new dns traffic analysis techniques to identify global
play

New DNS Traffic Analysis Techniques to Identify Global Internet - PowerPoint PPT Presentation

Sep 14, 2023 •311 likes •1.04k views

New DNS Traffic Analysis Techniques to Identify Global Internet Threats Dhia Mahjoub and Thomas Mathew January 12 th , 2016 1 Dhia Mahjoub Technical Leader at OpenDNS PhD Graph Theory Applied on Sensor Networks Focus: Security, Graphs &

  1. New DNS Traffic Analysis Techniques to Identify Global Internet Threats Dhia Mahjoub and Thomas Mathew January 12 th , 2016 1

  2. Dhia Mahjoub Technical Leader at OpenDNS PhD Graph Theory Applied on Sensor Networks Focus: Security, Graphs & Data Analysis 2

  3. Thomas Mathew Security Researcher at OpenDNS Background: Machine Learning Focus: Time Series and Data Analysis 3

  4. Agenda OpenDNS Global Network & Types of DNS Traffic Threat Landscape DNS Traffic Analysis Techniques Results ¡and ¡Recorded ¡Suspicious ¡Hos2ng ¡Pa5erns ¡ Graph Analytics Conclusion 4

  5. OpenDNS’ Network Map https://www.opendns.com/data-center-locations/ 5

  6. Where is OpenDNS in the network? 6

  7. Threat Landscape 7

  8. 8

  9. Some Security Graph Metrics § 70+ Billion DNS queries per day § Sample Authlogs: ~46M nodes per day ~174M edges per day 9

  10. DNS Traffic Analysis Techniques 10

  11. DNS Data – Authoritative Data § Authoritative Data captures changes in DNS mappings: § Can reconstruct all the domains mapping to an IP for a given time window and vice-versa § Reconstruct data regarding name servers 11

  12. DNS Data – Authoritative Data § Authoritative Data helpful in catching ‘noisy’ domains – Fast flux, domains with bad IP, prefix reputation § Noisy domains change mappings frequently e.g. Fast Flux 12

  13. Domain Reputation § We have noticed relying on domain reputation breaks on identifying certain groups of threat - Nxdomains, client behavior related domains § Devised for an internet of 10 years ago § Malicious domains move quickly from IP to IP § Compromised domains § Price of domain and subdomain have gotten cheaper 13

  14. Signals § Hypothesis: DNS query patterns are a signal that is harder to control § Refined Hypothesis: DNS query patterns can be used to help identify Exploit kit domains 14

  15. Signals (cont’d) § Inherent vs. acquired/assigned features § Lexical, DGA setup, hosting, registration can be changed § Traffic patterns that emerge globally from clients querying malware domains are harder to obfuscate, change § Defeat malware domains by tracking their features for which evasion at global scale is not easy 15

  16. Traffic Patterns § Create system to detect abrupt changes in query patterns § Query pattern data is below the recursive layer § Data includes: Timestamp, Client IP, Domain queried, Resolver queried, Qtype, etc. 16

  17. Detection System Components Exploit kits Qtype Filter Fake software Browlock Phishing Spike Domain DGA Detection History Spam Filter Domain Mailservers Records Forums Filter Other More Exploit kits Expand nd t the he Int Intelli lligenc nce Gr Graph h by pivoting around Fake software IP, prefix, ASN, hoster, Browlock registrant email to catch Phishing more malware domains etc 17

  18. Spike Detection § Signal we look for is a spike § Spike defined as a jump in traffic over a two hour window – Use predetermined threshold. Helps filter out google, facebook, etc § Use a MapReduce job to calculate domains that spike – Output 50-100k domains each hour § 50-100k domains is too much for manual inspection § Domains that spike can have past history § Mail servers, blogs, victimized domains, etc 18

  19. Signals (cont’d) 19

  20. Qtype Filter § The amount of noise indicates we need more features § Look at past history, DNS Qtypes, all existing DNS records of a domain, unique IPs, unique resolvers, etc. § Partition based on Qtypes: – 1 – A Record – 15 – MX Record – 16 – TXT Record – 99 – SPF Record – 255 – ANY Record 20

