system for dns
play

System for DNS Manos Antonakakis, Roberto Perdisci , David Dagon, - PowerPoint PPT Presentation

Jun 01, 2023 •216 likes •405 views

Notos: Building a Dynamic Reputation System for DNS Manos Antonakakis, Roberto Perdisci , David Dagon, Wenke Lee, and Nick Feamster College of Computing Georgia Institute of Technology Atlanta, Georgia ONR MURI Review Meeting June 10, 2010

  1. Notos: Building a Dynamic Reputation System for DNS Manos Antonakakis, Roberto Perdisci , David Dagon, Wenke Lee, and Nick Feamster College of Computing Georgia Institute of Technology Atlanta, Georgia ONR MURI Review Meeting June 10, 2010

  2. Form Approved Report Documentation Page OMB No. 0704-0188 Public reporting burden for the collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington VA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to a penalty for failing to comply with a collection of information if it does not display a currently valid OMB control number. 1. REPORT DATE 3. DATES COVERED 2. REPORT TYPE 10 JUN 2010 00-00-2010 to 00-00-2010 4. TITLE AND SUBTITLE 5a. CONTRACT NUMBER Notos: Building a Dynamic Reputation System for DNS 5b. GRANT NUMBER 5c. PROGRAM ELEMENT NUMBER 6. AUTHOR(S) 5d. PROJECT NUMBER 5e. TASK NUMBER 5f. WORK UNIT NUMBER 7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) 8. PERFORMING ORGANIZATION REPORT NUMBER Georgia Institute of Technology,College of Computing,Atlanta,GA,30332 9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES) 10. SPONSOR/MONITOR’S ACRONYM(S) 11. SPONSOR/MONITOR’S REPORT NUMBER(S) 12. DISTRIBUTION/AVAILABILITY STATEMENT Approved for public release; distribution unlimited 13. SUPPLEMENTARY NOTES MURI Review, June 2010. U.S. Government or Federal Rights License 14. ABSTRACT 15. SUBJECT TERMS 16. SECURITY CLASSIFICATION OF: 17. LIMITATION OF 18. NUMBER 19a. NAME OF ABSTRACT OF PAGES RESPONSIBLE PERSON a. REPORT b. ABSTRACT c. THIS PAGE Same as 17 unclassified unclassified unclassified Report (SAR) Standard Form 298 (Rev. 8-98) Prescribed by ANSI Std Z39-18

  3. Problems with Static Blacklisting • Malware families utilize large number of domains for discovering the “up -to- date” C&C address – Examples are the Sinowal, Bobax and Conficker bots families that generate tens of thousands new C&C domains every day – IP-based (dynamic or not) blocking technologies cannot keep up with the number of IP addresses that the C&C domains typically use – DNSBL based technologies cannot keep up with the volume of new domain names the botnet uses every day • Detecting and blocking such type of agile botnets cannot be achieve with the current state-of-the-art 11/4/09 ONR MURI Review 2

  4. Outline • Notos – Notations, Passive DNS trends, and anchor- zones – Network based profile modeling – Network and zone based profiles clustering – Reputation function – System implementation – Results • Conclusions and Future Work 11/4/09 ONR MURI Review 3

  5. Notos • Network and zone based features that capture the characteristics of resource provisioning, usages, and management by domains. – Learn the models of legitimate and malicious domains • Classify new domains with a very low FP% (0.3846%) and high TP% (96.8%). – Days or even weeks before they appear on static blacklists. 11/4/09 ONR MURI Review 4

  6. Notation & Terminology • Resource Record (RR) – www.example.com 192.0.32.10 • 2nd level domain (2LD) and 3rd level domain (3LD) – For the domain name www.example.com: 2LD is the example.com and 3LD is the www.example.com • Related Historic IPs (RHIPs) – All “routable” IPs that historically have been mapped with the domain name in the RR, or any domain name under the 2LD and 3LD • Related Historic Domains (RHDNs) – All fully qualified domain names (FQDN) that historically have been linked with the IP in the RR, its corresponding CIDR and AS 11/4/09 ONR MURI Review 5

