presentation scalable detection of botnets based on dga
play

Presentation: Scalable Detection of Botnets Based on DGA Presentation - PDF document

Mar 24, 2024 •348 likes •561 views

See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/333652427 Presentation: Scalable Detection of Botnets Based on DGA Presentation June 2019 DOI: 10.13140/RG.2.2.24134.32322 CITATIONS

  1. See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/333652427 Presentation: Scalable Detection of Botnets Based on DGA Presentation · June 2019 DOI: 10.13140/RG.2.2.24134.32322 CITATIONS READS 0 26 3 authors: Mattia Zago Manuel Gil Pérez University of Murcia University of Murcia 19 PUBLICATIONS 32 CITATIONS 87 PUBLICATIONS 461 CITATIONS SEE PROFILE SEE PROFILE Gregorio Martinez Perez University of Murcia 252 PUBLICATIONS 2,224 CITATIONS SEE PROFILE Some of the authors of this publication are also working on these related projects: AuthCODE View project Selfnet View project All content following this page was uploaded by Mattia Zago on 07 June 2019. The user has requested enhancement of the downloaded file.

  2. S CALABLE D ETECTION OF B OTNETS BASED ON DGA E FFICIENT F EATURE D ISCOVERY P ROCESS IN M ACHINE L EARNING T ECHNIQUES Speaker: Mattia Zago Authors: M. Zago, M. Gil Pérez, G. Martínez Pérez Available Online – Soft Computing – Q2 IF: 2.367 Zago, M., Gil Pérez, M. & Martínez Pérez, G. Soft Comput (2019). 10.1007/s00500-018-03703-8

  3. O UR A GENDA FOR T ODAY Background & Motivation State of The  Subject localisation  Relevance Art  Objective  Machine learning Analysis algorithms  Feature sets and families  Exploratory feature analysis Challenges  Classification results  Binary problem  Multiclass problem  Data  Best practices March 2019 Mattia Zago – Scalable Detection of Botnets based on DGA: Efficient Feature Discovery Process in ML Techniques 2

  4. W HAT IS A B OTNET ? March 2019 Mattia Zago – Scalable Detection of Botnets based on DGA: Efficient Feature Discovery Process in ML Techniques 3

  5. DGA: D OMAIN G ENERATION A LGORITHM March 2019 Mattia Zago – Scalable Detection of Botnets based on DGA: Efficient Feature Discovery Process in ML Techniques 4

  6. DGA: D OMAIN G ENERATION A LGORITHM Objective Analyse DNS queries to detect malicious AGDs connections March 2019 Mattia Zago – Scalable Detection of Botnets based on DGA: Efficient Feature Discovery Process in ML Techniques 5

  7. A PPROACHES TO THE DETECTION – ML March 2019 Mattia Zago – Scalable Detection of Botnets based on DGA: Efficient Feature Discovery Process in ML Techniques 6

  8. S TATE OF T HE A RT REGARDING A LGORITHMS Identified Since Selected 2010 +30 More than researches 100 articles We have identified six comparison metrics Machine Learning approach Type of application (either supervised, non (e.g., binary or multiclass classifier, supervised) correlation, anomaly detection, 01 02 etc.) Family of features used Comparisons 06 03 (i.e., either Context-Free or with other works, approaches or Context-Aware) algorithms 05 04 Real-time analysis Achieved results (i.e., online detection, (either poor, average, good and performance scalability, etc.) excellent) March 2019 Mattia Zago – Scalable Detection of Botnets based on DGA: Efficient Feature Discovery Process in ML Techniques 7

  9. A PPROACHES TO DGA DETECTION – F EATURES L ANGUAGE A NALYSIS Context-Free Usage of Natural Language Process A feature that is related only to a techniques to estimate FQDN and thus is independent of if the domain is legit or not contextual information, including, but (i.e. test the randomness) not limited to, timing, origin or any Examples other environment configuration. – Length of the string – Entropy – Frequency analysis – Vowels ratio DNS Q UERY A NALYSIS Context-Aware Decode sniffed queries and responses A feature that is dependent on the and look for “troublesome” indicators specific malware sample execution, that may suggest a regular pattern. which is realised in a precise environment with a specific config. Examples and in a particular time frame. Num. of connections – Num. of IP addresses– Num. of NXDomains – Longevity of domain – March 2019 Mattia Zago – Scalable Detection of Botnets based on DGA: Efficient Feature Discovery Process in ML Techniques 8

