procopiou anna
play

Procopiou Anna 931769 Professor: Dr. Athanasopoulos Elias 1 - PowerPoint PPT Presentation

Jul 02, 2023 •268 likes •1.17k views

Procopiou Anna 931769 Professor: Dr. Athanasopoulos Elias 1 Articles 1. Detecting Malware Domains at the Upper DNS Hierarchy -M.Antonakakis et. al 2. ZMap: Fast Internet-wide Scanning and Its Security Applications -Z. Durumeric et. al 2

  1. Procopiou Anna 931769 Professor: Dr. Athanasopoulos Elias 1

  2. Articles 1. Detecting Malware Domains at the Upper DNS Hierarchy -M.Antonakakis et. al 2. ZMap: Fast Internet-wide Scanning and Its Security Applications -Z. Durumeric et. al 2

  3. Agenda 1. ARTICLE 1: Detecting Malware Domains at the Upper DNS Hierarchy • Main idea of the article • Background and Related work • Author ’ s proposal • Differences from prior art • Statistical features • Evaluation • Conclusions 3

  4. Detecting Malware Domains at the Upper DNS Hierarchy Key Ideas MISCREANTS USE DNS TO BUILD MALWARE-RELATED DOMAIN NAMES DETECTION SYSTEM  KOPIS MALICIOUS NETWORK INFRASTRUCTURES FOR MALWARE C&C 4

  5. BACKGROUND NEEDED Domain Name System (DNS) 5

  6. Domain name system (DNS) hierarchy 6

  7. Domain Name System ty types of of DN DNS queries — recursive, iterative 7

  8. DNS Query Recursive query 8

  9. DNS Query Iterative query www.google.com. 9

  10. Resource Record Resource Record (RR)? Mapping from a domain name to IP Authoritative domain name tuples Who is looking up what and where is pointing? Q j (d) = (T j , R j , d, IPs j ) 10

  11. Benign websites An attacker compromises a benign site (domain) to How distribute malware, or perform other nefarious activity (e.g., Phishing, Spam). attackers Malicious site leverage An attacker creates a malicious site (domain) to distribute malware, or perform other nefarious domains in activity (e.g., Phishing, Spam). their attacks? Command & Control (C&C) What an attacker uses to execute their own code on the victim’s computer using payload.

  12. Related Work 1. Measurements and Laboratory Simulations of the Upper DNS Hierarchy, D. Wessels, et. Al • Examining DNS caching behavior of RECURSIVE DNS serves from the point of view of TLD and AuthNS servers 2. An Internet Wide View into DNS Lookup Patterns, Hao et al. • DNS look-up patterns measured from .com TLD servers • DRAWBACK: not discuss how the findings may be leveraged for detection purposes 3. D. Dagon, C. Zou, and W. Lee. Modeling botnet propagation using time zones. In In Proceedings of the 13 th Network and Distributed System Security Symposium NDSS, 2006 4. S. Staniford, V. Paxson, and N. Weaver. How to own the internet in your spare time. In Proceedings of the 11th USENIX Security Symposium, pages 149 – 167, Berkeley, CA, USA, 2002. USENIX Association 5. N. Weaver, S. Staniford, and V. Paxson. Very fast containment of scanning worms. In In Proceedings of the 13th USENIX Security Symposium, pages 29 – 44, 2004 6. M. P. Collins, T. J. Shimeall, S. Faber, J. Janies, R. Weaver, M. De Shon, and J. Kadane. Using uncleanliness to predict future botnet addresses. In Proceedings of the 7th ACM SIGCOMM conference on Internet measurement, IMC ’ 07, pages 93 – 104, New York, NY, USA, 2007. ACM 7. M. Felegyhazi, C. Keibich, and V. Paxson. On the potential of proactive domain blacklisting. In Third USENIX LEET Workshop, 2010 12

  13. Motivation of the paper IP-based blocking techniques cannot stay up-to-date due to the humongous number of domains attackers use for C&C DNSBL-based technologies cannot keep up with the volume of new domains botnets use Malware families utilize domains to discover the up-to-date C&C addresses Time gap between the release of a malware and its discovery 13

  14. Response Problem malicious use of DNS Existed solution static domain blacklists containing known malware domains Drawback limited effectiveness as humongous number of new domains appear on the Internet every day  difficult to keep them up-to-date 14

