name detection system
play

Name Detection System By Auke Zwaan DNS DNS DNS Give me google. - PowerPoint PPT Presentation

Oct 10, 2023 •5 likes •455 views

Malicious Domain Name Detection System By Auke Zwaan DNS DNS DNS Give me google. gle.nl nl DNS Give me google. gle.nl nl Okay. 64.233. 4.233.166.9 66.94 Research Question Is it possible to detect ma malic iciou ious do domain

  1. Malicious Domain Name Detection System By Auke Zwaan

  2. DNS

  3. DNS

  4. DNS Give me google. gle.nl nl

  5. DNS Give me google. gle.nl nl Okay. 64.233. 4.233.166.9 66.94

  7. Research Question Is it possible to detect ma malic iciou ious do domain ins by analyzing interrelations between DN DNS reso esolver ers and blackli acklist sted ed do doma main ins?

  8. One giant DNS dataset  All DNS requests done to ns1.dns.nl on January 6, 2016  170M+ DNS Queries (+-7GB)

  9. DNS Data

  10. DNS Data

  11. DNS Data

  12. DNS Data

  13. DNS Data

  14. DNS Data

  15. DNS Data

  16. DNS Data

  17. DNS Data

  18. Nice, but what is a ‘ ma malicious icious domain main name me ’?

  19. Initial blacklist  joewein.de LLC: 424 domains  SIDN Labs Sinkhole: 15 domains  Internet Storm Center (SANS): 14 domains  MalwareDomainList.com: 6 domains Total 459 domains

  20. Poten enti tial ally DNS da DN data ta Mal alici icious ous X Blac Bl ackli klist st = Do Domain ins

  21. Processing the data Sour urce ce Target rget Time mestam stamp 192.168.0.105 google.nl 1452091187 192.168.0.106 uva.nl 1452091187 192.168.0.232 nu.nl 1452091187 145.100.104.208 os3.nl 1452091187 192.168.0.108 bdcrqgonzmwuehky.nl 1452091187 145.100.104.208 hzmksreiuojy.nl 1452091187 145.100.104.208 xjpakmdcfuqe.nl 1452091187

  22. Processing the data Sou ource ce Target rget 192.168.0.105 google.nl 192.168.0.106 uva.nl 192.168.0.232 nu.nl 145.100.104.208 os3.nl 192.168.0.108 bdcrqgonzmwuehky.nl 145.100.104.208 hzmksreiuojy.nl 145.100.104.208 xjpakmdcfuqe.nl

  23. Processing the data Sou ource ce Target rget 192.168.0.105 google.nl 192.168.0.106 uva.nl 192.168.0.232 nu.nl 145.100.104.208 os3.nl 192.168.0.108 bdcrqgonzmwuehky.nl 145.100.104.208 hzmksreiuojy.nl 145.100.104.208 xjpakmdcfuqe.nl

  24. Grouping queries, suspicious resolvers only Sou ource ce Target rget 145.100.104.208 os3.nl hzmksreiuojy.nl xjpakmdcfuqe.nl aanrechtblad-kopen.nl 192.168.0.108 bdcrqgonzmwuehky.nl replicarolex.nl google.nl

  25. Flagging malicious domains Sou ource ce Target rget Ma Malicious licious 145.100.104.208 os3.nl Unknown hzmksreiuojy.nl Yes xjpakmdcfuqe.nl Yes aanrechtblad-kopen.nl Unknown 192.168.0.108 bdcrqgonzmwuehky.nl Yes replicarolex.nl Unknown google.nl Unknown

  26. Processing the data Sou ource ce Ma Malicious licious Un Unkno known wn 145.100.104.208 2 2 192.168.0.108 1 2 192.168.0.106 1 6 192.168.0.105 1 5

  27. Defining the mal alic iciousness iousness ra ratio io 𝑁𝑏𝑚𝑗𝑑𝑗𝑝𝑣𝑡𝑜𝑓𝑡𝑡 𝑆𝑏𝑢𝑗𝑝 = 𝑂𝑣𝑛𝑐𝑓𝑠 𝑝𝑔 𝑟𝑣𝑓𝑠𝑗𝑓𝑡 𝑢𝑝 𝒏𝒃𝒎𝒋𝒅𝒋𝒑𝒗𝒕 𝒆𝒑𝒏𝒃𝒋𝒐𝒕 𝑂𝑣𝑛𝑐𝑓𝑠 𝑝𝑔 𝑟𝑣𝑓𝑠𝑗𝑓𝑡 𝑢𝑝 𝒗𝒐𝒍𝒐𝒑𝒙𝒐 𝒆𝒑𝒏𝒃𝒋𝒐𝒕