  10. S TATE OF T HE A RT REGARDING F EATURES Used By Code Description 11 14 16 24 28 33 34 38 45 46 48 49 51 52 54 56 57 58 59 65 66 Tot. 3 5 9 NLP-L-x String length ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ 16 NLP-LDN Number of domain levels 3 ✔ ✔ ✔ NLP-R-NUM-x Ratio of numerical characters ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ 8 NLP-R-VOW-x Ratio of vowel characters 4 ✔ ✔ ✔ ✔ NLP-R-CON-x Ratio of consonants characters 4 ✔ ✔ ✔ ✔ NLP-LANG Language hypothesis 2 ✔ ✔ NLP-LC-C Longest consecutive cons. sequence 5 ✔ ✔ ✔ ✔ ✔ NLP-LC-V Longest consecutive vowel sequence ✔ 1 NLP-LC-D Longest consecutive number seq. 3 ✔ ✔ ✔ NLP-COV Covariance matrix ✔ 1 NLP-R-MC Ratio of meaningful characters 3 ✔ ✔ ✔ NLP-LMS Length of longest meaningful string 0 NLP-WLU Number of “word-like” units 1 ✔ NLP-SQS Domain squatting score 1 ✔ NLP-LED Levenshtein Edit Distance ✔ ✔ 2 NLP-nG-FR Frequency distribution (histogram) 4 ✔ ✔ ✔ ✔ NLP-nG-E Entropy 11 ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ NLP-nG-COV Covariance 1 ✔ NLP-nG-MEAN Mean of frequencies 1 ✔ NLP-nG-MED Median of frequencies ✔ 1 NLP-nG-VAR Variance of frequencies 1 ✔ NLP-nG-STD Standard deviation of frequencies ✔ 1 NLP-nG-PRO Pronounceability score 3 ✔ ✔ ✔ NLP-nG-NORM Normality score 3 ✔ ✔ ✔ NLP-nG-PRT Transition probability 2 ✔ ✔ NLP-nG-PRA Probability of appearance 2 ✔ ✔ NLP-nG-PRI Index probability ✔ ✔ 2 NLP-nG-DST-KL Kullback-Leiber divergence 2 ✔ ✔ NLP-nG-DST-JI Jaccard Index measure ✔ ✔ ✔ ✔ 4 NLP-nG-DST-TH Distance - Threshold 1 ✔ NLP-nG-DST-AF Distance - Avg. frequency 1 ✔ NLP-nG-DST-AC Distance - Avg. count 2 ✔ ✔ Total 1 4 7 3 1 4 7 1 9 1 1 2 7 5 8 3 8 6 1 2 3 4 5 3 March 2019 Mattia Zago – Scalable Detection of Botnets based on DGA: Efficient Feature Discovery Process in ML Techniques 9

  11. S TATE OF T HE A RT REGARDING F EATURES Used By Code Description 11 14 16 24 28 33 34 38 45 46 48 49 51 52 54 56 57 58 59 65 66 Tot. 3 5 9 NLP-L-x String length ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ 16 NLP-LDN Number of domain levels 3 ✔ ✔ ✔ NLP-R-NUM-x Ratio of numerical characters ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ 8 NLP-R-VOW-x Ratio of vowel characters 4 ✔ ✔ ✔ ✔ NLP-R-CON-x Ratio of consonants characters 4 ✔ ✔ ✔ ✔ NLP-LANG Language hypothesis 2 ✔ ✔ NLP-LC-C Longest consecutive cons. sequence 5 ✔ ✔ ✔ ✔ ✔ NLP-LC-V Longest consecutive vowel sequence ✔ 1 NLP-LC-D Longest consecutive number seq. 3 ✔ ✔ ✔ NLP-COV Covariance matrix ✔ 1 NLP-R-MC Ratio of meaningful characters 3 ✔ ✔ ✔ NLP-LMS Length of longest meaningful string 0 NLP-WLU Number of “word-like” units 1 ✔ NLP-SQS Domain squatting score 1 ✔ NLP-LED Levenshtein Edit Distance ✔ ✔ 2 NLP-nG-FR Frequency distribution (histogram) 4 ✔ ✔ ✔ ✔ NLP-nG-E Entropy 11 ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ NLP-nG-COV Covariance 1 ✔ NLP-nG-MEAN Mean of frequencies 1 ✔ NLP-nG-MED Median of frequencies ✔ 1 NLP-nG-VAR Variance of frequencies 1 ✔ NLP-nG-STD Standard deviation of frequencies ✔ 1 NLP-nG-PRO Pronounceability score 3 ✔ ✔ ✔ NLP-nG-NORM Normality score 3 ✔ ✔ ✔ NLP-nG-PRT Transition probability 2 ✔ ✔ NLP-nG-PRA Probability of appearance 2 ✔ ✔ NLP-nG-PRI Index probability ✔ ✔ 2 NLP-nG-DST-KL Kullback-Leiber divergence 2 ✔ ✔ NLP-nG-DST-JI Jaccard Index measure ✔ ✔ ✔ ✔ 4 NLP-nG-DST-TH Distance - Threshold 1 ✔ NLP-nG-DST-AF Distance - Avg. frequency 1 ✔ NLP-nG-DST-AC Distance - Avg. count 2 ✔ ✔ Total 1 4 7 3 1 4 7 1 9 1 1 2 7 5 8 3 8 6 1 2 3 4 5 3 March 2019 Mattia Zago – Scalable Detection of Botnets based on DGA: Efficient Feature Discovery Process in ML Techniques 10

