dnssm a large scale passive dns security monitoring
play

DNSSM: A Large Scale Passive DNS Security Monitoring Framework - PowerPoint PPT Presentation

Jan 05, 2023 •37 likes •217 views

samuel.marchal@uni.lu 16/04/12 DNSSM: A Large Scale Passive DNS Security Monitoring Framework Samuel Marchal, J er ome Fran cois, Cynthia Wagner, Radu State, Alexandre Dulaunoy, Thomas Engel, Olivier Festor Motivation Solution

  1. samuel.marchal@uni.lu 16/04/12 DNSSM: A Large Scale Passive DNS Security Monitoring Framework Samuel Marchal, J´ erˆ ome Fran¸ cois, Cynthia Wagner, Radu State, Alexandre Dulaunoy, Thomas Engel, Olivier Festor

  2. Motivation Solution Experiments and Results Conclusion Outline 1 Motivation 2 Solution 3 Experiments and Results 4 Conclusion 2 / 18

  3. Motivation Solution Experiments and Results Conclusion Outline 1 Motivation 2 Solution 3 Experiments and Results 4 Conclusion 3 / 18

  4. Motivation Solution Experiments and Results Conclusion Overview of DNS ◮ DNS (Domain Name System) is the service that maps a domain name to its associated IP addresses www.example.com = ⇒ 123.45.6.78 ◮ DNS is the service that allows to find information about a domain : ◮ A : IPv4 address ◮ AAAA : IPv6 address ◮ MX : Mail server ◮ NS : Authoritative DNS server ◮ TXT : any information 4 / 18

  5. Motivation Solution Experiments and Results Conclusion Why DNS monitoring ? ◮ DNS: ◮ critical Internet service ◮ threats: cache poisoning, typosquatting, DNS tunnelling, fast/double-flux ⇒ enhance: phishing, botnet C&C communications, covered channel communications etc. ⇒ Patterns in DNS packet fields and DNS querying behavior ◮ Passive DNS monitoring to detect: ◮ worm infected hosts ◮ malicious backdoor communication ◮ botnet participating hosts ◮ phishing websites hosting 5 / 18

  6. Motivation Solution Experiments and Results Conclusion Existing solutions ◮ Mainly use supervised classification techniques ◮ SVM, tree, rules, etc. ◮ require malicious data for training ◮ Targeted identification of malicious domains ◮ C&C communication involved domains ◮ Phishing domains ◮ Spamming domains ◮ etc. 6 / 18

  7. Motivation Solution Experiments and Results Conclusion Outline 1 Motivation 2 Solution 3 Experiments and Results 4 Conclusion 7 / 18

  8. Motivation Solution Experiments and Results Conclusion Clustering Automated clustering technique for online analysis ◮ No previous knowledge ◮ Group domains regarding their activity ◮ DNS information ⇒ Domain activity ◮ Disclose the raise of new threats ◮ K-means clustering ◮ 10 relevant features 8 / 18

  9. Motivation Solution Experiments and Results Conclusion Features For each domain observed: ◮ Number of IP addresses ◮ IP scattering : entropy based and position weighted ◮ mean TTL ◮ Requests count ◮ Period of observation ◮ Requests per hour ◮ Name servers count ◮ Number of subdomains ◮ Blacklisted flag 9 / 18

  10. Motivation Solution Experiments and Results Conclusion User interface DNSSM is an approach for automated analysis of DNS (passive traffic) ◮ Manual assistance in tracking anomalies: ◮ Feed with cap file ◮ All DNS packet fields extracted ◮ MySQL database storage model ◮ Web interface ◮ Fast and efficient mining functions ◮ Integrates with existing blacklist tools to assist in tagging data ◮ Detection of fast/double flux domains, DNS tunnelling, etc. ◮ Freely downloadable at: https://gforge.inria.fr/\docman/view.php/3526/ 7602/kit_dns_anomalies.tar.gz 10 / 18

  11. Motivation Solution Experiments and Results Conclusion Architecture 11 / 18

  12. Motivation Solution Experiments and Results Conclusion Outline 1 Motivation 2 Solution 3 Experiments and Results 4 Conclusion 12 / 18