  28. Processing the data Sou ource ce Ma Malicious licious Un Unkno known wn Ratio tio 145.100.104.208 2 2 1.0 1.0 192.168.0.108 1 2 0.5 192.168.0.106 1 6 0.167 67 192.168.0.105 1 4 0.25 25 192.168.0.232 4 300 0.013

  29. Assumption 1 A ma malicious icious res esolv lver er is a resolver for which the maliciousness ratio ≥ 0.25

  30. Processing the data Sou ource ce Ma Malicious licious Un Unkno known wn Ratio tio 145.100.104.208 2 2 1.0 1.0 192.168.0.108 1 2 0.5 192.168.0.106 1 6 0.167 67 192.168.0.105 1 4 0.25 25 192.168.0.232 4 300 0.013

  31. Finding malicious domains  Get all the domains requested by malic icious ious res esolv lver ers  Filter out the domains from the initial blacklist

  32. Assumption 2 The 100 most popular .nl domain names are not ma malicious icious

  33. Results  40,469 469 queries to malicious domains  8,132 suspicious resolvers, doing 85M+ M+ queries  673 673 malicious resolvers (maliciousness ratio ≥ 0.25)  413 potentially malicious domains  392 392 potentially malicious domains (minus top 100)

  34. Assumption 3 If a website has at t lea east st one hit in VirusTotal in the past, it is considered malicious

  35. Example www.ikhouvanirakezen.nl Detected by VirusTotal thus tr true positiv itive

  36. Example 2 No hits on VirusTotal  Manual Google Search:  Hits: Classification “Yes”  No hits: Classification “No”  Hosting provider: Classification “ Possibly ”  Search not feasible: Classifcation “ Unknown ”

  37. Ma Mali liciou cious Numb mber er of doma mains ins Yes 125 No 153 Possibly 111 Unknown 3 Total tal 392 92

  38. Evaluation: 32 test rounds Poten enti tial ally DN DNS da data ta Mal alici icious ous X Blac Bl ackli klist st = Do Domain ins

  39. Trying to find domains from a test set Training ining DN DNS da data ta X set t (9 (90% 0%) Blacklist acklist Poten enti tial ally Tes est t set t Mal alici icious ous (1 (10% 0%) Do Doma main ins

  40. Trying to find domains from a test set Training ining DN DNS da data ta X set t (9 (90% 0%) Blacklist acklist Poten enti tial ally Tes est t set t Mal alici icious ous (1 (10% 0%) Do Doma main ins

  41. Evaluation: 32 test rounds Min Max Mean Std # # Pot otent ntia ially maliciou cious domai ains ns 114 400 400 349.875 75 68.295 # # From test t set et found und 0 5 2.594 94 1. 1.316

  42. Conclusion  It is possible to find malicious domains by looking at spatial co-occurrence of DNS queries  31.8% true positives, so not suitable for blacklisting  Instead, use as factor for further analysis

  43. Future work  Add a content analysis for each potentially malicious domain (i.e. crawling), and apply NLP  Compare lists between different dates (datasets) and analyze commonly found domains  Look at whois info for potentially malicious domains and use it for finding malicious registrars

  44. Future work  Extend blacklists (or run the algorithm recursively)  Use the maliciousness ratio to identify most ‘ dangerous ’ resolvers  111x ‘ Possibly ’: strip out hosting providers?

  45. Thanks for your attention! Qu Questions estions?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Fever Detection System Ver 1.3 1. Necessities of Fever detection system for COVID-19 Reduce

Fever Detection System Ver 1.3 1. Necessities of Fever detection system for COVID-19 Reduce

Optimal fever detection system to to prevent the spread of of viruses(COVID-19, MERS, SARS etc.) FDS-100 Fever Detection System Ver 1.3 1. Necessities of Fever detection system for COVID-19 Reduce measurement time Efficiency Reduce

464 views • 11 slides
plagiarism detection system Andrzej Sobecki, Marcin Kpa IKC 2017 Plagiarism detection problem

plagiarism detection system Andrzej Sobecki, Marcin Kpa IKC 2017 Plagiarism detection problem

Improving performance of a plagiarism detection system Andrzej Sobecki, Marcin Kpa IKC 2017 Plagiarism detection problem Text documents unstructured form Finding a potential source documents based on the suspected document

531 views • 13 slides
Basics of Intrusion Detection Watch whats going on in the system Try to detect behavior

Basics of Intrusion Detection Watch whats going on in the system Try to detect behavior

Basics of Intrusion Detection Watch whats going on in the system Try to detect behavior that characterizes intruders While avoiding improper detection of legitimate access At a reasonable cost Lecture 11 Page 1 CS 236 Online

426 views • 13 slides
Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion

Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion

Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion Detection Systems Tripwire Snort 2 IDS (Definition) Intrusion Detection is the process of monitoring the events occurring in a computer

571 views • 30 slides
MODES_SNM Modular Detection System for Special Nuclear Material 284842 FP7-SEC-2011-1 G.