  12. S TATE OF T HE A RT REGARDING F EATURES - E XPLORE Scatter plot of 10.000 FQDNs Axis: Horizontal Length • Vertical Entropy • Dots: Green Legitimate • Other colours Malware • March 2019 Mattia Zago – Scalable Detection of Botnets based on DGA: Efficient Feature Discovery Process in ML Techniques 11

  13. S TATE OF T HE A RT REGARDING F EATURES - E XPLORE Scatter plot of 10.000 FQDNs Axis: Horizontal Length • Vertical Entropy • Dots: Light Blue Legitimate • Red Malware • March 2019 Mattia Zago – Scalable Detection of Botnets based on DGA: Efficient Feature Discovery Process in ML Techniques 12

  14. E XAMPLE OF F EATURE A NALYSIS Features that are interesting for Features that are interesting for their values their shapes Length of domain name Longest Consecutive (excluding TLD) Consonant Sequence March 2019 Mattia Zago – Scalable Detection of Botnets based on DGA: Efficient Feature Discovery Process in ML Techniques 13

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Kargus: A Highly scalable Software based Intrusion Detection System M. Asim Jamshed * ,

Kargus: A Highly scalable Software based Intrusion Detection System M. Asim Jamshed * ,

Kargus: A Highly scalable Software based Intrusion Detection System M. Asim Jamshed * , Jihyung Lee , Sangwoo Moon , InsuYun * , Deokjin Kim , Sungryoul Lee , Yung Yi , KyoungSoo Park * * Networked & Distributed

776 views • 41 slides
BotNets BotNets- Cybe Cyber T r Torrirism orrirism Ba Batt ttling ling th the t e thr

BotNets BotNets- Cybe Cyber T r Torrirism orrirism Ba Batt ttling ling th the t e thr

BotNets BotNets- Cybe Cyber T r Torrirism orrirism Ba Batt ttling ling th the t e thr hrea eats ts of inte of intern rnet et Assoc. Prof. Dr. Sureswaran Ramadass National Advanced IPv6 Center - Director Why Talk About Botnets?

722 views • 35 slides
Detection of peer-to-peer botnets Matthew Steggink, Igor Idziejczak February 6, 2008 1 / 17

Detection of peer-to-peer botnets Matthew Steggink, Igor Idziejczak February 6, 2008 1 / 17

Outline Introduction & theory Research question Peacomm case study Detection Conclusion & future work Detection of peer-to-peer botnets Matthew Steggink, Igor Idziejczak February 6, 2008 1 / 17 Outline Introduction & theory

570 views • 17 slides
Indexing Local Configurations of Features for Scalable Content-Based Video Copy Detection

Indexing Local Configurations of Features for Scalable Content-Based Video Copy Detection

Indexing Local Configurations of Features for Scalable Content-Based Video Copy Detection Sebastien Poullot, Xiaomeng Wu, and Shinichi Satoh National Institute of Informatics (NII) Michel Crucianu, Conservatoire National des Arts et

603 views • 24 slides
LLVM: built-in scalable code clone detection based on semantic analysis Institute for System

