query log analysis
play

Query Log Analysis Detecting Anomalies in DNS Tra ffi c at a TLD - PowerPoint PPT Presentation

Jun 05, 2023 •381 likes •659 views

Query Log Analysis Detecting Anomalies in DNS Tra ffi c at a TLD Resolver Pieter Robberechts , Maarten Bosteels, Jesse Davis and Wannes Meert Goal and Context Goal and Context The QLAD System Results Conclusion DNS The Domain Name System

  1. Query Log Analysis Detecting Anomalies in DNS Tra ffi c at a TLD Resolver Pieter Robberechts , Maarten Bosteels, Jesse Davis and Wannes Meert

  2. Goal and Context Goal and Context The QLAD System Results Conclusion

  3. DNS 
 The Domain Name System www.cs.kuleuven.be 14.154.78.252 Browser DNS

  4. DNS 
 The Domain Name System Cache Root 
 Cache ? .be 174.34.28.193 Servers ? .cs.kuleuven.be ? .kuleuven.be 14.154.78.252 54.186.35.8 TLD 
 ? .cs.kuleuven.be Recursive Resolver 
 Browser Name Server (ISP) 1 4 . 1 5 4 . 7 8 . 2 5 2 Authoritative 
 Name Server

  5. DNS Belgium 
 The .be ccTLD resolver 1.5 million 
 domains Domain name registry 4 
 for .be/.vlaanderen/.brussels nameservers - Manage registration of domains - Provide infrastructure to answer queries 350 million 
 queries / day Highlights uit 2016. DNS Belgium. 
 URL: https://www.dnsbelgium.be/sites/default/files/generated/files/documents/cijfers%20deel%201%20-%20980px_v04_NL.pdf

  6. DNS Belgium 
 Current Situation PCAP files - stored for 10 days - analysed post-mortem

  7. DNS Belgium 
 Current Situation We believe that proactive and real-time analysis of this data could contribute to the resilience and security of DNS Belgium’s service.

  8. 4 Challenges 1. Huge data volume ‣ e ffi ciency and scalability ! ‣ easy to stay under the hood 2. No labelled or clean training data 3. Wide range of attacks, under constant evolution 4. Specific nature of DNS tra ffi c ‣ periodicity and trends ‣ few (typically two) packets per flow 


  9. Goal and Context The QLAD System The QLAD System Results Conclusion

  10. QLAD 
 System Overview ANOMALY 
 DATA TRANSFORMATION PRESENTATION DETECTION QLAD-global ENTRADA -- OR -- QLAD-UI DSC QLAD-flow

  11. Data Transformation 
 ENTRADA vs DSC ENTRADA DSC aggregate convert archive archive + SQL MonogDB API

  12. Data Transformation 
 ENTRADA vs DSC ENTRADA DSC • • Stores all tra ffi c Lightweight • • Allows a detailed analysis No additional infrastructure • SQL interface • • Storage cost and infrastructure No detailed (log level) analysis "ClientAddr": [ { "val": "195.238.24.111", "count": 1014 }, { "val": "195.238.25.53", "count": 70 }, { "val": "195.238.25.99", "count": 63 }, { "val": "195.238.24.117", "count": 61 }, { "val": "194.78.30.189", "count": 59 }, { "val": "42.236.23.92", "count": 55 }, { "val": "195.238.25.108", "count": 55 }, { "val": "42.236.23.91", "count": 54 }, { "val": "193.58.1.131", "count": 52 },

  13. QLAD- fl ow 
 Dewaele, G., Fukuda, K., Borgnat, P ., Abry, P ., & Cho, K. (2007). Extracting Hidden Anomalies using Sketch and Non Gaussian Multiresolution Statistical Detection Procedures. Proc. ACM SIGCOMM Workshop on Large-Scale Attack Defense (LSAD’07), 1–8. Hash packets h ₁

  14. QLAD- fl ow 
 Algorithm Count packets at different aggregation levels 2 1 3 0 2 1 3 1 0 0 2 0 1 Level 1 α₁ , β₁ 3 3 3 4 0 2 Level 2 α₂ , β₂ 6 7 2 Level 3 α₃ , β₃