  7. Passive DNS data • Successful DNS resolutions that can be observed in a given network • Data set has traffic from 2 ISP sensors - one in west coast and one in east coast, also data from SIE • We observe that different classes of zones demonstrate different passive DNS behaviors • The number of new domain names and IPs we observe every day is in the range of 150,000 to 200,000 11/4/09 ONR MURI Review 6

  8. Pep.n t/ ~ ~ ~ ~ ~ /' /!_ · ~i~ t -· ·~v/·.f"\ ~ ~ - ~ . ~ . : m - 1 Passive DNS trends (c) Akamai Class Growltl (d) CON Class Growltl (a) Uniqu:e AIRs In Th e T wo I SPs Sensors (per day} Over Ti me (Days) Over Time (Days) ! r .... . . ..... ... . 10000 10000 ....-----.-- --. f"o. f/ ..... . A v e+ ' .... . -J ., .J... .- •• • :}.. ; 1. - • \/ • I l j 5 80 1000 i Unique ARs ------ ---- 1000 0 1 0 20 30 40 50 60 70 Days 100 (b) N mv A.R s Growtfl ln pONS OB For All Z ones 10 : : -: I : l 10 '-"- 100 10 100 10 1 Unique ON Uniquo DNs U ni que IPs Uni que IP 0 10 20 30 40 50 60 70 New RRs New RRs Oavs ( g) Common Class Growth (h) CDF Of RR Growth (e) Pop Class Growth (f) Dyn. DNS Class Growth Over Ti me (Days) Fo r All Classes Over Time (Days) Ove r Tme (Days) 100000 ,....---....-----. 10000 "' 1000 "' "' E E 1000 :::> 10 2 0 0 '!' .. > 100 > > . 100 10 ./ 10 1 0_01 1 10 100 10 100 10 100 0.1 CON Unique DN Unique DN Unique DN Akamai .. Unique IP Common ..... ... Dynamic Unique IP Unique IP s New RRs New RRs Pop New RRs Anchor classes in pDNS: Akamai, CDN, Popular, DYNDNS and Common 11/4/09 ONR MURI Review 7 ee

  9. Features Notos computes three feature vectors for a RR, based on its RHIPs, RHDNs and Evidence data. The analysis of these feature vectors is forwarded to the reputation engine. These 3 vectors are the Network Based Feature Vector [18], Zone Based Feature Vector [17] and the Evidence Based Feature Vector [6]. 11/4/09 ONR MURI Review 8

  10. Network Profile Modeling • Train a Meta-Classifier based on the 5 anchor-classes • The network feature vector of a domain name d is translated into the network modeling output (NM(d)) The NM(d) is a feature vector composed from the confidence scores for each different anchor-class 11/4/09 ONR MURI Review 9

  11. Domain Clustering The network and zone based feature vectors of a domain d are used to produce the domain clustering output (DC(d)) In this step we are able to characterize unknown domains within clusters based on already labeled domains in close proximity . The DC(d) is a 5-feature vector characterizing the position of d in the cluster . 11/4/09 ONR MURI Review 10

  12. Reputation Function • Each domain d in our dataset is transformed into three feature vectors by Notos: NM(d) , DC(d) and EV(d) (evidence profile output); these vectors assemble the reputation vector v(d) • The reputation function f(v(d)) assigns a score to the domain name d between [0,1] • The reputation function is a statistical classifier (Decision Tree with Logistic Boost - after model selection) • The reputation function is trained using labeled domain data 11/4/09 ONR MURI Review 11

  13. Operational Model of Notos • Notos utilizes the Off-line mode to train classifiers, build the clusters and train the reputation function • In the In-line mode , Notos assigns reputation to new RRs observed at the monitoring point 11/4/09 ONR MURI Review 12