  21. Qtype Partition Results § Partition spikes based on their qtype distribution – i.e. A record only, A record and MX record, etc 5 ∑ nC 5 n = 1 § Interesting patterns begin to emerge – Only see 18 out of the 40 possible combinations – 75% or greater are A records only – Many combinations never appear ie only qtype 99 – Behavior of domains can be associated with partition 21

  22. Qtype Partition Results § Qtype of (1,15) associated with legitimate mail servers – Two types of distributions – 50/50 or 99/1 split between qtypes – ~4% § Periodicity emergent in benign domains 22

  23. Qtype Partition Results § Qtype of (1,15,16,99,255) associated with legitimate mail and spam – Spam usually correlated with extremely high jumps – ~ 2.0% of all domains – demdeetz.xyz 23

  24. Domain History Filter § Past query history can be used to help remove benign domains and zero in on EMD ones § Eliminate all domains with more than X consecutive non- zero hours of traffic § Based on current EK domains’ traffic patterns, only keep domains that feature Y consecutive most recent non-zero hours of traffic 24

  25. Domain History Filter – benign with history 25

  26. Domain History Filter – Nuclear EK 26

  27. Domain Records Filter § Check for all DNS records available for a domain § The existence/non-existence of certain records helps narrow down the purpose of a domain. § Partition based on DNS records: – A – MX – TXT – CNAME – NS, specific name servers, indicative of compromise or malware 27

  28. Random Forest § Use random forest for classification – Example of ensemble learning using boosting. Boosting refers to process reducing bias from a set of weak estimators – Scalable via parallelization § Use random forest on simple 2 class problem: – Exploit Kit/Non-Exploit Kit – In reality problem is multiclass: Spam, Exploit Kit, etc – For simplicity focus on binary problem 28

  29. Random Forest (cont’d) § Input: – Spike data – Time series data § Output: – Classified domains § Use Sklearn random forest library § Challenges related to selecting features and tuning random forest parameters 29

  30. Random Forest (cont’d) § Features contain a mixture of continuous, discrete, and categorical variables. – Challenge for most estimators. Random forest handles this problem better than most estimators § Continuous: Ratio of query counts to unique IPs § Discrete: Query counts § Categorical: QType Distribution § Features include: – Number of unique IPs – Distribution of QTypes – Distribution of RCodes 30

  31. Random Forest (cont’d) § Have to tune various hyperparameters: – Number of features to decide split – Number of trees to create – Gini vs Entropy § Gini measure used for deciding when to create splits – We chose Gini because it generalizes better to continuous data. Majority of our data is continuous § Building deeper trees = longer training time § We decided to use sqrt(number of features) to determine the max number of features used to generate split 31

  32. Random Forest (cont’d) § Created a training set of 1k exploit kits and 2k non-exploit kits. § Ran through with a 10 fold cross validation § Successful in minimizing false positives: – One challenge was handling Chinese gambling sites which have close to identical behavior to exploit kit domains. – Difference is only apparent after examining lexical structure of domain name § AOC = .93 – Significantly better than random 32

  33. Results 33

  34. Detected Threats § Exploit kits: Angler Nuclear, Neutrino § DGA § Fake software, Chrome extensions § Browlock § Phishing 34

  35. Detected Threats – Recorded Hosting Patterns § Compromised domains – Domain shadowing § Domain shadowing with multiple IP resolutions § Register offshore and diversify IP space § Large abused hosting providers (Hetzner, Leaseweb, Digital Ocean) § Shady hosters within larger hosting providers (Vultr) 35

  36. Compromised domains – Domain shadowing § Compromised domains – Domain shadowing serving Angler, RIG, malvertising § Spike domain can have GoDaddy name servers and still be a non EK, e.g. Chinese lottery, casino sites, spam § Difference is: EK domains have traffic from multiple IPs spread across several resolvers § Traffic to spam, casino sites comes from a single IP 36

  37. Angler versus Spam § Exploit kit: you.b4ubucketit.com. 0.0 45 45.0 40 11 {((ams),13),((cdg),1),((fra),3),((otp),1),((mia),6),((lon),6),((nyc),1),((sin), 3),((pao),1),((wrw),3),((hkg),7)} {((1),45)} § Spam: www.tzd.tcai006.net. 0.0 26 26.0 1 1 {((lon), 26)} {((1),26)} § 46.30.43.20, AS35415, Webzilla, https://eurobyte.ru/ 37