  15. Qualities of DYNAMICALLY Detection Global visibility into DNS request and DNS operators independently deploy Accurately detect malware-related system response messages related to large the system and detect malware- domains even in the absence of DNS zones related domains within their reputation data for the IP address authority zones space pointed to by the domains 15

  16. Qualities of DYNAMICALLY Detection system GLOBAL VISIBILITY INTO DNS DNS OPERATORS INDEPENDENTLY ACCURATELY DETECT MALWARE- REQUEST DEPLOY THE SYSTEM AND DETECT RELATED DOMAINS EVEN IN THE MALWARE-RELATED DOMAINS ABSENCE OF REPUTATION DATA FOR RESPONSE MESSAGES RELATED TO WITHIN THEIR AUTHORITY ZONES THE IP ADDRESS SPACE POINTED TO LARGE DNS ZONES BY THE DOMAINS Important as IP Practical, low-cost reputation data is Early warning and time-efficient difficult to accumulated detection & response and fragile 16

  17. New Approach: Kopis DNS hierarchical distributed database thus in some point we can have global visibility TLDs & AuthNSs Why not roots? Even we could have the same visibility the caching effect is too high to actually make that signal significant 17

  18. System’s Goal Detect malware-related domain names as they rise WITHOUT need of a sample 18

  19. Passively monitors DNS traffic at the upper levels of DNS hierarchy Introduces alternative IP-reputation agnostic Contributions classification signal for DNS Of Kopis Identify rising botnets weeks before corresponding malware is found Detect accurately malware domains by analysing global DNS query resolution patterns 19

  20. Notos Prior Art Exposure 20

  21. Differences from Prior Art NOTOS & EXPOSURE KOPIS • Can be applied on the recursive ISP • Global visibility on requesters focused in specific set of zones • Almost global visibility on the point of view of zones (e.g. • Predictions on domains only in that zone .ru, .cn) • Predict accurately malware-related domain without the need • Partial visibility of the point of view of requesters of IP reputation data • Rely heavily on features based on IP reputation • Extracts statistical features specifically chosen to harvest the “malware signal” as seen from the upper DNS hierarchy 21 • Leverage RDNS-level DNS traffic monitoring

  22. Results SYSTEMS TRUE POSITIVES FALSE POSITIVES NOTOS 96.80% 0.38% EXPOSURE 98% 7.90% KOPIS 98.40% 0.3%-0.5% 22

  23. System Overview Training Mode Operation Mode 23

  24. Requester Diversity Statistical Feature Requester Profile Families Resolved IPs Reputation 24

  25. ̵ ̵ • Req equester Div Diversi sity er 1 0.9 0.8 0.7 CDF Characterize if the machines that query a given 0.6 • 0.5 domain name are localized or globally 0.4 0.3 distributed al 0.2 0.1 0 0 200 400 600 800 1000 1200 Malicious domain names have a different (a) AS Diversity average distribution from legitimate ones • 1 0.9 0.8 For both features the benign domain names 0.7 CDF 0.6 have a bimodal distribution 0.5 0.4 0.3 0.2 • ­­ ain 0.1 Malicious domain names are spread across 0 0 20 40 60 80 100 the spectrum (b) CC Diversity m Malicious Benign The malwarerelated domain names cover a larger spectrum of diversities: Maybe due to the success of the malware distribution mechanisms they employ • 25

  26. Requester Profile • s. • h (A) ed Benign Req equester Malicious 0.0 0.1 0.2 0.3 0.4 PDF Profi file le • We model differently 0 5 10 15 20 Determine if machines resolving the Number of requester IPs per CIDR ­­ domain names are from networks that (B) historically have been prone to infections or not Benign Malicious • 0e+00 2e−04 4e−04 • PDF Assign higher weight to servers with many clients – ke it significantly harder to dilute • Not all querying machines have 0 1000 2000 3000 4000 5000 similar characteristics the overall classification signal Average Weight • We would like to distinguish between requesters located in ISP/small business and home networks 26

  27. Describes whether, and to what extent, the IP address space pointed to by Req equester r IPs- a given domain has been historically linked with known malicious activities Rep eputation or known legitimate services. (Malware Evidence, SBL Evidence, Whitelist Evidence) 27

  28. Evaluation Key Observation from Datasets Datasets: Traffic from 1. 2 major domain registrars (8 months) 2. .ca TLD (~2months) Observations: Data reductions process (tuples) does not affect the detection ability of Kopis. Not all domain names have the same interest. Spend time to analyze the most interesting based on the lookup requester diversity (100.000 most diverse domains). 28