  13. Motivation Solution Experiments and Results Conclusion Experiments ◮ 2 datasets ( � = location, � = type of network, � = users, � = quantity) ◮ Automatic results from k-means: 8 clusters exhibiting different properties ◮ Cluster 5: apple.com, amazon.fr, adobe.com(highly popular websites) 13 / 18

  14. Motivation Solution Experiments and Results Conclusion Results ◮ Cluster 6: google.com. skype.com, facebook.com (higly popular web sites) ◮ Cluster 7: tradedoubler.com, doubleclick.net, quantcast.com (user tracking) ◮ Cluster 3: akamai, cloudfront.net (CDN) 14 / 18

  15. Motivation Solution Experiments and Results Conclusion Results ◮ Cluster 0: small websites with low popularity 15 / 18

  16. Motivation Solution Experiments and Results Conclusion Outline 1 Motivation 2 Solution 3 Experiments and Results 4 Conclusion 16 / 18

  17. Motivation Solution Experiments and Results Conclusion Conclusion ◮ Passive DNS monitoring solution ◮ Analysis of domain names activity ◮ Relevant data mining algorithm (unsupervised clustering techniques) ◮ Efficiency proved on two different datasets ◮ Freely downloadable interface ◮ Applications: ◮ Investigate cyber security fraud ◮ Debug DNS deployment ◮ Penetration testing 17 / 18

  18. samuel.marchal@uni.lu 16/04/12 DNSSM: A Large Scale Passive DNS Security Monitoring Framework Samuel Marchal, J´ erˆ ome Fran¸ cois, Cynthia Wagner, Radu State, Alexandre Dulaunoy, Thomas Engel, Olivier Festor

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Conducting large-scale active and passive measurements of SSH deployments Oliver Gasser Master

Conducting large-scale active and passive measurements of SSH deployments Oliver Gasser Master

Conducting large-scale active and passive measurements of SSH deployments Oliver Gasser Master Thesis Advisor: Ralph Holz Chair for Network Architectures and Services Faculty of Computer Science Technische Universit at M unchen June

594 views • 17 slides
Supporting decision making in security forces command center at large-scale events via

Supporting decision making in security forces command center at large-scale events via

Supporting decision making in security forces command center at large-scale events via video-based situation monitoring and base data supply Armin Kfler 1 , Viktoria Pammer-Schindler 2 , Alexander Almer 1 , Thomas Schnabel 1 1 JOANNEUM

439 views • 42 slides
Large scale retrofit of the UK in 10 years? Aneaka Kellay, Carbon Co-op Credit: Passive House Plus

Large scale retrofit of the UK in 10 years? Aneaka Kellay, Carbon Co-op Credit: Passive House Plus

Large scale retrofit of the UK in 10 years? Aneaka Kellay, Carbon Co-op Credit: Passive House Plus Magazine, https://passivehouseplus.ie/news/health/disastrous-preston-retrofit-scheme-remains-unresolved EWI was meant to increase the value of

296 views • 8 slides
Large-scale performance monitoring framework for cloud monitoring Run-Time Latency Detection in

Large-scale performance monitoring framework for cloud monitoring Run-Time Latency Detection in

Large-scale performance monitoring framework for cloud monitoring Run-Time Latency Detection in Production Julien Desfossez Michel Dagenais Dcembre 2014 cole Polytechnique de Montreal Latency-tracker Kernel module to track down

524 views • 17 slides
Large-scale performance monitoring framework for cloud monitoring Live Trace Reading and

Large-scale performance monitoring framework for cloud monitoring Live Trace Reading and

Large-scale performance monitoring framework for cloud monitoring Live Trace Reading and Processing Julien Desfossez Michel Dagenais May 2014 cole Polytechnique de Montreal Live Trace Reading Read the trace while it is being recorded

357 views • 35 slides
Optimizing Sensor Deployment and Maintenance Costs for Large-Scale Environmental Monitoring

Optimizing Sensor Deployment and Maintenance Costs for Large-Scale Environmental Monitoring

Optimizing Sensor Deployment and Maintenance Costs for Large-Scale Environmental Monitoring Xiaofan Yu 1 , Kazim Ergun 1 , Ludmila Cherkasova 2 , Tajana imuni Rosing 1 1 University of California San Diego 2 Arm Research System Energy

325 views • 21 slides
Efficient and Large-Scale Infrastructure Monitoring with Tracing Julien.desfossez@ ef cios.com