  38. 38

  39. 39

  40. Domain shadowing on multiple hosting IPs § odksooj.mit.academy. 3600 IN A 217.172.190.160 odksooj.mit.academy. 3600 IN A 85.25.102.30 § 217.172.190.160, AS8972, PLUSSERVER-AS, https://vps-server.ru/ § 85.25.102.30, AS8972, PLUSSERVER-AS, https://vps-server.ru/ § The range 217.172.190.158-160 is hosting similar EK domains § 217.172.190.159 hosts vbnxkjd.governmentcontracting411.com which also resolves to 178.162.194.172 § 178.162.194.172, AS16265/AS28753, http://www.hostlife.net/ § The range 178.162.194.169-172 is also hosting similar EK domains 40

  41. 41

  42. 42

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

using Traffic Analysis Attacks Salini S K What is Traffic Analysis What is Traffic Analysis

using Traffic Analysis Attacks Salini S K What is Traffic Analysis What is Traffic Analysis

Website Fingerprinting using Traffic Analysis Attacks Salini S K What is Traffic Analysis What is Traffic Analysis Wiki says What is Traffic Analysis Wiki says Process of intercepting and examining messages in order to deduce

1.15k views • 41 slides
Network Traffic Analysis & Cluster Analysis Exploring Hadoop Clusters using Free Tools

Network Traffic Analysis & Cluster Analysis Exploring Hadoop Clusters using Free Tools

Network Traffic Analysis & Cluster Analysis Exploring Hadoop Clusters using Free Tools Background and Goals: Apache Spot was started recently DNS, Netflow, PCAP data is analyzed The goal is to identify: suspicous

644 views • 19 slides
About that little buffer in Active monitoring results: Comparable amount of traffic (lots of

About that little buffer in Active monitoring results: Comparable amount of traffic (lots of

Backscatter and Global Analysis Stefan Zota Attacks Analyze tcpdump logs and get global Top attack sources abnormal traffic Unsuccessful TCP connections Gather vanilla statistics: SYN attacks TCP RST ACK backscatter Port classification

367 views • 9 slides
Communication Networks and Services Quality of Service (QoS) - Identify traffic flows - Mark

Communication Networks and Services Quality of Service (QoS) - Identify traffic flows - Mark

Communication Networks and Services Quality of Service (QoS) - Identify traffic flows - Mark traffic flows - Police and shape traffic - Apply priority (managed scheduling) 1 Open-Loop Control / QoS Model Network performance is guaranteed to

408 views • 24 slides
Foxfield Traffic Committee IDENTIFY TRAFFIC CHALLENGES AND FORMULATE SOLUTIONS BASED ON EXTENSIVE

Foxfield Traffic Committee IDENTIFY TRAFFIC CHALLENGES AND FORMULATE SOLUTIONS BASED ON EXTENSIVE

Foxfield Traffic Committee IDENTIFY TRAFFIC CHALLENGES AND FORMULATE SOLUTIONS BASED ON EXTENSIVE RESEARCH AND FEEDBACK FROM RESIDENTS PRESENT RECOMMENDATION TO FOXFIELD BOARD OF TRUSTEES COMMUNITY PRESENTATION ON AUGUST 23, 2018 1 Foxfield

533 views • 28 slides
Interactive traffic analysis and Interactive traffic analysis and visualization with Wisconsin

Interactive traffic analysis and Interactive traffic analysis and visualization with Wisconsin

Interactive traffic analysis and Interactive traffic analysis and visualization with Wisconsin Netpy visualization with Wisconsin Netpy Cristian Estan, Garret Magin University of Wisconsin-Madison USENIX LISA, 19 December 2005 Traffic

345 views • 18 slides
GENES FOR JUSTICE? USING GENE EXPRESSION ANALYSIS TO identiFy THE MOLECULAR FOOTPRINTS OF

GENES FOR JUSTICE? USING GENE EXPRESSION ANALYSIS TO identiFy THE MOLECULAR FOOTPRINTS OF

b y P e t e r N . L a r s o n a n d E l l i n o r R . C o d e r GENES FOR JUSTICE? USING GENE EXPRESSION ANALYSIS TO identiFy THE MOLECULAR FOOTPRINTS OF ENVIRONMENTAL HaZards 8 Forensic identification techniques have a long history.