MODES_SNM Modular Detection System for Special Nuclear Material 284842 FP7-SEC-2011-1 G.

MODES_SNM Modular Detection System for Special Nuclear Material 284842 FP7-SEC-2011-1 G. Viesti Dipartimento di Fisica ed Astronomia Universit di Padova 5th meeting of the C2013 Customs Detection Technology expert group Mestre/Venice

173 views • 16 slides
Conco System s The Practical Application of Tracer Gas Leak Detection for Air Cooled Condensers

Conco System s The Practical Application of Tracer Gas Leak Detection for Air Cooled Condensers

Conco System s The Practical Application of Tracer Gas Leak Detection for Air Cooled Condensers Andrew H. Leavitt Conco Systems, Inc. Tracer Gas Leak Detection Focusing On: Air inleakage Impact on system Limitations of air removal

691 views • 31 slides
Fraud Detection & Prevention System For Participant Integrity (FDPS) FY2016 WIC Special

Fraud Detection & Prevention System For Participant Integrity (FDPS) FY2016 WIC Special

Fraud Detection & Prevention System For Participant Integrity (FDPS) FY2016 WIC Special Project Grant Presentation to: Nutrition Services Directors Meeting Presented by: Chavis Paulk, MPA Date: December 13, 2016 Fraud Detection and

1.27k views • 23 slides
Quality assessment in DevOps: Automated Analysis of a Tax Fraud Detection System Diego

Quality assessment in DevOps: Automated Analysis of a Tax Fraud Detection System Diego

Quality assessment in DevOps: Automated Analysis of a Tax Fraud Detection System Diego Perez-Palacin, Youssef Ridene, Jos Merseguer University of Zaragoza, Netfective Technology Diego Perez-Palacin Big Blu eGov Tax Fraud Detection System

907 views • 41 slides
Detection of neutral particles detection of neutrons detection of neutrinons detection of low

Detection of neutral particles detection of neutrons detection of neutrinons detection of low

Detection of neutral particles detection of neutrons detection of neutrinons detection of low energy photons (detection of high energy photons calorimeters) Peter Krizan, Neutron and neutrino detection Detection of neutral particles

1.21k views • 67 slides
SAQL : A Stream-based Query System for Real-Time SA Abnormal System Behavior Detection Peng Gao 1

SAQL : A Stream-based Query System for Real-Time SA Abnormal System Behavior Detection Peng Gao 1

SAQL : A Stream-based Query System for Real-Time SA Abnormal System Behavior Detection Peng Gao 1 , Xusheng Xiao 2 , Ding Li 3 , Zhichun Li 3 , Kangkook Jee 3 , Zhenyu Wu 3 , Chung Hwan Kim 3 , Sanjeev R. Kulkarni 1 , Prateek Mittal 1 1 Princeton

453 views • 24 slides
Pipeline leak detection eLearning Part 1 of 2 Please turn on your speakers Historical

Pipeline leak detection eLearning Part 1 of 2 Please turn on your speakers Historical

Pipeline leak detection eLearning Part 1 of 2 Please turn on your speakers Historical development Leak detection system requirements Causes of leaks Leak detection options Non-continuous leak detection Continuous external leak detection

806 views • 49 slides
FIBER-OPTIC SYSTEM FOR M ONITORING EXTENDED OBJ ECTS FOSM Applications: - Detection of

FIBER-OPTIC SYSTEM FOR M ONITORING EXTENDED OBJ ECTS FOSM Applications: - Detection of

FIBER-OPTIC SYSTEM FOR M ONITORING EXTENDED OBJ ECTS FOSM Applications: - Detection of vibrations caused by object condition and/or third party interference; - Detection of temperature anomaly and/or measurement of extended object

305 views • 26 slides
Expansion of the SURFnet Intrusion Detection System R. Buijs P. Siekerman System and Network

Expansion of the SURFnet Intrusion Detection System R. Buijs P. Siekerman System and Network

Expansion of the SURFnet Intrusion Detection System R. Buijs P. Siekerman System and Network Engineering 7-2-2007 R. Buijs P. Siekerman (SNE) Expansion of SURFnet IDS 7-2-2007 1 / 18 Contents Assignment 1 Intrusion Detection Systems 2

454 views • 18 slides
The Light Detection System of protoDune DP Thorsten Lux On behalf of CIEMAT and IFAE Outline

The Light Detection System of protoDune DP Thorsten Lux On behalf of CIEMAT and IFAE Outline

