Melting the Snow Using Active DNS Measurements to Detect Snowshoe - - PowerPoint PPT Presentation



SLIDE 1

Melting the Snow

Using Active DNS Measurements to Detect Snowshoe Spam Domains

Olivier van der Toorn, November 13, 2018

University of Twente, Design and Analysis of Communication Systems

SLIDE 2

Introduction

Olivier

@lordievader:corellian.student.utwente.nl

  • .i.vandertoorn@utwente.nl

https://www.tide-project.nl/

SLIDE 5

Introduction

Olivier

We hypothesize that the use of active DNS measurements is a good way to detect snowshoe spam domains.

SLIDE 6

Overview

SLIDES 7-9

Overview

[Diagram, built up over three slides, with the elements: Box of domains, Black box, Notepad]

SLIDE 10

A Closer Look

SLIDES 11-13

A Closer Look

[Diagram, built up over three slides, with the elements: Box of domains, Notepad, Black box; OpenINTEL appears on slide 13]

SLIDE 14

OpenINTEL


SLIDES 16-18

OpenINTEL

The long tail of the DNS

[Chart, built up over three slides; labels: 97%, 98%, 99%, 99.9%]

SLIDE 19

OpenINTEL

A dataset

A labeled dataset

SLIDE 20

OpenINTEL

[Figure: two CDF plots comparing positives and negatives. Left panel: number of A records (x-axis 10 to 50, CDF 40% to 100%), annotated values 11.2 and 16.6. Right panel: number of MX records (x-axis 20 to 100, CDF 90% to 100%), annotated value 77.0.]

SLIDES 21-22

A Closer Look

[Diagram, with the elements: Notepad, Black box, OpenINTEL; on slide 22 Black box is replaced by Machine Learning]

SLIDE 23

Machine Learning


SLIDES 25-29

Machine Learning

                             Spam            Ham
Type                         TP      FN      FP      TN
SVC                          13449   1081    2339    8512
GaussianNB                   13330   1200    2075    8776
RadiusNeighborsClassifier    13318   1212    2367    8484
BernoulliNB                  12995   1535    2507    8344
GradientBoostingClassifier   12645   1885    9605    1246
MultinomialNB                12179   2351    1397    9454
RandomForestClassifier       11156   3374    1488    9363
MLPClassifier                7273    7257    707     10144
DecisionTreeClassifier       6279    8251    695     10156
AdaBoostClassifier           5971    8559    164     10687
KNeighborsClassifier         4562    9968    676     10175
SGDClassifier                3599    10931   674     10177

SLIDE 30

Machine Learning

Precision = True Positives / (True Positives + False Positives)

SLIDE 31

Machine Learning

                             Spam            Ham
Type                         TP      FN      FP      TN      Precision
SVC                          13449   1081    2339    8512    85.18%
GaussianNB                   13330   1200    2075    8776    86.53%
RadiusNeighborsClassifier    13318   1212    2367    8484    84.90%
BernoulliNB                  12995   1535    2507    8344    83.82%
GradientBoostingClassifier   12645   1885    9605    1246    56.83%
MultinomialNB                12179   2351    1397    9454    89.70%
RandomForestClassifier       11156   3374    1488    9363    88.23%
MLPClassifier                7273    7257    707     10144   91.14%
DecisionTreeClassifier       6279    8251    695     10156   90.03%
AdaBoostClassifier           5971    8559    164     10687   97.32%
KNeighborsClassifier         4562    9968    676     10175   87.09%
SGDClassifier                3599    10931   674     10177   84.22%

SLIDES 32-34

Machine Learning

                             Spam            Ham
Type                         TP      FN      FP      TN      Precision
AdaBoostClassifier Improved  6688    7842    110     10741   98.38%
AdaBoostClassifier           5971    8559    164     10687   97.32%
MLPClassifier                7273    7257    707     10144   91.14%
DecisionTreeClassifier       6279    8251    695     10156   90.03%
MultinomialNB                12179   2351    1397    9454    89.70%
RandomForestClassifier       11156   3374    1488    9363    88.23%
KNeighborsClassifier         4562    9968    676     10175   87.09%
GaussianNB                   13330   1200    2075    8776    86.53%
SVC                          13449   1081    2339    8512    85.18%
RadiusNeighborsClassifier    13318   1212    2367    8484    84.90%
SGDClassifier                3599    10931   674     10177   84.22%
BernoulliNB                  12995   1535    2507    8344    83.82%
GradientBoostingClassifier   12645   1885    9605    1246    56.83%
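The precision column and ranking of the classifier table, recomputed from its TP/FN/FP/TN counts as an added example (this is not code from the talk). It also computes recall, which the slides do not show, so the trade-off behind the top-ranked AdaBoost classifier (highest precision, but far fewer spam domains caught than SVC) becomes visible; truncating rather than rounding to two decimals reproduces the slide's percentages.

```python
from dataclasses import dataclass
from math import floor

@dataclass(frozen=True)
class Confusion:
    name: str
    tp: int  # spam domains classified as spam
    fn: int  # spam domains classified as ham
    fp: int  # ham domains classified as spam
    tn: int  # ham domains classified as ham

# Counts copied from the slide's table (Spam: TP, FN / Ham: FP, TN).
RESULTS = [
    Confusion("AdaBoostClassifier Improved", 6688, 7842, 110, 10741),
    Confusion("AdaBoostClassifier", 5971, 8559, 164, 10687),
    Confusion("MLPClassifier", 7273, 7257, 707, 10144),
    Confusion("DecisionTreeClassifier", 6279, 8251, 695, 10156),
    Confusion("MultinomialNB", 12179, 2351, 1397, 9454),
    Confusion("RandomForestClassifier", 11156, 3374, 1488, 9363),
    Confusion("KNeighborsClassifier", 4562, 9968, 676, 10175),
    Confusion("GaussianNB", 13330, 1200, 2075, 8776),
    Confusion("SVC", 13449, 1081, 2339, 8512),
    Confusion("RadiusNeighborsClassifier", 13318, 1212, 2367, 8484),
    Confusion("SGDClassifier", 3599, 10931, 674, 10177),
    Confusion("BernoulliNB", 12995, 1535, 2507, 8344),
    Confusion("GradientBoostingClassifier", 12645, 1885, 9605, 1246),
]

def truncate_pct(ratio: float) -> float:
    # Two decimals, truncated rather than rounded: that is what reproduces the
    # slide (e.g. SGDClassifier 3599/4273 = 84.226...% is shown as 84.22%).
    return floor(ratio * 10000) / 100

def precision(c: Confusion) -> float:
    # Share of domains flagged as spam that really are spam: TP / (TP + FP).
    return truncate_pct(c.tp / (c.tp + c.fp))

def recall(c: Confusion) -> float:
    # Share of the spam domains that were flagged at all: TP / (TP + FN).
    return truncate_pct(c.tp / (c.tp + c.fn))

def ranked_by_precision(rows=RESULTS):
    # (name, precision %, recall %) sorted by precision, highest first.
    scored = [(c.name, precision(c), recall(c)) for c in rows]
    return sorted(scored, key=lambda t: t[1], reverse=True)

for name, p, r in ranked_by_precision():
    print(f"{name:28s} precision {p:6.2f}%  recall {r:6.2f}%")
```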

SLIDES 35-36

A Closer Look

[Diagram, with the elements: Notepad, Machine Learning, OpenINTEL; on slide 36 Notepad is replaced by Realtime Blackhole List (RBL)]

SLIDE 37

Realtime Blackhole List (RBL)

SLIDES 38-45

Realtime Blackhole List (RBL)

[Figure, built up over slides 38 to 44: number of detected domains (log scale, 1 to 100000) against detection in advance (days, 10 to 80); the bar labels, in order of appearance, are 28984, 1961, 1144, 1095, 968 and 928. Slide 45 repeats the title.]

SLIDES 46-47

A Closer Look

[Diagram, with the elements: Realtime Blackhole List (RBL), Machine Learning, OpenINTEL; SURFmailfilter is added on slide 47]

SLIDE 48

SURFmailfilter

SLIDES 49-51

SURFmailfilter

[Figure, built up over three slides: timeline over the observation dates 2017-05-24, 2017-06-23 and 2017-07-23 for the domain names daadzgam.com, realdrippy.com, coachspoke.com, stillscratch.com, homerope.com and quittradition.com; legend: Blacklisted, Detected]

SLIDES 52-53

SURFmailfilter

  • 1188 emails
  • 20 unique domains in the body

SLIDES 54-55

SURFmailfilter

  • 448 emails
  • 29 unique domains in the body

SLIDES 56-57

SURFmailfilter

  • 1006 emails
  • 64 unique domains in the body

SLIDES 58-59

SURFmailfilter

  • 1080 emails
  • 447 (41.39%) emails have a score of five or higher

SLIDE 60

SURFmailfilter

  • 633 (58.61%) emails have a score below five
  • 52 unique domains in the body
  • of which 13 domains never appear in an email classified as spam
  • these 13 domains appear in 31 emails (2.87%)

SLIDES 61-65

SURFmailfilter

[Figure, built up over slides 61 to 64: emails marked as spam (100 to 700) against the additional score given to the RBL (0.0 to 5.0 in steps of 0.5); the bar labels, in order of appearance, are 22, 120, 320, 335, 352, 441, 497, 554, 626 and 629. Slide 65 repeats the title.]

SLIDE 66

Conclusions

SLIDE 67

Conclusions

What is the advantage of proactive snowshoe spam domain detection using DNS data?

SLIDES 68-69

Conclusions

  • .i.vandertoorn@utwente.nl
SLIDES 70-71

?