SLIDE 1
Malicious Domain Name Detection System
By Auke Zwaan
Name Detection System By Auke Zwaan DNS DNS DNS Give me google. - - PowerPoint PPT Presentation
Name Detection System By Auke Zwaan DNS DNS DNS Give me google. - - PowerPoint PPT Presentation
Malicious Domain Name Detection System By Auke Zwaan DNS DNS DNS Give me google. gle.nl nl DNS Give me google. gle.nl nl Okay. 64.233. 4.233.166.9 66.94 Research Question Is it possible to detect ma malic iciou ious do domain
SLIDE 2
SLIDE 3
DNS
SLIDE 4
DNS
Give me google. gle.nl nl
SLIDE 5
DNS
Give me google. gle.nl nl
- Okay. 64.233.
4.233.166.9 66.94
SLIDE 6
SLIDE 7
Research Question
Is it possible to detect ma malic iciou ious do domain ins by analyzing interrelations between DN DNS reso esolver ers and blackli acklist sted ed do doma main ins?
SLIDE 8
One giant DNS dataset
- All DNS requests done to ns1.dns.nl
- n January 6, 2016
- 170M+ DNS Queries (+-7GB)
SLIDE 9
DNS Data
SLIDE 10
DNS Data
SLIDE 11
DNS Data
SLIDE 12
DNS Data
SLIDE 13
DNS Data
SLIDE 14
DNS Data
SLIDE 15
DNS Data
SLIDE 16
DNS Data
SLIDE 17
DNS Data
SLIDE 18
Nice, but what is a βma malicious icious domain main name meβ?
SLIDE 19
Initial blacklist
- joewein.de LLC:
424 domains
- SIDN Labs Sinkhole:
15 domains
- Internet Storm Center (SANS):
14 domains
- MalwareDomainList.com:
6 domains Total 459 domains
SLIDE 20
DN DNS da data ta X Bl Blac ackli klist st = Poten enti tial ally Mal alici icious
- us
Do Domain ins
SLIDE 21
Processing the data
Sour urce ce Target rget Time mestam stamp
192.168.0.105 google.nl 1452091187 192.168.0.106 uva.nl 1452091187 192.168.0.232 nu.nl 1452091187 145.100.104.208
- s3.nl
1452091187 192.168.0.108 bdcrqgonzmwuehky.nl 1452091187 145.100.104.208 hzmksreiuojy.nl 1452091187 145.100.104.208 xjpakmdcfuqe.nl 1452091187
SLIDE 22
Processing the data
Sou
- urce
ce Target rget
192.168.0.105 google.nl 192.168.0.106 uva.nl 192.168.0.232 nu.nl 145.100.104.208
- s3.nl
192.168.0.108 bdcrqgonzmwuehky.nl 145.100.104.208 hzmksreiuojy.nl 145.100.104.208 xjpakmdcfuqe.nl
SLIDE 23
Processing the data
Sou
- urce
ce Target rget
192.168.0.105 google.nl 192.168.0.106 uva.nl 192.168.0.232 nu.nl 145.100.104.208
- s3.nl
192.168.0.108 bdcrqgonzmwuehky.nl 145.100.104.208 hzmksreiuojy.nl 145.100.104.208 xjpakmdcfuqe.nl
SLIDE 24
Grouping queries, suspicious resolvers only
Sou
- urce
ce Target rget
145.100.104.208
- s3.nl
hzmksreiuojy.nl xjpakmdcfuqe.nl aanrechtblad-kopen.nl 192.168.0.108 bdcrqgonzmwuehky.nl replicarolex.nl google.nl
SLIDE 25
Flagging malicious domains
Sou
- urce
ce Target rget Ma Malicious licious
145.100.104.208
- s3.nl
Unknown hzmksreiuojy.nl Yes xjpakmdcfuqe.nl Yes aanrechtblad-kopen.nl Unknown 192.168.0.108 bdcrqgonzmwuehky.nl Yes replicarolex.nl Unknown google.nl Unknown
SLIDE 26
Processing the data
Sou
- urce
ce Ma Malicious licious Un Unkno known wn
145.100.104.208 2 2 192.168.0.108 1 2 192.168.0.106 1 6 192.168.0.105 1 5
SLIDE 27
Defining the mal alic iciousness iousness ra ratio io
ππππππππ£π‘πππ‘π‘ πππ’ππ = ππ£ππππ ππ ππ£ππ πππ‘ π’π πππππ ππππ πππππππ ππ£ππππ ππ ππ£ππ πππ‘ π’π πππππππ πππππππ