523 views • 5 slides
1 THE ANALYSIS OF TRAFFIC SAFETY THE ANALYSIS OF TRAFFIC SAFETY 3. Classification of stop

1 THE ANALYSIS OF TRAFFIC SAFETY THE ANALYSIS OF TRAFFIC SAFETY 3. Classification of stop

AGENDA AGENDA 1. The role and significance of public transport and tram transport in urban areas 2. Goal and stages of the study 1 THE ANALYSIS OF TRAFFIC SAFETY THE ANALYSIS OF TRAFFIC SAFETY 3. Classification of stop stations at tram stops

169 views • 4 slides
Measurement Techniques Part 2: Measurement Techniques Terminology and general issues

Measurement Techniques Part 2: Measurement Techniques Terminology and general issues

Part 2 Measurement Techniques Part 2: Measurement Techniques Terminology and general issues Active performance measurement SNMP and RMON Packet monitoring Flow measurement Traffic analysis Terminology and General I

758 views • 64 slides
Traffic Classifier Real Time Classification and Analysis of T1/E1 Traffic 818 West Diamond Avenue

Traffic Classifier Real Time Classification and Analysis of T1/E1 Traffic 818 West Diamond Avenue

Traffic Classifier Real Time Classification and Analysis of T1/E1 Traffic 818 West Diamond Avenue - Third Floor, Gaithersburg, MD 20878 Phone: (301) 670-4784 Fax: (301) 670-9187 Email: info@gl.com Website: http://www.gl.com 1 1 Traffic

228 views • 11 slides
ICmyNet.Flow: NetFlow based traffic investigation analysis traffic investigation, analysis, and

ICmyNet.Flow: NetFlow based traffic investigation analysis traffic investigation, analysis, and

ICmyNet.Flow: NetFlow based traffic investigation analysis traffic investigation, analysis, and reporting Slavko Gajin slavko.gajin@ rcub.bg.ac.rs AMRES Academic Network of Serbia RCUB - Belgrade University Computer Center ETF

641 views • 46 slides
Network Traffic Characterization Srinidhi Varadarajan Traffic Analysis: Introduction

Network Traffic Characterization Srinidhi Varadarajan Traffic Analysis: Introduction

Network Traffic Characterization Srinidhi Varadarajan Traffic Analysis: Introduction Youve just invented the greatest protocol does everything including tying your shoelaces. What now? Need to know how it performs. Is it

510 views • 13 slides
High Speed Traffic Analysis for High-Speed Traffic Analysis for Security: Challenges &

High Speed Traffic Analysis for High-Speed Traffic Analysis for Security: Challenges &

High Speed Traffic Analysis for High-Speed Traffic Analysis for Security: Challenges & Approaches Security: Challenges & Approaches C-DAC Asia-Pacific Advanced Network 32 nd Meeting, India Habitat Centre, New Delhi APAN 32nd Meeting,

647 views • 28 slides
Traffic Analysis The Most Powerful and Least Understood Attack Methods Raven Alder, Riccardo

Traffic Analysis The Most Powerful and Least Understood Attack Methods Raven Alder, Riccardo

Traffic Analysis The Most Powerful and Least Understood Attack Methods Raven Alder, Riccardo Bettati, Jon Callas, Nick Matthewson 1 What is Traffic Analysis? Signals intelligence that ignores content Information for analysis is the

355 views • 14 slides
my.SWISSTRAFFIC Automated Traffic Collection & Analysis FULLY AUTOMATED TRAFFIC DATA

my.SWISSTRAFFIC Automated Traffic Collection & Analysis FULLY AUTOMATED TRAFFIC DATA

my.SWISSTRAFFIC Automated Traffic Collection & Analysis FULLY AUTOMATED TRAFFIC DATA COLLECTION AND ANALYTICS There is a high demand for reliable Traffic Data but Static data single-purpose data Invasive costly deployment &

404 views • 18 slides
ANALYSIS ETI2506 Sunday, 23 October 2016 1 WHERE ARE WE IN THE CURRICULUM? 2 GOAL OF TRAFFIC

