash table size) 11

  12. Experiments Tested on DITL 2011 data collected in April 2011 on .cz authoritative DNS servers. parameter value time-window size 10 minutes detection interval 10 minutes hash function count 25 hash table size 32 aggregation levels 8 distance threshold 0.8 12

  13. Results Types of traffic labelled as anomalies: ● Traffic form legitimate sources (exhibiting specific patterns) – large recursive resolvers, web crawlers ● Domain enumeration – Blind or dictionary based (gTLD domain, prefix and postfix alteration for given words – e.g. bank or various trademarks) – With the knowledge of the content (little or no NXDOMAIN replies) ● Suspicious – Traffic generated by broken resolvers or testing scripts. e.g. bursts of queries for the same name from single host – – Repeated queries due to short TTL 13

  14. Generic Traffic Recursive resolver Web crawler farm srcIP policy srcIP policy Originates at webhosting/ISP. The pattern is very Possibly web crawlers. They generate lots of regular with a period of approximately 12 seconds. queries whenever they encounter sites with many references. 14

  15. Domain Enumeration Blind domain enumeration Known domain enumeration srcIP policy srcIP policy When analysing the DNS queries a pattern The source must have a very good knowledge emerged – prefixes and postfixes variation using about the content of the domain. Very few well-known trademarks. NXDOMAIN replies are generated. 15

  16. Other Suspicious Broken resolver Possible spam attack srcIP policy qname policy Hundreds of queries for a single record are Multiple hosts are querying same MX record. generated in less than two seconds. ??? qname policy Multiple hosts evenly distributed around the world are generating bursts of queries for the same record. The pattern is visible throughout the entire tested period - always as characteristic spikes. 16

  17. Conclusion ● The tool is able to pinpoint low- and high-volume anomalies. ● Two policies implemented with different effect: – IP policy serves best for domain enumeration detection. – Query name policy divulges domain-related events. e.g. presence of short TTL domains (fast flux) – ● The classification of the anomalies is currently left to be done manually. – Future work: automate this process. 17

  18. The End Thank you for your attention. Questions? 18

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Detecting Anomalies in Inter- hosts Communication Graph Jan, 14, 2009 Keisuke ISHIBASHI*,

Detecting Anomalies in Inter- hosts Communication Graph Jan, 14, 2009 Keisuke ISHIBASHI*,

Detecting Anomalies in Inter- hosts Communication Graph Jan, 14, 2009 Keisuke ISHIBASHI*, Tsuyoshi KONDOH*, Shigeaki HARADA , Tatsuya MORI , Ryoichi KAWAHARA , Shoichiro ASANO *NTT Information Platform Labs. NTT Service

356 views • 17 slides
Query Log Analysis Detecting Anomalies in DNS Tra ffi c at a TLD Resolver Pieter Robberechts

Query Log Analysis Detecting Anomalies in DNS Tra ffi c at a TLD Resolver Pieter Robberechts

Query Log Analysis Detecting Anomalies in DNS Tra ffi c at a TLD Resolver Pieter Robberechts Promotor: Prof. Hendrik Blockeel Thesis Defence Co-promoter: Ronald Geens Jun 30, 2017 Goal and Context Goal and Context The QLAD System Results

359 views • 31 slides
Query Log Analysis Detecting Anomalies in DNS Tra ffi c at a TLD Resolver Pieter Robberechts ,

Query Log Analysis Detecting Anomalies in DNS Tra ffi c at a TLD Resolver Pieter Robberechts ,

Query Log Analysis Detecting Anomalies in DNS Tra ffi c at a TLD Resolver Pieter Robberechts , Maarten Bosteels, Jesse Davis and Wannes Meert Goal and Context Goal and Context The QLAD System Results Conclusion DNS The Domain Name System

659 views • 26 slides
Unsupervised learning in medical imaging Discovering phenotypes and detecting anomalies Johannes

Unsupervised learning in medical imaging Discovering phenotypes and detecting anomalies Johannes

Unsupervised learning in medical imaging Discovering phenotypes and detecting anomalies Johannes Hofmanninger many slides by Georg Langs Medical University of Vienna Department for Biomedical Imaging and Image-guided Therapy Computational

1.65k views • 112 slides
Detecting routing anomalies using RIPE Atlas Todor Yakimov Graduate School of Informatics

Detecting routing anomalies using RIPE Atlas Todor Yakimov Graduate School of Informatics

Detecting routing anomalies using RIPE Atlas Todor Yakimov Graduate School of Informatics University of Amsterdam Wednesday, February 5, 2014 Todor Yakimov (UvA) Detecting routing anomalies using RIPE Atlas Wednesday, February 5, 2014 1 / 17