  29. Model selection Random Forest Classifier(RF) • 2 – 5 day training window • RESULTS: (5day observation window) TP-rate = 98.4% FP-rate = 0.3% 29

  30. Evaluation Overall Detection Performance 30

  31. Evaluation New and Previously Unclassified Domains TP-rates for different observation periods using an 80/20 train/test dataset split FP-rates for different observation periods using an 80/20 train/test dataset split 31

  32. Deltas The distribution of the malware as they arrived in our Using domain name from testing dataset in 80/20 mode malware feed follow the same distribution as the botnet 32

  33. Canadian TLD 33

  34. IMDDOS-Start 34

  35. IMDDOS Peak 35

  36. Botnet ’ s Growth 36

  37. IMDDOS-Early Detection • The average lookup volume every day was 438,471 with the average de ­ duplicated query tuples in the range of 3,883. 37

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

TMS Bobcats want to say... Ron Melton Anna Palumbos Grandpa Jeanie Melton Anna Palumbos

TMS Bobcats want to say... Ron Melton Anna Palumbos Grandpa Jeanie Melton Anna Palumbos

TMS Bobcats want to say... Ron Melton Anna Palumbos Grandpa Jeanie Melton Anna Palumbos Grandma Chad Solomon Anthony Solomons Family Ronald Palumbo Anna Palumbos Grandpa Adam Labotka Allison Labotkas Father Bradley Baker Family

537 views • 17 slides
Creative Audio Programming for the Web with Tone.js Anna Xamb anna.xambo@dmu.ac.uk Music,

Creative Audio Programming for the Web with Tone.js Anna Xamb anna.xambo@dmu.ac.uk Music,

Creative Audio Programming for the Web with Tone.js Anna Xamb anna.xambo@dmu.ac.uk Music, Technology and Innovation - Institute for Sonic Creativity (MTI^2) De Montfort University Women Who Code, School of Media Arts, Columbia College

411 views • 14 slides
2015-2016 The City of Anna and Anna IS D are preparing for impending growth. New Housing

2015-2016 The City of Anna and Anna IS D are preparing for impending growth. New Housing

2015-2016 The City of Anna and Anna IS D are preparing for impending growth. New Housing developments Expanding utilities and roadways S chool planning and building For more information visit www.annaisd.org Click S trategic

348 views • 7 slides
Duality via truth for distributive interlaced bilattices Anna Mu cka, Anna Maria Radzikowska

Duality via truth for distributive interlaced bilattices Anna Mu cka, Anna Maria Radzikowska

Duality via truth for distributive interlaced bilattices Anna Mu cka, Anna Maria Radzikowska Faculty of Mathematics and Information Science Warsaw University of Technology The 4th Novi Sad Algebraic Conference & Semigroups and

686 views • 43 slides
Anna Kirchgater Back to School Night Thursday, August 18, 2016 Anna Kirchgater will provide a

Anna Kirchgater Back to School Night Thursday, August 18, 2016 Anna Kirchgater will provide a

Anna Kirchgater Back to School Night Thursday, August 18, 2016 Anna Kirchgater will provide a learning community that challenges ALL students to realize their greatest potential. Welcome to Anna Kirchgater GREAT schools Have GREAT people Who

378 views • 16 slides
ANTIFUNGAL A GENTS . Presented By Presented By Nikalje 1 * , Dr. Anna Dr. Anna Pratima

ANTIFUNGAL A GENTS . Presented By Presented By Nikalje 1 * , Dr. Anna Dr. Anna Pratima

M OLECULAR SIEVES AND ULTRASOUND ASSISTED SYNTHESIS OF N OVEL 1,3,4- OXADIAZOLE -2- THIONE DERIVATIVES AS POTENTIAL ANTIFUNGAL A GENTS . Presented By Presented By Nikalje 1 * , Dr. Anna Dr. Anna Pratima Pratima G. G. Nikalje Nimbalkar 2

619 views • 28 slides
Anna Karasiska tr WarszaWa CREDITS director Anna Karasiska dramaturgy Magdalena

