floncon 2013 january 7 10 albuquerque new mexico
play

FlonCon 2013 | January 7 10 | Albuquerque, New Mexico Introductions - PowerPoint PPT Presentation

Oct 22, 2023 •237 likes •502 views

John Munro / jmunro@endgame.com Jason Trost / jtrost@endgame.com FlonCon 2013 | January 7 10 | Albuquerque, New Mexico Introductions John Munro (jmunro@endgame.com) Network Security Researcher and Data Scientist Jason Trost

  1. John Munro / jmunro@endgame.com Jason Trost / jtrost@endgame.com FlonCon 2013 | January 7 – 10 | Albuquerque, New Mexico

  2. Introductions • John Munro (jmunro@endgame.com) – Network Security Researcher and Data Scientist • Jason Trost (jtrost@endgame.com) – Senior Software Engineer – Specializes in Hadoop/Storm/BigData

  3. Agenda • The Problem • Our Approach • DGA Domain Classifier • String Statistics as Features • Malicious Domain Classifier • Demo • Real-time Streaming Platform

  4. The Problem txmxbo.info youtube.com yahoo.com Ct0u2xj5dbe4.wvw — game465.com p4.httzd5e2ufizo.3bawhfuec45dca65.401724.s1.v4.ipv6-exp.l.google.com abulqe.com za6.limfoklubs.com ns3.ohio.gov bibz01.apple.com docs.joomla.org Wmk41035u3751s0bgv4n91b0b7h74v.ipcheker.com

  5. The Problem txmxbo.info youtube.com yahoo.com Ct0u2xj5dbe4.wvw — game465.com p4.httzd5e2ufizo.3bawhfuec45dca65.401724.s1.v4.ipv6-exp.l.google.com abulqe.com za6.limfoklubs.com ns3.ohio.gov bibz01.apple.com docs.joomla.org Wmk41035u3751s0bgv4n91b0b7h74v.ipcheker.com

  6. The Problem • Massive Volumes – Some of our partners deal with TBs per day of DNS PCAPs • Incredible Rates – One partner sees 13k requests/sec – Another closer to 100k/sec

  7. Our Approach: Machine Learning! • Real-time streaming classification – In parallel across multiple servers • Markov Models – Random Domain Generation Traffic – Normal Benign Traffic • Random Forests – Benign vs Malicious • Periodically retrained – In order to maintain accuracy

  8. Data Sources • Benign Domains – Millions of popular, real domains • Correlated with the Alexa top 10k domains • Malicious Domains – 800k domains gathered from an internal malware sandbox – Public blacklist domains from Conficker and Murofet Botnets

  9. Markov Models

  10. Markovian DGA Classifier • Domain Generation Algorithm (DGA) • Popular Domain Model – Trained: 258,039 domains from Day 1 of our Benign set – Tested: 331,359 domains from Day 2 of our Benign set – Accuracy: 99.40 % with 1,458 Unknown • Randomly Generated Domain Model – Trained: 90,884 domains from Conficker Botnet – Tested: 295,306 domains from Murofet Botnet – Accuracy: 99.34 % with 1,923 Unknown

  11. String Statistics as Features

  12. Feature Usefulness

  13. Random Forests Algorithm FPO VIDEO TO COME

  14. Random Forests • Pros: – Very high accuracy – Scalable across many nodes – Built-in protection from over fitting – Can handle very large data sets with many features – Robust with respect to goodness of features – Practical for real world use – Does not assume a distribution – Only two parameters to tune – Memory efficient • Cons: – Not the quickest classifier, but plenty fast in practice

  15. Malicious Domain Classifier • Performance measured by 10 – fold Cross Validation • Training Set Cross Validation – 200k Benign 0.06 0.05 – 200k Malicious Out of Bag Error 0.04 0.03 0.02 0.01 0 10 20 30 40 50 60 70 80 90 100 Number of Trees K = 3 K = 5 K = 10

  16. Results Bad Precision Good Precision 0.984 0.9795 0.979 0.983 0.9785 0.982 0.978 0.981 Precision Precision 0.9775 0.98 0.977 0.979 0.9765 0.978 0.976 0.977 0.9755 0.976 0.975 0.975 0.9745 10 20 30 40 50 60 70 80 90 100 10 20 30 40 50 60 70 80 90 100 Number of Trees Number of Trees Bad Accuracy Good Accuracy 0.9805 0.9805 0.98 0.98 0.9795 0.9795 0.979 0.979 Accuracy Accuracy 0.9785 0.9785 0.978 0.978 0.9775 0.9775 0.977 0.977 0.9765 0.9765 0.976 0.976 10 20 30 40 50 60 70 80 90 100 10 20 30 40 50 60 70 80 90 100 Number of Trees Number of Trees K = 3 K = 5 K = 10