723 views • 17 slides
Are these Ads Safe: Detecting Hidden Attacks through Mobile App-Web Interfaces Vaibhav Rastogi 1 ,

Are these Ads Safe: Detecting Hidden Attacks through Mobile App-Web Interfaces Vaibhav Rastogi 1 ,

Are these Ads Safe: Detecting Hidden Attacks through Mobile App-Web Interfaces Vaibhav Rastogi 1 , Rui Shao 2 , Yan Chen 3 , Xiang Pan 3 , Shihong Zou 4 , and Ryan Riley 5 1 University of Wisconsin and Pennsylvania State University 2 Zhejiang

490 views • 27 slides
Detecting Changes and Anomalies in Noisy Text Streams Jerry Wright Networking and Services

Detecting Changes and Anomalies in Noisy Text Streams Jerry Wright Networking and Services

CoCITe Noise Mixture Distributions Results Summary Detecting Changes and Anomalies in Noisy Text Streams Jerry Wright Networking and Services Research Lab AT&T Labs Research 15 February 2010 Noisy Text Streams CoCITe Noise

350 views • 34 slides
The middle program $ middle 3 3 5 middle: 3 $ middle 2 1 3 middle: 1 10 10 int main(int

The middle program $ middle 3 3 5 middle: 3 $ middle 2 1 3 middle: 1 10 10 int main(int

Detecting Anomalies Andreas Zeller 1 Tracing Infections For every infection, we must find the earlier infection that causes it. Which origin should we focus upon? 2 2 Tracing Infections 3 3 Focusing on Anomalies

522 views • 27 slides
Group Communication Analysis A computational linguistics approach for detecting sociocognitive

Group Communication Analysis A computational linguistics approach for detecting sociocognitive

Group Communication Analysis A computational linguistics approach for detecting sociocognitive roles in multi-party interactions Dr. Nia Dowell Postdoctoral Research Fellow School of Information Digital Innovation Greenhouse University of

826 views • 46 slides
Outline 1) Incorporating theoretical systematics in p fits 2) Spectral anomalies Frequentist

Outline 1) Incorporating theoretical systematics in p fits 2) Spectral anomalies Frequentist

Is DM hidden in the p flux? Pierre Outline 1) Incorporating theoretical systematics in p fits 2) Spectral anomalies Frequentist vs Bayesian 3) A few recent examples CRAC meeting Grenoble July 5, 2019 1) Incorporating theoretical

386 views • 11 slides
Building Calibration Standard for Remote Field Eddy Current Technique Detecting Deeply Hidden

Building Calibration Standard for Remote Field Eddy Current Technique Detecting Deeply Hidden

Innovative Materials Testing Technologies, Inc. Building Calibration Standard for Remote Field Eddy Current Technique Detecting Deeply Hidden Corrosion in Aircraft Structures Yushi Sun Innovative Materials Testing Technologies, Inc. 2501 N.

1k views • 53 slides
12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic

12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic

12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic graphics 2.Detecting manipulated images Photo manipulation is the application of image editing techniques to photographs in order to create an

306 views • 13 slides
Mining Anomalies Andrzej Wasylkowski 1 Why Mine Anomalies? How can we make programs more

Mining Anomalies Andrzej Wasylkowski 1 Why Mine Anomalies? How can we make programs more

Mining Anomalies Andrzej Wasylkowski 1 Why Mine Anomalies? How can we make programs more reliable? Testing, code inspection, etc. Mining anomalies, etc. In general: automatic defect detection 2 Overview Automatic Defect

446 views • 19 slides
Method Specifications using primitive data x = 6 x {2, 5, 30} x < y y = 5x + 10 z =

Method Specifications using primitive data x = 6 x {2, 5, 30} x < y y = 5x + 10 z =

Detecting Anomalies Andreas Zeller 1 Whats abnormal? Suppose we determine common properties of all passing runs. Now we examine a run which fails the test. Any difference in properties correlates with failure and is likely to

460 views • 14 slides
Hidden Data in Internet Published Documents 2004-12-27 21. Chaos Communication Congress 2004

Hidden Data in Internet Published Documents 2004-12-27 21. Chaos Communication Congress 2004

Far More Than You Ever Wanted To Tell Hidden Data in Internet Published Documents 2004-12-27 21. Chaos Communication Congress 2004 Steven J. Murdoch & Maximillian Dornseif See http://md.hudora.de/presentations/#hiddendata-21c3 This

1.16k views • 86 slides
SK Telecom 1 U U U U U U U- U - - communication - - - - - communication

SK Telecom 1 U U U U U U U- U - - communication - - - - - communication

U U U U U U U- U - - communication - - - - - communication communication communication communication communication communication communication Korea Mobile Market Trend for Convergence & Ubiquitous Communication 2004.

