host profiling based on remote measurements
play

Host profiling based on remote measurements Robert Kulzer Advisor: - PowerPoint PPT Presentation

Dec 10, 2023 •1.29k likes •1.55k views

Host profiling based on remote measurements Robert Kulzer Advisor: Ralph Holz Master Thesis Chair for Network Architectures and Services Technische Universit at M unchen January 9, 2013 Robert Kulzer (TU M unchen) Host profiling

  1. Host profiling based on remote measurements Robert Kulzer Advisor: Ralph Holz Master Thesis Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen January 9, 2013 Robert Kulzer (TU M¨ unchen) Host profiling based on remote measurements 1

  2. Motivation Flaws in modern day Web security environment Gutmann example: Browser PKI Dubious domain having a valid SSL certificate Robert Kulzer (TU M¨ unchen) Host profiling based on remote measurements 2

  3. Motivation Diversification of defense mechanisms Use a set of characteristics to classify a host Can a “Risk-Assessment” based approach help → to deduce a domain’s trustworthiness? Robert Kulzer (TU M¨ unchen) Host profiling based on remote measurements 3

  4. Motivation Safe Domain name system Network configuration Domain registration information Geographic location AS information Unsafe e t n t - a k e c s m i i d R f s i i t l r a s e e v C s s s i A Robert Kulzer (TU M¨ unchen) Host profiling based on remote measurements 4

  5. Goals Goals Scanner framework Data collection Unveil distinctive characteristics for known sets of domains � Temporal � Current snapshot Scanners Autonomous Systems Geographic location Whois registration information Network configuration Domain name system Robert Kulzer (TU M¨ unchen) Host profiling based on remote measurements 5

  6. Approach Use distinctive sets of domains idealo.de crape.fi utp7.com urinoor.com tumblr.com dhl.de scentsy.com 96897.com wenmo.in mail.ru zeit.de critictoo.com finitysoft.com allspade.ru apple.com kicker.de firepits.com isellcc.net asfirey.net pinterest.com wetteronline.de vbulletin-tr.com m77s.cn directsupershop.com craigslist.org transfermarkt.de pigeon.cn bjahqeb.info drugfreecard.info bbc.co.uk n-tv.de detikmaya.com t5track.com esntionlatino.com ask.com ... ... ... ... ... AlDL DeAlDL RandAlDL RandMDL RecMDL Name Origin Description Amount of domains AlDL Worldwide 1,000 DeAlDL Alexa Top sites German 1,000 RandAlDL Random pick 1,000 RandMDL Random pick 1,000 DNS blackhole project RecMDL Current month 9,000 Robert Kulzer (TU M¨ unchen) Host profiling based on remote measurements 6

  7. Approach Define time intervals for scan runs � Time between scans does not exceed 10 days � Use all scanners in each scan run � Two scan series Scan 1 Scan 2 Scan 3 Scan 4 Scan 5 Evaluation series Robert Kulzer (TU M¨ unchen) Host profiling based on remote measurements 7

  8. Approach ASN id host_id nserver X n scanner Create tables a c S ASN log and functions id host_id ttl addr INFO: baz.org INFO: 117.es INFO: sdf9.com INFO: fsdfg.mx GeoIP 2 scanner Creating GeoIP log database schema INFO: foobar.ru INFO: 0317.dk INFO: 0s9.co.kr INFO: se57.pt S t Read a 4 Global r t configuration NMAP Domain s configuration Scanner c a scanner handler Individual domain parameters n n 1 e NMAP log and ip address feed r s INFO: 0007.ru INFO: 0317.com INFO: 0439.com INFO: 0457.com 3 Whois scanner WHOIS log INFO: bgsa.de INFO: 0651.net INFO: 0129.sk INFO: 0413.hk DNS scanner DNS log INFO: fttw4.to INFO: 7621.hu INFO: df439.ch INFO: esd3.nl Launch process Robert Kulzer (TU M¨ unchen) Host profiling based on remote measurements 8

  9. Evaluation - Autonomous Systems Which set of domains shows frequent alterations in the ASN configuration? Percentage of domains where an ASN change occured 12 10 8 6 4 2 0 A D R R R l D e a a e A n n c L l d d M D A M D L l D D L L L Domain list name scan 1->2 scan 2->3 scan 3->4 scan 4->5 Safe Unsafe Robert Kulzer (TU M¨ unchen) Host profiling based on remote measurements 9