Anna Karasiska tr WarszaWa CREDITS director Anna Karasiska dramaturgy Magdalena

Anna Karasiska tr WarszaWa CREDITS director Anna Karasiska dramaturgy Magdalena Rydzewska, Jacek Telenga set design and costumes Paula Grocholska choreography Magda Ptasznik light design Szymon Kluz cast Agata Buzek, Dobromir

440 views • 15 slides
Anna-Jayne Metcalfe @annajayne anna@riverblade.co.uk Riverblade Ltd www.riverblade.co.uk If

Anna-Jayne Metcalfe @annajayne anna@riverblade.co.uk Riverblade Ltd www.riverblade.co.uk If

Anna-Jayne Metcalfe @annajayne anna@riverblade.co.uk Riverblade Ltd www.riverblade.co.uk If you want to ask something... Dont wait until the end just ask . 2 Static Code Analysis Tools Analyse a codebase by parsing the code

616 views • 12 slides
ANNA SETTON TOUR 2019 - 2020 Brazilian singer Anna Setton has been pointed by music critics as the

ANNA SETTON TOUR 2019 - 2020 Brazilian singer Anna Setton has been pointed by music critics as the

ANNA SETTON TOUR 2019 - 2020 Brazilian singer Anna Setton has been pointed by music critics as the best novelty of the moment. Anna has just made her first European tour, releasing her first solo album, very well received by the critics and

605 views • 14 slides
Healthwatch Committee Meeting May 2014 Welcome and apologies Anna Bradley Minutes from last

Healthwatch Committee Meeting May 2014 Welcome and apologies Anna Bradley Minutes from last

Healthwatch Committee Meeting May 2014 Welcome and apologies Anna Bradley Minutes from last Committee Meeting Anna Bradley Declarations of interests Anna Bradley Chairs Report Anna Bradley Chief Executives Report Dr Katherine Rake

795 views • 66 slides
Anna Slobodova Formal Verification Team Shilpi Goel Anna Slobodova Rob Sumners Sol Swords

Anna Slobodova Formal Verification Team Shilpi Goel Anna Slobodova Rob Sumners Sol Swords

Using Formal Methods in an Organization with a Simulation-Based Mentality IWLS 2017 Anna Slobodova Formal Verification Team Shilpi Goel Anna Slobodova Rob Sumners Sol Swords Centaur Technology Founded in 1995 as a startup to lower cost of

795 views • 17 slides
@annajayne anna@riverblade.co.uk Riverblade Ltd www.riverblade.co.uk If you want to ask

@annajayne anna@riverblade.co.uk Riverblade Ltd www.riverblade.co.uk If you want to ask

Anna-Jayne Metcalfe @annajayne anna@riverblade.co.uk Riverblade Ltd www.riverblade.co.uk If you want to ask something... Dont wait until the end just ask Photo by Anna-Jayne Metcalfe @annajayne So Whats the Problem? Our code is

467 views • 20 slides
ACT and ADLAB PRO projects Anna Matamala anna.matamala@uab.cat MAPIC. Vigo, 5 October 2017

ACT and ADLAB PRO projects Anna Matamala anna.matamala@uab.cat MAPIC. Vigo, 5 October 2017

ACT and ADLAB PRO projects Anna Matamala anna.matamala@uab.cat MAPIC. Vigo, 5 October 2017 2015-1-ES01-KA2013-015734, 2016-1-IT02-K203-024311, 2014SGR0027 Research on training in accessibility ACT (Accessible Culture and Training). 2015-2018,

290 views • 14 slides
Towards generating stories about video Anna Rohrbach The End-of-End-to-End A Video

Towards generating stories about video Anna Rohrbach The End-of-End-to-End A Video

Towards generating stories about video Anna Rohrbach The End-of-End-to-End A Video Understanding Pentathlon, CVPR 2020 https://anna-rohrbach.net Lets look at a human generated video description A young singer with moppy dark brown hair

1.24k views • 65 slides
Don Juans Troubles Don Juans Troubles Hey, Anna, how are you? Don Juans Troubles Hey,

Don Juans Troubles Don Juans Troubles Hey, Anna, how are you? Don Juans Troubles Hey,

Don Juans Troubles Don Juans Troubles Hey, Anna, how are you? Don Juans Troubles Hey, Anna, how I am are you? Magda!!! Noooo, my Precioussss... Don Juans Diary 1.0 Meet HashMap A variable type that stores values accessed

988 views • 60 slides
Class of 2022 Anna Dechant, 9th Grade Counselor (785) 309-3513 anna.dechant@usd305.com Topics