SLIDE 28
Processing the data
Sou
- urce
ce Ma Malicious licious Un Unkno known wn Ratio tio
145.100.104.208 2 2 1.0 1.0 192.168.0.108 1 2 0.5 192.168.0.106 1 6 0.167 67 192.168.0.105 1 4 0.25 25 192.168.0.232 4 300 0.013
SLIDE 29
Assumption 1
A ma malicious icious res esolv lver er is a resolver for which the maliciousness ratio β₯ 0.25
SLIDE 30
Processing the data
Sou
- urce
ce Ma Malicious licious Un Unkno known wn Ratio tio
145.100.104.208 2 2 1.0 1.0 192.168.0.108 1 2 0.5 192.168.0.106 1 6 0.167 67 192.168.0.105 1 4 0.25 25 192.168.0.232 4 300 0.013
SLIDE 31
Finding malicious domains
- Get all the domains requested by malic
icious ious res esolv lver ers
- Filter out the domains from the initial blacklist
SLIDE 32
Assumption 2
The 100 most popular .nl domain names are not ma malicious icious
SLIDE 33
Results
- 40,469
469 queries to malicious domains
- 8,132 suspicious resolvers, doing 85M+
M+ queries
- 673
673 malicious resolvers (maliciousness ratio β₯ 0.25)
- 413 potentially malicious domains
- 392
392 potentially malicious domains (minus top 100)
SLIDE 34
Assumption 3
If a website has at t lea east st one hit in VirusTotal in the past, it is considered malicious
SLIDE 35
Example
www.ikhouvanirakezen.nl
Detected by VirusTotal thus tr true positiv itive
SLIDE 36
Example 2
No hits on VirusTotal
- Manual Google Search:
- Hits:
Classification βYesβ
- No hits:
Classification βNoβ
- Hosting provider:
Classification βPossiblyβ
- Search not feasible:
Classifcation βUnknownβ
SLIDE 37
Ma Mali liciou cious Numb mber er of doma mains ins Yes 125 No 153 Possibly 111 Unknown 3 Total tal 392 92
SLIDE 38
Evaluation: 32 test rounds
DN DNS da data ta X Bl Blac ackli klist st = Poten enti tial ally Mal alici icious
- us
Do Domain ins
SLIDE 39
Blacklist acklist Training ining set t (9 (90% 0%) Tes est t set t (1 (10% 0%)
DN DNS da data ta X Poten enti tial ally Mal alici icious
- us
Do Doma main ins
Trying to find domains from a test set
SLIDE 40
Blacklist acklist Training ining set t (9 (90% 0%) Tes est t set t (1 (10% 0%)
DN DNS da data ta X Poten enti tial ally Mal alici icious
- us
Do Doma main ins
Trying to find domains from a test set
SLIDE 41
Evaluation: 32 test rounds
Min Max Mean Std # # Pot
- tent
ntia ially maliciou cious domai ains ns 114 400 400 349.875 75 68.295 # # From test t set et found und 5 2.594 94 1. 1.316
SLIDE 42
Conclusion
- It is possible to find malicious domains by looking at
spatial co-occurrence of DNS queries
- 31.8% true positives, so not suitable for blacklisting
- Instead, use as factor for further analysis
SLIDE 43
Future work
- Add a content analysis for each potentially malicious domain
(i.e. crawling), and apply NLP
- Compare lists between different dates (datasets) and analyze
commonly found domains
- Look at whois info for potentially malicious domains and use it
for finding malicious registrars
SLIDE 44
Future work
- Extend blacklists (or run the algorithm recursively)
- Use the maliciousness ratio to identify most βdangerousβ
resolvers
- 111x βPossiblyβ: strip out hosting providers?
SLIDE 45