  17. Results Model Size 400 350 Model Size (MB) 300 250 K=3 200 150 K=5 100 K=10 50 0 10 20 30 40 50 60 70 80 90 100 Number of Trees Classification Throughput 60,000 50,000 Classifications/sec 40,000 K=3 K=5 30,000 K=10 20,000 10,000 0 10 20 30 40 50 60 70 80 90 100 Number of Trees

  18. Results

  19. Demo

  20. Realtime Streaming Platform • Velocity is a platform for processing, analyzing, and visualizing large-scale event data in real- time • It was designed to be horizontally scalable and is built using Twitter’s Storm • It was built primarily for internal use with DNS events, IDS alerts, and netflow data, but it is in the process of being commercialized

  21. Velocity Pipeline

  22. Conclusion • Malicious domain classification • DGA domain identification using Markov Models • Summary Statistics based on domain string work well • Random Forests are very successful at classifying domains as Benign or Malicious • Real-time, distributed implementation

  23. Future Work • Include more features: TTL, frequency seen, etc. • Correlation of bad domains based on ASN, Country, Organization, etc. • Identify subnets that are infected based on high traffic to bad domains • Identify Content Delivery Networks • Self Organizing Maps and other visualizations

  24. Questions

  25. Contact Information • John Munro • Email: jmunro@endgame.com • Jason Trost • Email: jtrost@endgame.com • Twitter: @jason_trost • Blog: www.covert.io

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CAMPUS MARKET PLACE DEVELOPMENT UNIVERSITY OF NEW MEXICO ALBUQUERQUE, NEW MEXICO * TRADE

CAMPUS MARKET PLACE DEVELOPMENT UNIVERSITY OF NEW MEXICO ALBUQUERQUE, NEW MEXICO * TRADE

CAMPUS MARKET PLACE DEVELOPMENT UNIVERSITY OF NEW MEXICO ALBUQUERQUE, NEW MEXICO * TRADE SECRETS/CONFIDENTIAL/PROPRIETARY Albuquerque, New Mexico University of New Mexico Site Development Nov. 12, 2013 1.0 TABLE OF CONTENTS I. PROJECT

1.44k views • 104 slides
Albuquerque, New Mexico Prepared By: Katharine Winograd, President , Central New Mexico Community

Albuquerque, New Mexico Prepared By: Katharine Winograd, President , Central New Mexico Community

Prepared For: The Albuquerque Quality Network January 22, 2015 Albuquerque, New Mexico Prepared By: Katharine Winograd, President , Central New Mexico Community College Peter Winograd, Professor Emeritus , UNM Center for Education Policy

480 views • 30 slides
and Strategies Childrens Law Institute, Albuquerque, New Mexico January 13, 2017 Presenters

and Strategies Childrens Law Institute, Albuquerque, New Mexico January 13, 2017 Presenters

Case Plan Drug Testing: Myths, Best Practices, and Strategies Childrens Law Institute, Albuquerque, New Mexico January 13, 2017 Presenters Jennifer Olson , Attorney, Respondents Contract Counsel, Solo Practitioner, Farmington Robert

755 views • 27 slides
New Mexico Evaluators Social Justice & Evaluation Conference September 12, 2017 Albuquerque,

New Mexico Evaluators Social Justice & Evaluation Conference September 12, 2017 Albuquerque,

New Mexico Evaluators Social Justice & Evaluation Conference September 12, 2017 Albuquerque, NM The Journey of One Aspiring Culturally Responsive Evaluator and Lessons Learned Along the Way: A Welcomed Return to New Mexico Stafford Hood,

579 views • 23 slides
Albuquerque 3/22/2014 It is time to come home to Albuquerque Jewel & Sid Cutter 3/22/2014

Albuquerque 3/22/2014 It is time to come home to Albuquerque Jewel & Sid Cutter 3/22/2014

Albuquerque 3/22/2014 It is time to come home to Albuquerque Jewel & Sid Cutter 3/22/2014 It is time to come home to Albuquerque New Mexico State Fairgrounds Albuquerque 1974 3/22/2014 It is time to come home to Albuquerque Balloon

787 views • 49 slides
New Mexico Science Teachers Association PO Box 30304 Albuquerque, NM 87190 22 September

New Mexico Science Teachers Association PO Box 30304 Albuquerque, NM 87190 22 September