Efficient and Large-Scale Infrastructure Monitoring with Tracing Julien.desfossez@ ef cios.com

CloudOpen Europe 2013 Efficient and Large-Scale Infrastructure Monitoring with Tracing Julien.desfossez@ ef cios.com 1 Content Overview of tracing and LTTng LTTng features for Cloud Providers LTTng as a monitoring tool

705 views • 25 slides
Toward S Scalable M Monitoring on L Large-Sc Scale e Storage for S Softw tware D Defi

Toward S Scalable M Monitoring on L Large-Sc Scale e Storage for S Softw tware D Defi

Toward S Scalable M Monitoring on L Large-Sc Scale e Storage for S Softw tware D Defi fined Cyb yberinfrastr tructu ture Arnab K. Paul , Ryan Chard , Kyle Chard , Steven Tuecke , Ali R. Butt , Ian Foster

582 views • 24 slides
SECURITY MONITORING OF HTTP TRAFFIC USING EXTENDED FLOWS Thursday 27 th August, 2015 Martin

SECURITY MONITORING OF HTTP TRAFFIC USING EXTENDED FLOWS Thursday 27 th August, 2015 Martin

SECURITY MONITORING OF HTTP TRAFFIC USING EXTENDED FLOWS Thursday 27 th August, 2015 Martin Husk Petr Velan Jan Vykopal Introduction HTTP is the new IP and we want keep an eye on it. Large-scale monitoring of HTTP traffic was problematic:

500 views • 17 slides
Monitoring and modeling the field-level crop productivity and water uses for large-scale

Monitoring and modeling the field-level crop productivity and water uses for large-scale

Monitoring and modeling the field-level crop productivity and water uses for large-scale applications Dr. Kaiyu Guan (kaiyug@Illinois.edu) Assistant professor, Dept. of Nature Resources and Environmental Sciences Blue Waters Professor, National

400 views • 11 slides
FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large

FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large

FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large Scale Solar Lead April 2017 CONTENTS 1. Introduction to CEFC 2. Investment trends 3. The future of large scale solar 4. Pathway to sustainable

664 views • 21 slides
Large-Scale Flow Monitoring Through Open Source Software Luca Deri <deri@ntop.org> 1 AIMS

Large-Scale Flow Monitoring Through Open Source Software Luca Deri <deri@ntop.org> 1 AIMS

Large-Scale Flow Monitoring Through Open Source Software Luca Deri <deri@ntop.org> 1 AIMS 2010 - 23.06.2010 Monitoring Goals Analysis of LAN and WAN Traffic Unaggregated raw data storage for the near past (-3 days) and long-term

612 views • 58 slides
A Large Scale Analysis of the Security of Embedded Firmwares A. Costin , J. Zaddach, A.

A Large Scale Analysis of the Security of Embedded Firmwares A. Costin , J. Zaddach, A.

A Large Scale Analysis of the Security of Embedded Firmwares A. Costin , J. Zaddach, A. Francillon, D. Balzarotti EURECOM, France 20th August 2014 USENIX Security '14 San Diego, USA Embedded Systems Are Everywhere Andrei Costin 2 By

1.03k views • 72 slides
Monitoring, modelling and managing land use change on a large scale Hermann Lotze-Campen Potsdam

Monitoring, modelling and managing land use change on a large scale Hermann Lotze-Campen Potsdam

Monitoring, modelling and managing land use change on a large scale Hermann Lotze-Campen Potsdam Institute for Climate Impact Research (PIK) ALTER-Net Summer School, Peyresq, 07 Sep 2008 What makes God laugh? Tell him about your future

353 views • 21 slides
Large-scale performance monitoring framework Julien Desfossez Michel Dagenais May 2013 cole

Large-scale performance monitoring framework Julien Desfossez Michel Dagenais May 2013 cole

Large-scale performance monitoring framework Julien Desfossez Michel Dagenais May 2013 cole Polytechnique de Montreal Summary Introduction Research question Objectives Litterature review Detailled objectives Future

570 views • 28 slides
LOBSTER Large-Scale Monitoring of Broadband Internet Infrastructure Arne sleb