  10. Evaluation - Geographic location Which domain lists can be affiliated with a set of countries? Safe Unsafe Robert Kulzer (TU M¨ unchen) Host profiling based on remote measurements 10

  11. Evaluation - Geographic location In which domain lists do relocations occur more often? 9 8 Percentage of hosts where country changes occured 7 6 5 4 3 2 1 0 A D R R R l D e a a e A n n c L d d M D l A M D L l D D L L L Domain list name scan 1->2 scan 2->3 scan 3->4 scan 4->5 Safe Unsafe Robert Kulzer (TU M¨ unchen) Host profiling based on remote measurements 11

  12. Evaluation - Whois registration information Which set of domains is registered for a shorter time? Domain list Average Q 0 . 5 AlDL 181.75 182.63 RandAlDL 84.50 73.03 RandMDL 41.25 24.37 RecMDL 44.00 24.37 (in months) Safe Unsafe Robert Kulzer (TU M¨ unchen) Host profiling based on remote measurements 12

  13. Evaluation - Network configuration Which set of domains has on average more open ports? 3 2.5 2 Open ports on a domain 1.5 1 0.5 0 A D R R R l e a a e D A n n c L l d d M D A M D L l D D L L L Quantiles Q-0.3 Q-0.5 Safe Unsafe Robert Kulzer (TU M¨ unchen) Host profiling based on remote measurements 13

  14. Evaluation - Domain name system Which group of domains changes their TTL configuration frequently? 2 1.9 1.8 Ratio (TTL changes / domain) 1.7 1.6 1.5 1.4 1.3 1.2 1.1 1 A CNAME MX NS SOA TXT Resource records AlDL DeAlDL RandAlDL RandMDL RecMDL Safe Unsafe Robert Kulzer (TU M¨ unchen) Host profiling based on remote measurements 14

  15. Evaluation - Domain name system Is the use of Google’s SPF an indication for a group of domains? Append anti-spoofing entry to TXT resource records Spam prevention with SPF (Sender Policy Framework) v=spf1 +all v=spf1 mx ip4:77.232.64.0/19 +all Google Apps to create SPF entries google-site-verification=mWlqvcJ4Jx0oKel6... Robert Kulzer (TU M¨ unchen) Host profiling based on remote measurements 15

  16. Evaluation - Domain name system Is the use of Google’s SPF an indication for a group of domains? 18 16 Percentage of domains using Google for SPF 14 12 10 8 6 4 scan1 scan2 scan3 scan4 scan5 AlDL DeAlDL RandAlDL RandMDL RecMDL Safe Unsafe Robert Kulzer (TU M¨ unchen) Host profiling based on remote measurements 16

  17. Dead ends (?) Multiple AS Not distinctive ASN Popular AS Not distinctive GeoIP Undetermined locations Insignificant Changes to update field Not distinctive Whois Changes to name servers Fluctuating behaviour OS similarities Imprecise data Nmap Frequent state changes Insignificant Low TTLs Not distinctive DNS Subset of RRs Not distinctive Robert Kulzer (TU M¨ unchen) Host profiling based on remote measurements 17

  18. Dead ends (?) Multiple AS Not distinctive ASN Popular AS Not distinctive GeoIP Undetermined locations Insignificant Changes to update field Not distinctive Whois Changes to name servers Fluctuating behaviour OS similarities Imprecise data Nmap Frequent state changes Insignificant Low TTLs Not distinctive DNS Subset of RRs Not distinctive Robert Kulzer (TU M¨ unchen) Host profiling based on remote measurements 18

  19. Dead ends (?) Multiple AS Not distinctive ASN Popular AS Not distinctive GeoIP Undetermined locations Insignificant Changes to update field Not distinctive Whois Changes to name servers Fluctuating behaviour OS similarities Imprecise data Nmap Frequent state changes Insignificant Low TTLs Not distinctive DNS Subset of RRs Not distinctive Robert Kulzer (TU M¨ unchen) Host profiling based on remote measurements 19