ANALYSIS ETI2506 Sunday, 23 October 2016 1 WHERE ARE WE IN THE CURRICULUM? 2 GOAL OF TRAFFIC

IN INTRODUCTION TO TRAFFIC ANALYSIS ETI2506 Sunday, 23 October 2016 1 WHERE ARE WE IN THE CURRICULUM? 2 GOAL OF TRAFFIC ANALYSIS 1. Except for user terminals, the telephone network is composed of a variety of common 45 Trunks equipment

385 views • 17 slides
D203 K-4 Elementary Summer Learning Parent Presentation K-4 Elementary Summer Learning Locations

D203 K-4 Elementary Summer Learning Parent Presentation K-4 Elementary Summer Learning Locations

D203 K-4 Elementary Summer Learning Parent Presentation K-4 Elementary Summer Learning Locations and Directors North Location: South Location: Beebe Elementary

416 views • 19 slides
Investor presentation 02.12.2020 Nasdaq (TCX) | TSX (TC) Safe Harbor Statement This

Investor presentation 02.12.2020 Nasdaq (TCX) | TSX (TC) Safe Harbor Statement This

Investor presentation 02.12.2020 Nasdaq (TCX) | TSX (TC) Safe Harbor Statement This presentation may contain forward-looking statements, relating to the Companys operations or to the environment in which it operates, which are based on

749 views • 28 slides
Johnson High School Tip #1: Consider Graduation Credit Requirements 8 semesters (16

Johnson High School Tip #1: Consider Graduation Credit Requirements 8 semesters (16

Johnson High School Tip #1: Consider Graduation Credit Requirements 8 semesters (16 Credits) English 8 semesters (16 Credits) Social Studies 6 semesters (12 Credits) Science 6 semesters (12 Credits) Mathematics 2

409 views • 21 slides
HIDING IN PLAIN SIGHT: A LONGITUDINAL STUDY OF COMBOSQUATTING ABUSE P . K I N T I S , N . M I

HIDING IN PLAIN SIGHT: A LONGITUDINAL STUDY OF COMBOSQUATTING ABUSE P . K I N T I S , N . M I

HIDING IN PLAIN SIGHT: A LONGITUDINAL STUDY OF COMBOSQUATTING ABUSE P . K I N T I S , N . M I R A M I R K H A N I , C . L E V E R , Y . C H E N , R . R O M E R O - G M E Z , N . P I T R O P A K I S , N . N I K I F O R A K I S , M

495 views • 28 slides
Domain Name System (DNS) Session 3: Authoritative Name Server using BIND9 tzNOG 4 Workshop, Dar

Domain Name System (DNS) Session 3: Authoritative Name Server using BIND9 tzNOG 4 Workshop, Dar

Domain Name System (DNS) Session 3: Authoritative Name Server using BIND9 tzNOG 4 Workshop, Dar es Salaam Recap DNS is a distributed database Stub asks Resolver for information Resolver traverses the DNS delegation tree to find

799 views • 39 slides
Pre-registration name_new Hashed domain name 0.01 NMC After 12 blocks

Pre-registration name_new Hashed domain name 0.01 NMC After 12 blocks

Pre-registration name_new Hashed domain name 0.01 NMC After 12 blocks name_firstupdate Registration Add resouce records Make changes name_update Extend validation Packet interception ID guessing & query

647 views • 21 slides
Hong Kong Internet Exchange (HKIX) http://www.hkix.net/ What is HKIX? HKIX is a public

Hong Kong Internet Exchange (HKIX) http://www.hkix.net/ What is HKIX? HKIX is a public

Hong Kong Internet Exchange (HKIX) http://www.hkix.net/ What is HKIX? HKIX is a public Internet Exchange Point (IXP) in Hong Kong HKIX is the main Interconnection point in HK where ISPs in HK can interconnect with one another and

512 views • 36 slides
Connecting to Citrix MetaFrame Presentation Server through Proxy Servers Web Interface and Proxy

Connecting to Citrix MetaFrame Presentation Server through Proxy Servers Web Interface and Proxy

Connecting to Citrix MetaFrame Presentation Server through Proxy Servers Web Interface and Proxy Servers When a user logs into Web Interface and clicks an application icon, Web Interface dynamically renders an ICA file containing the instructions

490 views • 3 slides

More recommend