LLVM: built-in scalable code clone detection based on semantic analysis Institute for System

LLVM: built-in scalable code clone detection based on semantic analysis Institute for System Programming of the Russian Academy of Sciences Sevak Sargsyan : sevaksargsyan@ispras.ru Shamil Kurmangaleev : kursh@ispras.ru Andrey Belevantsev :

451 views • 19 slides
A scalable quantum architecture for dark matter detection Daniel Carney JQI/QuICS, University of

A scalable quantum architecture for dark matter detection Daniel Carney JQI/QuICS, University of

A scalable quantum architecture for dark matter detection Daniel Carney JQI/QuICS, University of Maryland/NIST Theory Division, Fermilab Based on Gravitational direct detection of dark matter DC , S. Ghosh, G. Krnjaic, J. M. Taylor,

387 views • 36 slides
Detecting Botnets with NetFlow V. Krmek, T. Plesnk {vojtec|plesnik}@ics.muni.cz FloCon

Detecting Botnets with NetFlow V. Krmek, T. Plesnk {vojtec|plesnik}@ics.muni.cz FloCon

Detecting Botnets with NetFlow V. Krmek, T. Plesnk {vojtec|plesnik}@ics.muni.cz FloCon 2011, January 12, Salt Lake City, Utah Presentation Outline NetFlow Monitoring at MU Chuck Norris Botnet in a Nutshell Botnet Detection Methods

906 views • 63 slides
Botnets CS 598: Advanced Internet Presented by: Imranul Hoque How to Study Botnets? Passive

Botnets CS 598: Advanced Internet Presented by: Imranul Hoque How to Study Botnets? Passive

Botnets CS 598: Advanced Internet Presented by: Imranul Hoque How to Study Botnets? Passive analysis Study spam e-mail, DNS queries by bot-infected machines, DNS blacklists, analyze network traffic, etc. Infiltration Todays

686 views • 15 slides
Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse) Detection Intrusion Detection Host-based Network-based Boriana Ditcheva and Lisa Fowler Active/Passive University of North Carolina at

401 views • 12 slides
NECST laboratory BOTNETS FUNDING ETC. . @syssecproject SysSec Project:

NECST laboratory BOTNETS FUNDING ETC. . @syssecproject SysSec Project:

PHOENIX & CERBERUS We haz botnets! #Honeynet2014 Stefano Schiavoni, Edoardo Colombo Federico Maggi Lorenzo Cavallaro Stefano Zanero Politecnico Di Milano & Royal Hollway, University of London NECST laboratory BOTNETS FUNDING ETC.

1.28k views • 107 slides
BOTNETS GRAD SEC NOV 21 2017 TODAYS PAPERS BOTNETS Collection of compromised machines

BOTNETS GRAD SEC NOV 21 2017 TODAYS PAPERS BOTNETS Collection of compromised machines

BOTNETS GRAD SEC NOV 21 2017 TODAYS PAPERS BOTNETS Collection of compromised machines (bots) under unified control of an attacker (botmaster) Method of compromise decoupled from method of control Launch a worm/virus, etc.:

790 views • 16 slides
Previously Instance recognition Local features: detection and description Window-based

Previously Instance recognition Local features: detection and description Window-based

4/11/2011 Previously Instance recognition Local features: detection and description Window-based models for Local feature matching, scalable indexing Spatial verification generic object detection Intro to generic object

429 views • 11 slides
faster c&c detection - strategies for finding algorithmically generated domain names

faster c&c detection - strategies for finding algorithmically generated domain names

. Malgorzata Debska September 22, 2015 CERT Polska faster c&c detection - strategies for finding algorithmically generated domain names Introduction - what is DGA? Malicious usage in botnets Benign DGA - false alarms in detection

1.38k views • 99 slides
Detecting Botnets with Temporal Persistence Jaideep Chandrashekar Frederic

Detecting Botnets with Temporal Persistence Jaideep Chandrashekar Frederic

Detecting Botnets with Temporal Persistence Jaideep Chandrashekar Frederic Giroire Nina Taft Eve Schooler Mascotte project I3S (CNRS, Univ. of Nice) Intel Labs INRIA Sophia Antipolis Botnets: Why care? Botnet

888 views • 46 slides
Scalable Architecture for Anomaly Detection and Visualization in Power Generating Assets

Scalable Architecture for Anomaly Detection and Visualization in Power Generating Assets