  14. . co~n, .,~- Dyna~nic Aka~nai ~- Li ~e - - - Pep.n ~- ~ ~nyspace, Aka~nai ~ _____ _..,.- - --- - .,_ - - - Malicous £~-7} . - - -- --- - - - - Conf'.C Sinkhole -{B} - (net) - - - - - - and NTP .. /. - - - - - J ....... \, - - ...... - - - -- ISP-Rev. - - - ...... Lookups -{0-7} - .. 1 - Malicious -{B} .... - 2 .. - Malicious, - - f'ew Popular - 3 f'ew CDN 0 _.. - (net) - - - DNs : - - - 4 - - - ; Akadns and - ; Google -{0-S,B .Ji - - - 5 : Mal. -{6,7,9} _ 9 _ Dyn. DNS -{7,9} .- - - - - - - - - - .. - - .. - .. -- - 6 - - - - - ISP-Rev. - 8 - - Lookups -- 7 - - - - - - - - - - - - 1' 1' 1 • - - t f'acebook, _ - · - CDNs, Aka~naitech Malware and _ _ _ - Few Spa~n, Malicious -- - -- ........ -- -- - CDNs • - -- _..,...._ --- - -- - -- - -- - -- 11/4/09 ONR MURI Review 13 ee

  15. ~ . ~ ~ Pep.n Results from the Reputation Function False Positive Rate vs True Positive Rate 1 0.99 0.98 0.97 : over All Pos. vs Threshold - TP ' Cl> al 1 a: 0.96 0.98 Cl> - .::: 0.96 ' § 0.94 0.95 " (j) 0.92 " (j) 0 0.9 a... " (3 0.94 0.88 Cl> a... 0.86 .._ ::::::1 0.84 I- 0.93 ROC ····+- '·· 0.82 0. 8 .,_ .__.__.___.___......___.......___.......___.......___..___. 0 0.10.2J.3).40.fD.00.70.00.9 1 0.92 Threshold 0.91 ROC ----+---· 0.9 0 0.02 0.04 0.06 0.08 0.1 False Positive Rate FP%=0.3849% and TP%=96.8% 11/4/09 ONR MURI Review 14 ee

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Module 3: Operating-System Structures System Components Operating System Services

Module 3: Operating-System Structures System Components Operating System Services

Module 3: Operating-System Structures System Components Operating System Services System Calls System Programs System Structure Virtual Machines System Design and Implementation System Generation Silberschatz and

714 views • 35 slides
Chapter 3: Operating-System Structures System Components Operating System Services

Chapter 3: Operating-System Structures System Components Operating System Services

Chapter 3: Operating-System Structures System Components Operating System Services System Calls System Programs System Structure Virtual Machines System Design and Implementation System Generation Operating System

588 views • 20 slides
Chapter 3: Operating-System Structures System Components Operating System Services

Chapter 3: Operating-System Structures System Components Operating System Services

Chapter 3: Operating-System Structures System Components Operating System Services System Calls System Programs System Structure Virtual Machines System Design and Implementation System Generation Operating System

981 views • 39 slides
Module 3: Operating-System Structures System Components Operating-System Services

Module 3: Operating-System Structures System Components Operating-System Services

' $ Module 3: Operating-System Structures System Components Operating-System Services System Calls System Programs System Structure Virtual Machines System Design and Implementation System Generation & %

589 views • 13 slides
System 1 vs. System 2 System 1 operates automatically and quickly, with little or no e fg ort

System 1 vs. System 2 System 1 operates automatically and quickly, with little or no e fg ort

System 1 vs. System 2 System 1 operates automatically and quickly, with little or no e fg ort and no sense of voluntary control. p.20 Operations of System 1 Detect that one object is more distant than another. Orient to the source

686 views • 46 slides
I/O System UNIX I/O System The I/O system communicates with the hardware at the There are two

I/O System UNIX I/O System The I/O system communicates with the hardware at the There are two

I/O System UNIX I/O System The I/O system communicates with the hardware at the There are two main categories of I/O units in UNIX, block lowest level. devices and character devices . The I/O system consists of: In addition there are sockets

100 views • 7 slides
GSM System Overview GSM System Overview GSM System Overview GSM System Overview Phone Lin

GSM System Overview GSM System Overview GSM System Overview GSM System Overview Phone Lin

National Taiwan University Department of Computer Science and Information Engineering GSM System Overview GSM System Overview GSM System Overview GSM System Overview Phone Lin Phone Lin Ph.D. Ph.D. Email: plin@csie.ntu.edu.tw Email:

686 views • 41 slides
Reference management using Zotero System 1: Printout System 1: Status update System 2: PDFs in

Reference management using Zotero System 1: Printout System 1: Status update System 2: PDFs in