  15. QLAD- fl ow 
 Compare groups at Algorithm each aggregation level Level 1 Level 2 Level 3 β₁ β₁ β₁ + + + α₁ α₁ α₁ Identify groups that Avg Distance differ from average Anomalous group

  16. QLAD- fl ow 
 Repeat with different Algorithm hash functions h1 h2 h3 ∩

  17. QLAD- fl ow 
 Shortcomings Some attacks span a lot of flows 
 e.g. DoS with spoofed IP address QLAD-flow is unable to detect these

  18. QLAD-global 
 Algorithm Observation : each tra ffi c anomaly causes changes in the distribution of one or more tra ffi c features Look at entropy!

  19. QLAD-global 
 Algorithm TLD TLD GET NEW RUN UPDATE SLD SLD ENTRADA ENTROPIES DETECTOR MODELS qtype qtype - EMA rcode rcode - Kalman -- OR -- client - ... client ASN ASN country country DSC response size response size 1 2 4 REPORT ANOMALIES - timestamp - features with anomaly 3

  20. Goal and Context The QLAD System Results Results Conclusion

  21. Data 
 Description of the evaluation dataset Sunday 12 to Monday 13 February 2017 1 42 GB server 58,345,819 queries

  22. Results 
 Detected anomalies QLAD-flow QLAD-flow Total QLAD-global (source IP) (query name) (unique) Bening Caching resolver 12 2 12 8 2 9 Email marketing 1 2 3 Other Malicious Spam sender 3 3 5 2 5 Domain enumeration Reflection attack 1 1 2 Phishing 1 1 3 2 1 4 DoS attack 1 1 1 Unknown TOTAL 35 4 9 39

  23. Results 
 Detected anomalies • No ground truth 
 → Impossible to use standard evaluation 
 → Manual inspection of detected anomalies • Only tip of the iceberg?

  24. Goal and Context The QLAD System Results Conclusion Conclusion

  25. Conclusion QLAD - ENTRADA / DSC - QLAD-flow - QLAD-global - QLAD-UI is a combination that works! However, Anomaly ≠ attack / abuse ➡ filtering needed Can this be automated?

  26. Thanks! Any questions? Interested? All software is open source! QLAD: https://github.com/DNSBelgium/qlad ENTRADA: https://github.com/SIDN/entrada DSC: https://github.com/DNS-OARC/dsc

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

SQL and Relational Calculus Although relational algebra is useful in the analysis of query

SQL and Relational Calculus Although relational algebra is useful in the analysis of query

Relational Calculus,Visual Query Languages, and Deductive Databases Chapter 13 SQL and Relational Calculus Although relational algebra is useful in the analysis of query evaluation, SQL is actually based on a different query language:

946 views • 90 slides
Improve Query Performance with the Query Log Analyzer Kees Vegter Field Engineer Query Log

Improve Query Performance with the Query Log Analyzer Kees Vegter Field Engineer Query Log

Improve Query Performance with the Query Log Analyzer Kees Vegter Field Engineer Query Log Analyzer kees@neo4j.com Query Log dbms.logs.query.enabled=true # If the execution of query takes more time than this threshold, # the query is

1.12k views • 27 slides
FA N D A : A Novel Approach to Perform Follow-up Query Analysis Qian Liu, Bei Chen, Jian-Guang

FA N D A : A Novel Approach to Perform Follow-up Query Analysis Qian Liu, Bei Chen, Jian-Guang

FA N D A : A Novel Approach to Perform Follow-up Query Analysis Qian Liu, Bei Chen, Jian-Guang Lou, Ge Jin, Dongmei Zhang In Intr trodu oduct ction on Interaction Precedent Query User [1] : show the sales of BMW in 2009. System :

588 views • 20 slides
Query Processing Relevance feedback; query expansion; Web Search 1 Overview Indexes Query

Query Processing Relevance feedback; query expansion; Web Search 1 Overview Indexes Query

Query Processing Relevance feedback; query expansion; Web Search 1 Overview Indexes Query Indexi xing Ranki king Applica cation Results Documents User Information Query y Query analys ysis proce cess ssing Multimedia

740 views • 32 slides
Query Log Analysis for Enhancing Web Search Salvatore Orlando, University of Venice, Italy