400 views • 16 slides
NOT EXACTLY! APPROXIMATE ALGORITHMS FOR BIG DATA FANGJIN YANG DRUID COMMITTER METAMARKETS

NOT EXACTLY! APPROXIMATE ALGORITHMS FOR BIG DATA FANGJIN YANG DRUID COMMITTER METAMARKETS

NOT EXACTLY! APPROXIMATE ALGORITHMS FOR BIG DATA FANGJIN YANG DRUID COMMITTER METAMARKETS NELSON RAY QUANTITATIVE ANALYST GOOGLE OVERVIEW THE PROBLEM MANAGE DATA COST EFFICIENTLY THE DATA DEALING WITH EVENT STREAMS SIMPLIFYING

1.11k views • 64 slides
Autoplacer : Scalable Self-Tuning Data Placement in Distributed Key-value Stores ICAC13 Jo

Autoplacer : Scalable Self-Tuning Data Placement in Distributed Key-value Stores ICAC13 Jo

Autoplacer : Scalable Self-Tuning Data Placement in Distributed Key-value Stores ICAC13 Jo ao Paiva , Pedro Ruivo, Paolo Romano, Lu s Rodrigues Instituto Superior T ecnico / Inesc-ID, Lisboa, Portugal June 27, 2013 Outline

605 views • 48 slides
Using OpenACC to parallelize irregular computation (Session:S7478) Sunita Chandrasekaran Arnov

Using OpenACC to parallelize irregular computation (Session:S7478) Sunita Chandrasekaran Arnov

Using OpenACC to parallelize irregular computation (Session:S7478) Sunita Chandrasekaran Arnov Sinha (arnov@udel.edu) (schandra@udel.edu) M.S. (Graduating Summer17) Assistant Professor University of Delaware, DE, USA May 10, GTC 2017,

436 views • 22 slides
Scalable Content- Addressable Network Eireann Leverett How Torus We use a Torus because it is

Scalable Content- Addressable Network Eireann Leverett How Torus We use a Torus because it is

Scalable Content- Addressable Network Eireann Leverett How Torus We use a Torus because it is un- Dimensions ending in each Nodes dimension. It is a Hashing circle where the last Realities address neighbours Zone takeover the first,

922 views • 10 slides
Ahoy: A Proximity-Based Discovery Protocol Robbert Haarman Contents 1. Introduction to Ahoy 2.

Ahoy: A Proximity-Based Discovery Protocol Robbert Haarman Contents 1. Introduction to Ahoy 2.

Ahoy: A Proximity-Based Discovery Protocol Robbert Haarman Contents 1. Introduction to Ahoy 2. Protocol Overview 3. Message Types 4. Attenuated Bloom Filters 5. My Contributions 6. Summary 7. Questions Part 1 Introduction to Ahoy What is

1.23k views • 71 slides
New Curves in DNSSEC Ond ej Sur, CZ.NIC SafeCurves(.cr.yp.to) Work by Daniel J. Bernstein

New Curves in DNSSEC Ond ej Sur, CZ.NIC SafeCurves(.cr.yp.to) Work by Daniel J. Bernstein

New Curves in DNSSEC Ond ej Sur, CZ.NIC SafeCurves(.cr.yp.to) Work by Daniel J. Bernstein and Tanja Lange Difference between security of: Elliptic-Curve Cryptography (ECC) Elliptic-Curve Discrete-Logarithm Problem (ECDLP)

384 views • 6 slides
Message-locked Encryption with Deduplication Consistency Sbastien Canard 1 , Fabien Laguillaumie

Message-locked Encryption with Deduplication Consistency Sbastien Canard 1 , Fabien Laguillaumie

Message-locked Encryption with Deduplication Consistency Sbastien Canard 1 , Fabien Laguillaumie 2 and Marie Paindavoine 1,2 1 Orange Labs, Applied Crypto Group, France. 2 Universit Claude Bernard Lyon 1, LIP (CNRS/ENSL/INRIA/UCBL), France.

256 views • 11 slides
File Organisation Part - II Dr. V. V. Subrahmanyam Associate Professor, SOCIS, IGNOU Heap File

File Organisation Part - II Dr. V. V. Subrahmanyam Associate Professor, SOCIS, IGNOU Heap File

File Organisation Part - II Dr. V. V. Subrahmanyam Associate Professor, SOCIS, IGNOU Heap File Organisation The simplest file structure is an unordered file or heap file. The data in the pages of a heap file is not ordered. Every

618 views • 25 slides

More recommend