New Mexico Science Teachers Association PO Box 30304 Albuquerque, NM 87190 22 September 2018 Mimi Stewart, Chair Anna Suggs, Legislative Education Study Committee President State Capitol North 325 Don Gaspar, Suite 200 Jessica

349 views • 21 slides
Norman Gaume, P.E. (ret.) 44 Canoncito Dr NE Albuquerque, New Mexico 87122 505 690-7768

Norman Gaume, P.E. (ret.) 44 Canoncito Dr NE Albuquerque, New Mexico 87122 505 690-7768

Norman Gaume, P.E. (ret.) 44 Canoncito Dr NE Albuquerque, New Mexico 87122 505 690-7768 gaume@newmexico.com TESTIMONY August 31, 2015 Water and Natural Resources Committee New

507 views • 4 slides
New Mexico Primary Care Training Consortium Primary Care in the Land of Enchantment Albuquerque

New Mexico Primary Care Training Consortium Primary Care in the Land of Enchantment Albuquerque

New Mexico Primary Care Training Consortium Primary Care in the Land of Enchantment Albuquerque Santa Fe Primary Care Training In New Mexico Silver City Las Cruces Mor ore t to C o Com ome NMPCTC CONFERENCE SPONSORS Burre rrell

427 views • 8 slides
3 Climate and Environmental Physics, Physics Institute, University of Bern, Switzerland Mesilla

3 Climate and Environmental Physics, Physics Institute, University of Bern, Switzerland Mesilla

Andrew Robertson 1 , Kenneth Carroll 2 , Chris Kubicki 2 , Roland Purtschert 3 1 USGS New Mexico Water Science Center, Albuquerque, New Mexico, USA 2 New Mexico State University, Las Cruces, New Mexico, USA 3 Climate and Environmental Physics,

822 views • 12 slides
Toward Conveniently Handling Bi-Level Optimization Problems David M. Gay AMPL Optimization, Inc.

Toward Conveniently Handling Bi-Level Optimization Problems David M. Gay AMPL Optimization, Inc.

U.S. & Mexico Workshop on Optimization and its Applications Huatulco, Mexico, 812 January 2018 Toward Conveniently Handling Bi-Level Optimization Problems David M. Gay AMPL Optimization, Inc. Albuquerque, New Mexico, U.S.A.

460 views • 27 slides
Quantum Transport in InAs/GaSb Wei Pan Sandia National Laboratories Albuquerque, New Mexico, USA

Quantum Transport in InAs/GaSb Wei Pan Sandia National Laboratories Albuquerque, New Mexico, USA

Quantum Transport in InAs/GaSb Wei Pan Sandia National Laboratories Albuquerque, New Mexico, USA Sandia National Laboratories is a multi-program laboratory managed and operated by Sandia Corporation, a wholly owned subsidiary of Lockheed Martin

833 views • 36 slides
WIPP Update New Mexico Society of Professional Engineers June 11, 2017 Albuquerque, NM

WIPP Update New Mexico Society of Professional Engineers June 11, 2017 Albuquerque, NM

WIPP Update New Mexico Society of Professional Engineers June 11, 2017 Albuquerque, NM www.energy.gov/EM 1 WIPP Configuration 2 www.energy.gov/EM 2 WI WIPP PP Bac ackground ound Facility mined in salt: 2,150 feet deep in ancient

548 views • 21 slides
Bingdong Li , Jeff Springer , Mehmet Gunes , George Bebis University of Nevada Reno FloCon 2013

Bingdong Li , Jeff Springer , Mehmet Gunes , George Bebis University of Nevada Reno FloCon 2013

A Distributed Network Security Analysis System Based on Apache Hadoop-Related T echnologies Bingdong Li , Jeff Springer , Mehmet Gunes , George Bebis University of Nevada Reno FloCon 2013 January 7-10, Albuquerque, New Mexico Agenda

493 views • 31 slides
January 2013 Cancun, Mexico 0 Disclaimer (1) Statements made in this presentation that relate to

January 2013 Cancun, Mexico 0 Disclaimer (1) Statements made in this presentation that relate to

Ricardo Reyes - CFO Felipe Arancibia - Deputy CFO 17 th Annual Latam Conference January 2013 Cancun, Mexico 0 Disclaimer (1) Statements made in this presentation that relate to CCU s future performance or financial results are

435 views • 22 slides
The New Mexico Jobs Council The New Mexico Jobs Council (NMJC) formed in 2013 when New Mexico

The New Mexico Jobs Council The New Mexico Jobs Council (NMJC) formed in 2013 when New Mexico