  20. Dead ends (?) Multiple AS Not distinctive ASN Popular AS Not distinctive GeoIP Undetermined locations Insignificant Changes to update field Not distinctive Whois Changes to name servers Fluctuating behaviour OS similarities Imprecise data Nmap Frequent state changes Insignificant Low TTLs Not distinctive DNS Subset of RRs Not distinctive Robert Kulzer (TU M¨ unchen) Host profiling based on remote measurements 20

  21. Dead ends (?) Multiple AS Not distinctive ASN Popular AS Not distinctive GeoIP Undetermined locations Insignificant Changes to update field Not distinctive Whois Changes to name servers Fluctuating behaviour OS similarities Imprecise data Nmap Frequent state changes Insignificant Low TTLs Not distinctive DNS Subset of RRs Not distinctive Robert Kulzer (TU M¨ unchen) Host profiling based on remote measurements 21

  22. Results from related work ASN Very little clusters of AS for malicious domains exist (Kalafut et al.) Majority of AS are each linked to less than one percent of the domains DNS Passive DNS analysis reveals low TTL values for malicious domains (Bilge et al.) Other characteristics are consistent with this work Robert Kulzer (TU M¨ unchen) Host profiling based on remote measurements 22

  23. Conclusion Results ASN alterations Domain registration time DNS record configuration Summary Good indicators are few No single characteristic is sufficient Future work Evaluation over a longer period of time Correlate the characteristics Robert Kulzer (TU M¨ unchen) Host profiling based on remote measurements 23

  24. Thank you for your attention. Are there any questions? Robert Kulzer (TU M¨ unchen) Host profiling based on remote measurements 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Hybrid Polynomial Prediction Hybrid Polynomial Prediction The remote host can dynamically

Hybrid Polynomial Prediction Hybrid Polynomial Prediction The remote host can dynamically

Special Course on Networked Virtual February 12, 2004 Environments Hybrid Polynomial Prediction Hybrid Polynomial Prediction The remote host can dynamically choose the order of The remote host can dynamically choose the order of

111 views • 9 slides
Network Host Classification Using Statistical Analysis of Flow Data Alex Kent, Mike Fisk, Eugene

Network Host Classification Using Statistical Analysis of Flow Data Alex Kent, Mike Fisk, Eugene

Network Host Classification Using Statistical Analysis of Flow Data Alex Kent, Mike Fisk, Eugene Gavrilov Los Alamos National Laboratory Overview and Objectives Host/IP address profiling based on flow data over some time interval 10

460 views • 18 slides
Measurements of BB Angular Correlations Measurements of BB Angular Correlations Measurements of

Measurements of BB Angular Correlations Measurements of BB Angular Correlations Measurements of

XIV International Conference on Hadron Spectroscopy Measurements of BB Angular Correlations Measurements of BB Angular Correlations Measurements of BB Angular Correlations based on based on based on Secondary Vertex Reconstruction Secondary

521 views • 23 slides
Expectations on Remote Data Supporting the Prometheus Remote Storage API Alfred Landrum Engineer

Expectations on Remote Data Supporting the Prometheus Remote Storage API Alfred Landrum Engineer

Expectations on Remote Data Supporting the Prometheus Remote Storage API Alfred Landrum Engineer @ Sysdig Twitter: @alfred-landrum Github: alfred-landrum Sysdig Backend Sysdig Dashboards/Alerts/Topology Host/Node based Agents Sysdig Data

544 views • 51 slides
SATELLITE REMOTE SENSING APPROACHES AND FIELD MEASUREMENTS TO TRACKING COASTLINE CHANGES OF THE

SATELLITE REMOTE SENSING APPROACHES AND FIELD MEASUREMENTS TO TRACKING COASTLINE CHANGES OF THE

RESEARCH INSTITUTE OF APPLIED INFORMATICS AND MATHEMATICAL GEOPHYSICS OF IMMANUEL KANT BALTIC FEDERAL UNIVERSITY SATELLITE REMOTE SENSING APPROACHES AND FIELD MEASUREMENTS TO TRACKING COASTLINE CHANGES OF THE SAMBIAN PENINSULA AT THE BALTIC SEA

213 views • 9 slides
Applications: Telnet, rlogin, ftp, Sun RPC, nfs, finger, whois, X & % telnet1.tex

Applications: Telnet, rlogin, ftp, Sun RPC, nfs, finger, whois, X & % telnet1.tex