The Light Detection System of protoDune DP Thorsten Lux On behalf of CIEMAT and IFAE Outline Motivation Baseline design Components of the light readout system: PMTs Bases Support structure Wavelength shifter High

765 views • 37 slides
Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection solution is impossible Good behavior on one system is bad behavior on another Behaviors change and new vulnerabilities are discovered

700 views • 23 slides
SURFnet IDS / OS3 UvA Project Extension of the SURFnet Intrusion Detection System Sensors to

SURFnet IDS / OS3 UvA Project Extension of the SURFnet Intrusion Detection System Sensors to

SURFnet IDS / OS3 UvA Project Extension of the SURFnet Intrusion Detection System Sensors to Microsoft Windows XP Michael Rave Coen Steenbeek 7 February 2007 Extension of the SURFnet Intrusion Detection System Sensors to Microsoft Windows XP

203 views • 18 slides
Using BGP for realtime import and export of OpenBSD spamd entries Peter Hessler

Using BGP for realtime import and export of OpenBSD spamd entries Peter Hessler

Using BGP for realtime import and export of OpenBSD spamd entries Peter Hessler phessler@openbsd.org OpenBSD 17 March, 2013 1 / 27 what is this spamd uses IP host entries, to whitelist, blacklist or greylist hosts spamd can import and

412 views • 27 slides
Measuring the Impact of Sharing Abuse Data with Web Hosting Providers Marie Vasek , Matthew

Measuring the Impact of Sharing Abuse Data with Web Hosting Providers Marie Vasek , Matthew

Measuring the Impact of Sharing Abuse Data with Web Hosting Providers Marie Vasek , Matthew Weeden, and Tyler Moore University of Tulsa WISCS 24 October 2016 1 of 27 StopBadware Founded in 2006 by Harvards Berkman Klein Center for

397 views • 27 slides
WEL WELCOME COME! 2019 9 2020 2020 Sch chool l Yea ear WHAT IS THE PTSA & WHAT DO

WEL WELCOME COME! 2019 9 2020 2020 Sch chool l Yea ear WHAT IS THE PTSA & WHAT DO

WEL WELCOME COME! 2019 9 2020 2020 Sch chool l Yea ear WHAT IS THE PTSA & WHAT DO WE DO The PTSA is a non-profit, volunteer organization of parents, teachers and students. The PTSA main role is to build strong working

402 views • 7 slides
Hi! Im Fiona. Things that I do: Teach Vectorworks and SketchUp Tutor at London College

Hi! Im Fiona. Things that I do: Teach Vectorworks and SketchUp Tutor at London College

Hi! Im Fiona. Things that I do: Teach Vectorworks and SketchUp Tutor at London College of Garden Design Freelance for other designers Project management Draw great plans and details Create dreamy visuals

460 views • 29 slides
Manipulation of Stable Matchings the Depths Summary using Minimal Blacklists Yannai A.

Manipulation of Stable Matchings the Depths Summary using Minimal Blacklists Yannai A.

Background A Poll Results Overview A Peek Into Manipulation of Stable Matchings the Depths Summary using Minimal Blacklists Yannai A. Gonczarowski The Hebrew University of Jerusalem Microsoft Research July 29, 2014 Proc. of the 15 th ACM

1.42k views • 129 slides
Facial Recognition Soren Frederiksen VP of Innovation Lab 2019 Ensuring safer tomorrows 1

Facial Recognition Soren Frederiksen VP of Innovation Lab 2019 Ensuring safer tomorrows 1

Facial Recognition Soren Frederiksen VP of Innovation Lab 2019 Ensuring safer tomorrows 1 Who am I Soren Frederiksen VP of Innovation Lab Electrical Engineer from Denmark 30 year developing software Neural Networks

316 views • 21 slides
CURRENT ISSUES OF MALICIOUS DOMAINS BLOCKING Tuesday 9 th April, 2019 Stanislav paek Martin

CURRENT ISSUES OF MALICIOUS DOMAINS BLOCKING Tuesday 9 th April, 2019 Stanislav paek Martin

CURRENT ISSUES OF MALICIOUS DOMAINS BLOCKING Tuesday 9 th April, 2019 Stanislav paek Martin Latovika, Martin Hork and Tom Plesnk Introduction Malicious Domains Attackers may register their own domains May host phishing

427 views • 19 slides
Smart Vis isitor Tracking System VISITOR Visitor Tracking Features: Quick and seamless visitor

Smart Vis isitor Tracking System VISITOR Visitor Tracking Features: Quick and seamless visitor

Smart Vis isitor Tracking System VISITOR Visitor Tracking Features: Quick and seamless visitor entrance & exit. Real-time indoor & outdoor tracking of visitors. SMS, screen pop up & email alerts. Alerts if a visitor strays from

382 views • 12 slides

More recommend