LOBSTER Large-Scale Monitoring of Broadband Internet Infrastructure Arne sleb

LOBSTER Large-Scale Monitoring of Broadband Internet Infrastructure Arne sleb arneos@uninett.no UNINETT Evangelos Markatos & Panos Trimintzios markatos@ics.forth.gr ptrim@ics.forth.gr FORTH Broadband Europe 8-10 December, Brugge

97 views • 8 slides
The YES, NO, and MAYBE of Can we build that with Drupal? Joshua Lieb,

The YES, NO, and MAYBE of Can we build that with Drupal? Joshua Lieb,

The YES, NO, and MAYBE of Can we build that with Drupal? Joshua Lieb, Phase2 July 23, 2015 Drupal GovCon 2015 Can I build it with Drupal? Drupal has come a long way in the last fifteen years - I dont know what the

440 views • 29 slides
November/December 2013 Presented to: Joint Health & Safety Committee (JHSC) Presented by:

November/December 2013 Presented to: Joint Health & Safety Committee (JHSC) Presented by:

JHSC Workplace Inspections November/December 2013 Presented to: Joint Health & Safety Committee (JHSC) Presented by: Christine Weidner Health & Safety Officer, Faculty of Arts & Science /EHS Objective identify existing and

735 views • 28 slides
LONG RANGE PLANNING COMMITTEE MEETING Wednesday, May 9, 2018 6:00 PM 8:00 PM Eaton School

LONG RANGE PLANNING COMMITTEE MEETING Wednesday, May 9, 2018 6:00 PM 8:00 PM Eaton School

LONG RANGE PLANNING COMMITTEE MEETING Wednesday, May 9, 2018 6:00 PM 8:00 PM Eaton School District Administration Building AGENDA 1 Outgoing Superintendent 4 RB+B Architects Introductory Remarks Bond Program Design 2 RLH Engineering

690 views • 39 slides
EU Dinner Debate with MEPs and the Commission Brussels, 17 NOVEMBER 2015 Introduction Who

EU Dinner Debate with MEPs and the Commission Brussels, 17 NOVEMBER 2015 Introduction Who

EU Dinner Debate with MEPs and the Commission Brussels, 17 NOVEMBER 2015 Introduction Who and what is Glass Alliance Europe? EU level alliance of sectoral and national bodies 14 national trade associations Flat, container, fibre,

299 views • 18 slides
Historic Landscape Project 1 Why use social media? Infinite readership massive marketing

Historic Landscape Project 1 Why use social media? Infinite readership massive marketing

Historic Landscape Project 1 Why use social media? Infinite readership massive marketing potential (Even if your own Facebook page only has 40 Likes (followers), you can post something on it and ask for people to Like and Share, and if

862 views • 47 slides
BUILDING FOR THE FUTURE Our Vision is to be an International Class Retail Business providing

BUILDING FOR THE FUTURE Our Vision is to be an International Class Retail Business providing

1 Presentation after 16 16 months of ownership in Myers 50 50 month Turnaround programme BUILDING FOR THE FUTURE Our Vision is to be an International Class Retail Business providing Inspiration to Everyone Myer Full Year Results to 28

812 views • 30 slides
NVA A NVA Annual Meeting l M 2013 2013 M Mission and Vision d V Mission: NVA will embrace,

NVA A NVA Annual Meeting l M 2013 2013 M Mission and Vision d V Mission: NVA will embrace,

NVA A NVA Annual Meeting l M 2013 2013 M Mission and Vision d V Mission: NVA will embrace, protect, M NVA , p , develop, and enhance Alutiiq culture, protect our traditional use areas and encourage unity among the Alutiiq of

451 views • 10 slides
Healthy Living ffjoH H Ydka; fygsgswdr drpsp psps fi!L !LH wOHdmk ldhdxYh Dr.Shantha

Healthy Living ffjoH H Ydka; fygsgswdr drpsp psps fi!L !LH wOHdmk ldhdxYh Dr.Shantha

iqjm jm;a ;a os osjs jshl hlg Healthy Living ffjoH H Ydka; fygsgswdr drpsp psps fi!L !LH wOHdmk ldhdxYh Dr.Shantha Hettiarachchi Health Education Bureau fi fi!LHh .. Health means.. ld ldhsl , udki kisl , iu iudcSh h hyme

570 views • 14 slides

More recommend