' $ AIS 1 Applications: Telnet, rlogin, ftp, Sun RPC, nfs, finger, whois, X & % telnet1.tex February 3, 1998 ' $ AIS 2 Remote login remote login to host from host to host telnet, rlogin rlogin: mostly Unix systems

769 views • 30 slides
HostView: Annotating end-host performance measurements with user feedback Diana Joumblatt, Oana

HostView: Annotating end-host performance measurements with user feedback Diana Joumblatt, Oana

HostView: Annotating end-host performance measurements with user feedback Diana Joumblatt, Oana Goga, Renata Teixeira Laboratoire LIP6 -- CNRS and UPMC Sorbonne Universits Jaideep Chandrashekar, Nina Taft Intel Labs, Berkeley Why did we

343 views • 12 slides
Remote Measurements of Greenhouse Gases Under Cloud With The AERI FTS Instrument W.F.J. Evans ,

Remote Measurements of Greenhouse Gases Under Cloud With The AERI FTS Instrument W.F.J. Evans ,

Remote Measurements of Greenhouse Gases Under Cloud With The AERI FTS Instrument W.F.J. Evans , NorthWest Research Associates, Redmond, Henry L. Buijs and Claude B. Roy ABB Bomem, Quebec City The Measurement Concept . gases The new AERI

329 views • 20 slides
The Carbon Cycle: Budgets, Trends, and Lessons from Southern Hemisphere Measurements A. Modelling

The Carbon Cycle: Budgets, Trends, and Lessons from Southern Hemisphere Measurements A. Modelling

The Carbon Cycle: Budgets, Trends, and Lessons from Southern Hemisphere Measurements A. Modelling and Interpretation B. Baring Head surface CO 2 data C. Lauder ground based remote sensing CO 2 measurements D. Lauder surface CO 2 data E. Rainbow

334 views • 30 slides
HOST PUF-Based Authentication ECE 525 PUF-Based Authentication PUF-based protocols have been

HOST PUF-Based Authentication ECE 525 PUF-Based Authentication PUF-based protocols have been

HOST PUF-Based Authentication ECE 525 PUF-Based Authentication PUF-based protocols have been proposed for applications including: Encryption and authentication For detecting malicious alterations of design components For

645 views • 15 slides
Remote Attestation of IoT Devices via SMARM: Shuffled Measurements Against Roving Malware Xavier

Remote Attestation of IoT Devices via SMARM: Shuffled Measurements Against Roving Malware Xavier

Remote Attestation of IoT Devices via SMARM: Shuffled Measurements Against Roving Malware Xavier Carpent, Norrathep (Oak) Rattanavipanon , Gene Tsudik nrattana@uci.edu SPROUT Lab: sprout.ics.uci.edu University of California, Irvine 1

644 views • 42 slides
Leaving no one behind The role of evidence-building and profiling to include displacement in

Leaving no one behind The role of evidence-building and profiling to include displacement in

Leaving no one behind The role of evidence-building and profiling to include displacement in recovering and development processes Natalia Krynsky Baal , Coordinator, Joint IDP Profiling Service WHAT IS PROFILING? Defining profiling A

439 views • 12 slides
user profiling in text-based recommender systems based on distributed word representations .

user profiling in text-based recommender systems based on distributed word representations .

user profiling in text-based recommender systems based on distributed word representations . Steklov Institute of Mathematics at St. Petersburg National Research University Higher School of Economics, St. Petersburg Kazan (Volga

429 views • 17 slides
Remote Citrus QC Measurements. Tools for Teaching and Training Jos I. Reyes De Corcuera Tracy

Remote Citrus QC Measurements. Tools for Teaching and Training Jos I. Reyes De Corcuera Tracy

Remote Citrus QC Measurements. Tools for Teaching and Training Jos I. Reyes De Corcuera Tracy Irani Art Teixeira September 16, 2010 Background 30% Teaching UF Gainesville UF Gainesville FOS 5561 CREC Lake Alfred Citrus

514 views • 32 slides
A FRAMEWORK FOR REDUCING THE COST OF INSTRUMENTED CODE Known from Continuous Path and

A FRAMEWORK FOR REDUCING THE COST OF INSTRUMENTED CODE Known from Continuous Path and