Query Log Analysis for Enhancing Web Search Salvatore Orlando, University of Venice, Italy

Query Log Analysis for Enhancing Web Search Salvatore Orlando, University of Venice, Italy Fabrizio Silvestri, ISTI - CNR, Pisa, Italy From tutorials given at IEEE / WIC / ACM WI/IAT'09 and ECIR09 Query Log Analysis for Enhancing Web

1.43k views • 117 slides
Query Op)miza)on 1 Query op)miza)on Given an SQL query,

Query Op)miza)on 1 Query op)miza)on Given an SQL query,

Query Op)miza)on 1 Query op)miza)on Given an SQL query, the query op)mizer tries to figure out the order of opera)ons that will make the

550 views • 23 slides
Query Execu*on Declara*ve Query (SQL) We start from

Query Execu*on Declara*ve Query (SQL) We start from

SQL The Query Language R & G - Chapter 5 2 Query Execu*on Declara*ve Query (SQL) We start from here Query Op*miza*on and Execu*on (Rela*onal)

808 views • 44 slides
Query Execution 2 and Query Optimization Instructor: Matei Zaharia cs245.stanford.edu Query

Query Execution 2 and Query Optimization Instructor: Matei Zaharia cs245.stanford.edu Query

Query Execution 2 and Query Optimization Instructor: Matei Zaharia cs245.stanford.edu Query Execution Overview Query representation (e.g. SQL) Logical query plan (e.g. relational algebra) Query optimization Optimized logical plan Physical

1.17k views • 92 slides
Query Execu:on Declara:ve Query (SQL) We start from

Query Execu:on Declara:ve Query (SQL) We start from

SQL III The Query Language R & G - Chapter 5 Based on Slides from UC Berkeley and book. Query Execu:on Declara:ve Query (SQL) We start from here

1.02k views • 64 slides
Query Execu:on Declara:ve Query (SQL) We start from

Query Execu:on Declara:ve Query (SQL) We start from

SQL The Query Language R & G - Chapter 5 Based on Slides from UC Berkeley and book. 2 Query Execu:on Declara:ve Query (SQL) We start from

689 views • 34 slides
Query Understanding: A Manifesto Daniel Tunkelang queryunderstanding.com Overview What is

Query Understanding: A Manifesto Daniel Tunkelang queryunderstanding.com Overview What is

Query Understanding: A Manifesto Daniel Tunkelang queryunderstanding.com Overview What is query understanding? Query performance prediction. Query rewriting. Query suggestions. Search is a conversation. tl;dr: Query

940 views • 37 slides
Perfect Query FORMULA 5 critical sections in every successful query letter (c) 2019

Perfect Query FORMULA 5 critical sections in every successful query letter (c) 2019

Perfect Query FORMULA 5 critical sections in every successful query letter (c) 2019 GetaBookDeal101.com is this you Why am I not hearing back? the query conundrum giving up too early the query conundrum blaming the system the query

974 views • 61 slides
CS 525: Advanced Database convert answer Organisation logical query plan execute apply laws

CS 525: Advanced Database convert answer Organisation logical query plan execute apply laws

SQL query parse parse tree CS 525: Advanced Database convert answer Organisation logical query plan execute apply laws 08: Query Processing statistics Pi improved l.q.p Parsing and Analysis pick best estimate result sizes

323 views • 18 slides
Database Theory: Conjunctive Queries & Static Analysis CS 645 Feb 20, 2006 1 Life of a

Database Theory: Conjunctive Queries & Static Analysis CS 645 Feb 20, 2006 1 Life of a

Database Theory: Conjunctive Queries & Static Analysis CS 645 Feb 20, 2006 1 Life of a database theoretician Expressiveness of query languages Any query in L1 can be expressed in L2 Query q cannot be expressed in L

1.21k views • 52 slides
Module 13: Optimizing Query Performance Overview Introduction to the Query Optimizer

Module 13: Optimizing Query Performance Overview Introduction to the Query Optimizer

Module 13: Optimizing Query Performance Overview Introduction to the Query Optimizer Obtaining Execution Plan Information Using an Index to Cover a Query Indexing Strategies Overriding the Query Optimizer Introduction to