Scalable Architecture for Anomaly Detection and Visualization in Power Generating Assets Paras Jain, Chirag Tailor , Sam Ford, Liexiao (Richard) Ding, Michael Phillips, Fang (Cherry) Liu, Nagi Gabraeel, Polo Chau 1/13 Background

325 views • 13 slides
Peer-to-Peer Botnet Detection Using NetFlow Connor Dillon System and Network Engineering

Peer-to-Peer Botnet Detection Using NetFlow Connor Dillon System and Network Engineering

Peer-to-Peer Botnet Detection Using NetFlow Connor Dillon System and Network Engineering University of Amsterdam Master thesis presentation, July 3 rd 2014 Supervisor: Pepijn Janssen RedSocks Botnets Large group of infected computers,

610 views • 23 slides
Legal Review An Association TRENDS Special Focus sponsored by VENABLE LLP Venable is pleased

Legal Review An Association TRENDS Special Focus sponsored by VENABLE LLP Venable is pleased

2012 Annual Legal Review An Association TRENDS Special Focus sponsored by VENABLE LLP Venable is pleased Association legal concerns ran the to sponsor again the gamut in 2011, from the new Association TRENDS Annual area of Internet concerns,

511 views • 4 slides
STEM Schools Recruit and retain highly Use principles of inquiry qualified, committed and

STEM Schools Recruit and retain highly Use principles of inquiry qualified, committed and

STEM Schools Recruit and retain highly Use principles of inquiry qualified, committed and discovery to guide teachers hands-on, minds-on projects Set high expectations for all Foster creativity and students collaboration

363 views • 7 slides
Domain-Specific Reduction of Language Model Databases: Overcoming Chatbot Implementation

Domain-Specific Reduction of Language Model Databases: Overcoming Chatbot Implementation

Domain-Specific Reduction of Language Model Databases: Overcoming Chatbot Implementation Obstacles Nicholas J. Kaimakis, Dan M. Davis Samuel Breck, & Benjamin D. Nye HPC-Education Institute for Creative Technologies (ICT) and USC Univ.

235 views • 20 slides
Predictive Coding: The g Future of eDiscovery presenters Stephanie A. Tess Blair Scott

Predictive Coding: The g Future of eDiscovery presenters Stephanie A. Tess Blair Scott

Predictive Coding: The g Future of eDiscovery presenters Stephanie A. Tess Blair Scott A. Milner May 15th, 2012 Introduction Pl Please note that any advice contained in this presentation is not intended or t th t d i t i d i thi

564 views • 33 slides
Agenda Provisions Policy Punishable Acts Penalties Penalties Enforcement Issues Status

Agenda Provisions Policy Punishable Acts Penalties Penalties Enforcement Issues Status

Agenda Provisions Policy Punishable Acts Penalties Penalties Enforcement Issues Status SEC. 2. Declaration of Policy. The State recognizes the vital role of information and communications industries such as content production,

406 views • 22 slides
FATIGUE AND ACL INJURY RISK Mason Chen Stanford Online High School 2020 JMP US Discovery

FATIGUE AND ACL INJURY RISK Mason Chen Stanford Online High School 2020 JMP US Discovery

FATIGUE AND ACL INJURY RISK Mason Chen Stanford Online High School 2020 JMP US Discovery Summit Project Motivation In the 2019 NBA Finals, Kevin Durant ruptured his Achilles while Klay Thompson suffered an ACL injury Thompson won 30

437 views • 18 slides
Pequea Valley School District Cathy Koenig August 30,2016 Eligibility for Gifted programming

Pequea Valley School District Cathy Koenig August 30,2016 Eligibility for Gifted programming

Pequea Valley School District Cathy Koenig August 30,2016 Eligibility for Gifted programming requires 2 things: Cognitive Ability and Learning Strengths Cognitive Ability The student must demonstrate cognitive strength by scoring

298 views • 8 slides
LCAP Meeting 10.10.19 Dr. Veronica Ortega Agenda Introductions What is the LCAP?

LCAP Meeting 10.10.19 Dr. Veronica Ortega Agenda Introductions What is the LCAP?

LCAP Meeting 10.10.19 Dr. Veronica Ortega Agenda Introductions What is the LCAP? 3-year cycle PVSD current goals What are the needs? Data walk and analysis Questions? Feedback Current District Goals What is the

420 views • 12 slides

More recommend