A FRAMEWORK FOR REDUCING THE COST OF INSTRUMENTED CODE Known from Continuous Path and Edge Profiling Bug Isolation via Remote Program Sampling Low-overhead Memory Leak Detection using Adaptive Statistical Profiling (SWAT)

178 views • 16 slides
Profiling of Algorithms Profiling refers to the experimental measurement of the performance of

Profiling of Algorithms Profiling refers to the experimental measurement of the performance of

Profiling of Algorithms Profiling refers to the experimental measurement of the performance of algorithms. Profiling techniques fall into two main categories: Instruction counting the number of times which particular instruction(s)

672 views • 19 slides
Data Mining and Matrices 10 Graphs II Rainer Gemulla, Pauli Miettinen Jul 4, 2013 Link

Data Mining and Matrices 10 Graphs II Rainer Gemulla, Pauli Miettinen Jul 4, 2013 Link

Data Mining and Matrices 10 Graphs II Rainer Gemulla, Pauli Miettinen Jul 4, 2013 Link analysis The web as a directed graph Set of web pages with associated textual content Hyperlinks between webpages (potentially with anchor text)

614 views • 45 slides
SOCIAL ENGINEERING THREATS & COUNTERMEASURES IN AN OVERLY

SOCIAL ENGINEERING THREATS & COUNTERMEASURES IN AN OVERLY

SOCIAL ENGINEERING THREATS & COUNTERMEASURES IN AN OVERLY CONNECTED WORLD SHANE MACDOUGALL TACTICAL INTELLIGENCE INC. About Me InfoSec since 1989

1k views • 79 slides
Selective Early Request Termination Selective Early Request Termination for Busy Internet

Selective Early Request Termination Selective Early Request Termination for Busy Internet

Selective Early Request Termination Selective Early Request Termination for Busy Internet Services for Busy Internet Services Jingyu Zhou and Tao Yang Zhou and Tao Yang Jingyu Ask.com Ask.com University of California, Santa Barbara

608 views • 22 slides
Improving and Proving Marketing ROI with Testing How Shoebuy.com uses cross-site testing to

Improving and Proving Marketing ROI with Testing How Shoebuy.com uses cross-site testing to

Improving and Proving Marketing ROI with Testing How Shoebuy.com uses cross-site testing to increase conversions and revenue and make smart business decisions James Keller Chief Marketing Officer About Shoebuy Case Study Background The

465 views • 29 slides
From subexponentials in linear logic to concurrent constraint programming and back Carlos Olarte

From subexponentials in linear logic to concurrent constraint programming and back Carlos Olarte

From subexponentials in linear logic to concurrent constraint programming and back Carlos Olarte Joint work with Elaine Pimentel and Vivek Nigam ECT, Universidade Federal do Rio Grande do Norte October 13, 2015 Workshop on Logic, Language and

898 views • 38 slides
Efficient Processing of Set-Similarity Joins on Large Computer Clusters Rares Vernica

Efficient Processing of Set-Similarity Joins on Large Computer Clusters Rares Vernica

Efficient Processing of Set-Similarity Joins on Large Computer Clusters Rares Vernica rares@ics.uci.edu Department of Computer Science University of California, Irvine Rares Vernica (UC Irvine) Parallel Fuzzy-Joins 1 / 39 Research Overview

1.4k views • 105 slides
Link Analysis Paolo Boldi DSI LAW (Laboratory for Web Algorithmics) Universit` a degli Studi

Link Analysis Paolo Boldi DSI LAW (Laboratory for Web Algorithmics) Universit` a degli Studi

Link Analysis Paolo Boldi DSI LAW (Laboratory for Web Algorithmics) Universit` a degli Studi di Milan Paolo Boldi Link Analysis Ranking, search engines, social networks Ranking is of uttermost importance in IR, search engines and also in

1.89k views • 178 slides
Introduction to Network Analysis saverio . giallorenzo @gmail.com 1 Web Science

Introduction to Network Analysis saverio . giallorenzo @gmail.com 1 Web Science

Web Science Introduction to Network Analysis MA Digital Humanities and Digital Knowledge, UniBo Introduction to Network Analysis saverio . giallorenzo @gmail.com 1 Web Science Introduction to Network Analysis MA Digital Humanities and

1.27k views • 39 slides

More recommend