450 views • 34 slides
Query Log Analysis Detecting Anomalies in DNS Tra ffi c at a TLD Resolver Pieter Robberechts

Query Log Analysis Detecting Anomalies in DNS Tra ffi c at a TLD Resolver Pieter Robberechts

Query Log Analysis Detecting Anomalies in DNS Tra ffi c at a TLD Resolver Pieter Robberechts Promotor: Prof. Hendrik Blockeel Thesis Defence Co-promoter: Ronald Geens Jun 30, 2017 Goal and Context Goal and Context The QLAD System Results

359 views • 31 slides
Cloth Simulation What make cloth hard to simulate? Due to the thin and flexible nature

Cloth Simulation What make cloth hard to simulate? Due to the thin and flexible nature

Cloth Simulation What make cloth hard to simulate? Due to the thin and flexible nature of cloth, it produces detailed folds and wrinkles, which in turn can lead to complicated self- collisions. Cloth is characterized by strong

713 views • 31 slides
Parts 3 and 4 Satnam Singh Microsoft Research Cambridge Overview Asynchronous and

Parts 3 and 4 Satnam Singh Microsoft Research Cambridge Overview Asynchronous and

Introduction to VHDL Parts 3 and 4 Satnam Singh Microsoft Research Cambridge Overview Asynchronous and Synchronous resets std_logic and resolved signals 3 counter implementations Test bench Configurations use of wat ; in

592 views • 15 slides
Garbage Collection CS 351: Systems Programming Michael Saelee <lee@iit.edu> Computer

Garbage Collection CS 351: Systems Programming Michael Saelee <lee@iit.edu> Computer

Garbage Collection CS 351: Systems Programming Michael Saelee <lee@iit.edu> Computer Science Science = automatic deallocation i.e., malloc, but no free ! Computer Science Science system must track status of allocated blocks free

1.18k views • 51 slides
Welcome! Accessibility and the ADA: Facility Standards Update will begin at 2:00 p.m. Eastern

Welcome! Accessibility and the ADA: Facility Standards Update will begin at 2:00 p.m. Eastern

2/7/2014 Welcome! Accessibility and the ADA: Facility Standards Update will begin at 2:00 p.m. Eastern Time 1 Listening to the Webinar Online: Please make sure your computer speakers are turned on or your headphones are plugged in

759 views • 27 slides
Unifying Traditional and Unifying Traditional and Formal Verification Through Formal

Unifying Traditional and Unifying Traditional and Formal Verification Through Formal

Unifying Traditional and Unifying Traditional and Formal Verification Through Formal Verification Through Property Specification Property Specification Designing Correct Circuits 2002 Designing Correct Circuits 2002 Harry Foster Harry

787 views • 20 slides
Practical Techniques for Verification and Validation of Robots Kerstin Eder with a demo by

Practical Techniques for Verification and Validation of Robots Kerstin Eder with a demo by

Practical Techniques for Verification and Validation of Robots Kerstin Eder with a demo by Dejanira Araiza Illan University of Bristol and Bristol Robotics Laboratory Would you swallow a robot? The Safety Challenge Autonomous Systems

705 views • 48 slides
LPWAN WG WG Chairs: Alexander Pelov <a@ackl.io> Pascal Thubert <pthubert@cisco.com>

LPWAN WG WG Chairs: Alexander Pelov <a@ackl.io> Pascal Thubert <pthubert@cisco.com>

LPWAN WG WG Chairs: Alexander Pelov <a@ackl.io> Pascal Thubert <pthubert@cisco.com> AD: Suresh Krishnan <suresh.krishnan@ericsson.com> 98 th IETF, Chicago, March 29 th , 2017 1 LPWAN@IETF98 Note Well Any submission to the

1.44k views • 119 slides
Populations of Galaxies and their Formation at z < 7 Christopher J. Conselice (Caltech)

Populations of Galaxies and their Formation at z < 7 Christopher J. Conselice (Caltech)

Populations of Galaxies and their Formation at z < 7 Christopher J. Conselice (Caltech) Facing the Future: A Festival for Frank Bash Austin, October 18, 2003 Motivation The basic idea behind galaxy formation objects start small and

660 views • 37 slides

More recommend