Class of 2022 Anna Dechant, 9th Grade Counselor (785) 309-3513 anna.dechant@usd305.com Topics

Class of 2022 Anna Dechant, 9th Grade Counselor (785) 309-3513 anna.dechant@usd305.com Topics *Graduation Requirements *Course Options *KS Qualified Admissions Curriculum & KS Scholar Curriculum *NCAA & NAIA *Eligibility *9th Grade

440 views • 27 slides
Steve Bernier, M.Sc., Senior Architect & Project Leader, Advanced Radio Systems,

Steve Bernier, M.Sc., Senior Architect & Project Leader, Advanced Radio Systems,

Steve Bernier, M.Sc., Senior Architect & Project Leader, Advanced Radio Systems, Communications Research Centre Canada Outline The Software Communications Architecture (SCA) Compliance SCA compliance Domain-specific API

481 views • 27 slides
Linking DNS with blockchain-based ENS records Brantly Millegan / brantly@ens.domains Hello! Me :

Linking DNS with blockchain-based ENS records Brantly Millegan / brantly@ens.domains Hello! Me :

Linking DNS with blockchain-based ENS records Brantly Millegan / brantly@ens.domains Hello! Me : Brantly Millegan Work : True Names LTD (Singaporean non-profit) Open source project : Ethereum Name Service Website : https://ens.domains Blockchain

796 views • 31 slides
System for DNS Manos Antonakakis, Roberto Perdisci , David Dagon, Wenke Lee, and Nick Feamster

System for DNS Manos Antonakakis, Roberto Perdisci , David Dagon, Wenke Lee, and Nick Feamster

Notos: Building a Dynamic Reputation System for DNS Manos Antonakakis, Roberto Perdisci , David Dagon, Wenke Lee, and Nick Feamster College of Computing Georgia Institute of Technology Atlanta, Georgia ONR MURI Review Meeting June 10, 2010

276 views • 17 slides
Ed Law 3012-d You should have picked up APPR information for teachers 6-5-2016 as you came

Ed Law 3012-d You should have picked up APPR information for teachers 6-5-2016 as you came

Ed Law 3012-d You should have picked up APPR information for teachers 6-5-2016 as you came in The purpose of todays meeting is to provide information regarding the Teacher Performance component of the APPR There will be time for

415 views • 17 slides
College Night Parent Presentation Counselors: Mrs. Gonzalez(A-E) Mrs. Bailey (F-I & Migrant)

College Night Parent Presentation Counselors: Mrs. Gonzalez(A-E) Mrs. Bailey (F-I & Migrant)

College Night Parent Presentation Counselors: Mrs. Gonzalez(A-E) Mrs. Bailey (F-I & Migrant) Mrs. Avila (J-P) Mrs. Sanchez (Q-Z) Ms. Ramirez (Counseling Intern) SUHSD High

595 views • 31 slides
Safety Checking for Domain Relational Calculus Queries Using Alloy Analyzer Abhabongse

Safety Checking for Domain Relational Calculus Queries Using Alloy Analyzer Abhabongse

M asters Project Safety Checking for Domain Relational Calculus Queries Using Alloy Analyzer Abhabongse Plane Janthong Department of Computer Science, University of California, Santa Barbara CREATED AND EDITABLE USING IPE (

1.29k views • 125 slides
6/16/2020 Administrator Academy #1451 Teacher Evaluator Competency Skill Building for

6/16/2020 Administrator Academy #1451 Teacher Evaluator Competency Skill Building for

6/16/2020 Administrator Academy #1451 Teacher Evaluator Competency Skill Building for Pre-Qualified Teacher Evaluators Danielson Framework Domains 1 & 4 Materials Developed by: Dr. Catherine Siele Berning Dr. Diane P. Cody Consultants

335 views • 6 slides
Senior Class Visits Fall 2018 Preparing For Your Senior Year and Postsecondary Plans Credits to

Senior Class Visits Fall 2018 Preparing For Your Senior Year and Postsecondary Plans Credits to

Mr. Scott Crosby Mrs. Stacy Strobel College & Career Counselor Seniors H-O and new seniors Mrs. Lindsey Wedor Mr. Tim Garland Seniors P-Z Seniors A-G Senior Class Visits Fall 2018 Preparing For Your Senior Year and Postsecondary

490 views • 27 slides

More recommend