The New Mexico Jobs Council The New Mexico Jobs Council (NMJC) formed in 2013 when New Mexico legislative leadership approached The CELab to develop a framework and a process to help them determine what it would take to return the state to full

1.13k views • 44 slides
Restoration of Pronghorn Antelope on the Pueblo of Santa Ana, New Mexico a collaborative effort

Restoration of Pronghorn Antelope on the Pueblo of Santa Ana, New Mexico a collaborative effort

Restoration of Pronghorn Antelope on the Pueblo of Santa Ana, New Mexico a collaborative effort between New Mexico State Game Commission Albuquerque, NM September 29, 2015 Project History: Sept 2007- received grant through USFWS TWGP and

214 views • 6 slides
Parent Survey Results FALL 2018 SCHOOL ENVIRONMENT SURVEY Board of Education Meeting - February

Parent Survey Results FALL 2018 SCHOOL ENVIRONMENT SURVEY Board of Education Meeting - February

Parent Survey Results FALL 2018 SCHOOL ENVIRONMENT SURVEY Board of Education Meeting - February 11, 2019 Parent Survey Results Parent Survey Results Details Administered in November - December 2018 Offered in English and Spanish

613 views • 23 slides
Evaluation: Hot tips from The Ian Potter Foundation Dr Squirrel Main, Research and Evaluation

Evaluation: Hot tips from The Ian Potter Foundation Dr Squirrel Main, Research and Evaluation

Evaluation: Hot tips from The Ian Potter Foundation Dr Squirrel Main, Research and Evaluation Manager Before we begin Please note that IPF staff may be taking photos/videos during this workshop for social media purposes. If you do not

515 views • 23 slides
Squirrel Hunting for Beginners by John Martsh R-3 Program Manager Why Squirrel Hunt?

Squirrel Hunting for Beginners by John Martsh R-3 Program Manager Why Squirrel Hunt?

Squirrel Hunting for Beginners by John Martsh R-3 Program Manager Why Squirrel Hunt? Squirrels are hunted in the fall, when the weather isnt too cold or hot Not a lot of expensive gear/equipment required Hunting doesnt require

578 views • 26 slides
PLANNING & COMMUNITY DEVELOPMENT Welcome 8/22/2016 Outline 2025 Comprehensive Plan -

PLANNING & COMMUNITY DEVELOPMENT Welcome 8/22/2016 Outline 2025 Comprehensive Plan -

PLANNING & COMMUNITY DEVELOPMENT Welcome 8/22/2016 Outline 2025 Comprehensive Plan - Background Draft Plan Next Steps Schedule Questions/Comments 8/22/2016 Public Participation Community Advocates: Kick Off

422 views • 13 slides
http://ahmedelsabban.weebly.com/ -Website: WORK EXPERENCE 2006-2012 - I have been work at

http://ahmedelsabban.weebly.com/ -Website: WORK EXPERENCE 2006-2012 - I have been work at

2min PERSONAL DETAILS - Full Name: Ahmed Elsabban - Address: 126 SANTRY CLOSE SANTRY DUBLIN9 - Day of Birth: 8/12/1982 -Phone : 0 87 708 2963 -E-mail : ahmed.elsabban0@gmail.com http://ahmedelsabban.weebly.com/ -Website: WORK EXPERENCE

269 views • 6 slides
Maintaining red squirrel range: Hair, blood and nuts Nick Mason & Scott Tullock 1945 2010

Maintaining red squirrel range: Hair, blood and nuts Nick Mason & Scott Tullock 1945 2010

Maintaining red squirrel range: Hair, blood and nuts Nick Mason & Scott Tullock 1945 2010 The conservation equation = + Disease or out competition Mission 2012-15 Secure and increase red squirrel range in Northern England. Direct

642 views • 17 slides
Application Layer Multicast Instructor: Hamid R. Rabiee Spring 2012 Outline Introduction

Application Layer Multicast Instructor: Hamid R. Rabiee Spring 2012 Outline Introduction

Application Layer Multicast Instructor: Hamid R. Rabiee Spring 2012 Outline Introduction IP Multicast vs. Application-Layer Multicast Limitations of IP Multicast Deployment level in ALM Multicast Tree Formation Tree-first

521 views • 39 slides
B Y 1 About At Ohh Deer we work with a vast catalogue of talented artists but we wanted the

B Y 1 About At Ohh Deer we work with a vast catalogue of talented artists but we wanted the

B Y 1 About At Ohh Deer we work with a vast catalogue of talented artists but we wanted the opportunity to collaborate with a whole host of others whose work we love too, so we created Off Centre! Through Off Centre, we can offer greetings and

567 views • 33 slides

More recommend