Reference management using Zotero System 1: Printout System 1: Status update System 2: PDFs in folders System 3: EndNote System 4: JabRef My requirements Free of cost Cross-platform Tagging w/ topics Opensource Taking

389 views • 10 slides
NERVOUS SYSTEM Nervous System Peripheral Nervous System Central Nervous System ( PNS ) ( CNS )

NERVOUS SYSTEM Nervous System Peripheral Nervous System Central Nervous System ( PNS ) ( CNS )

NERVOUS SYSTEM Nervous System Peripheral Nervous System Central Nervous System ( PNS ) ( CNS ) Efferent (Motor) Afferent (Sensor) Somatic Autonomic ( ANS ) Enteric Parasympathetic Sympathetic Autonomic nervous system ANS:

616 views • 33 slides
Cromemco r SYSTEM C(}FI aJRATI ~ 1S tmI AN CPERAT 1 NG SYSTEM 'NCLUDED AS A PART OF THE

Cromemco r SYSTEM C(}FI aJRATI ~ 1S tmI AN CPERAT 1 NG SYSTEM 'NCLUDED AS A PART OF THE

Cromemco r SYSTEM C(}FI aJRATI ~ 1S tmI AN CPERAT 1 NG SYSTEM 'NCLUDED AS A PART OF THE SYSTEM. 8 Cromemco' , \ , '. ' MINIMUM SYSTEM CONFIGURATION Z-88A SYSTEM - ZPU OR OPU PROCESSOR BOARD - 64KZ MEMORY Bo ARD . - 64FOC FLOPPY OISK

791 views • 45 slides
Fo-An-Di-Qz system 2. This is known as the simple Basalt system since this quaternary system

Fo-An-Di-Qz system 2. This is known as the simple Basalt system since this quaternary system

Fo-An-Di-Qz system 2. This is known as the simple Basalt system since this quaternary system represents a simplified representation of basalt compositions. All the key minerals are present (including En) and, while it is obviously a model

332 views • 4 slides
The tax system and redistribution Need to consider the system holistically In achieving the

The tax system and redistribution Need to consider the system holistically In achieving the

The tax system and redistribution Need to consider the system holistically In achieving the overall objectives of the tax system, it is important to consider all taxes (and transfer payments) together as a system; and at the same time being

343 views • 19 slides
Have you submitted your It is five oclock FP6 I T System proposal ? FP6 I T System

Have you submitted your It is five oclock FP6 I T System proposal ? FP6 I T System

FP6 I T System E LECTRONIC P ROPOSAL S UBMISSION S YSTEM Contact person: hubert-yves.van-delft@cec.eu.int 1 support@epss-fp6.org 2 Have you submitted your It is five oclock FP6 I T System proposal ? FP6 I T System PROPOSALS e

873 views • 59 slides
MT System Combination Silja Hildebrand MT System Combination System Combination in MT

MT System Combination Silja Hildebrand MT System Combination System Combination in MT

MT System Combination Silja Hildebrand MT System Combination System Combination in MT Methods of machine translation Rule based Statistical Hierarchical Syntax based Output is different Make use of the individual strengths of the

722 views • 70 slides
Cocoon Mothballing System CMS ( Cocoon Mothballing System ) What is Cocoon Mothballing System?

Cocoon Mothballing System CMS ( Cocoon Mothballing System ) What is Cocoon Mothballing System?

Introduction of Cocoon Mothballing System CMS ( Cocoon Mothballing System ) What is Cocoon Mothballing System? The Cocoon Mothballing System is ;- to protect machines and spares from moisture and dust by using weather-proof, tough, and

695 views • 30 slides
Computer System Administration Computer Center, CS, NCTU What System Administrator Should do? (1)

Computer System Administration Computer Center, CS, NCTU What System Administrator Should do? (1)

Computer System Administration Computer Center, CS, NCTU What System Administrator Should do? (1) Ordinary list Install new system, programs and OS updates Monitoring system and trying to Tune performance Adding and removing users

762 views • 22 slides
T-STEM Advisory Council Meeting Young Womens Leadership Academy at Arnold Welcome The

T-STEM Advisory Council Meeting Young Womens Leadership Academy at Arnold Welcome The

T-STEM Advisory Council Meeting Young Womens Leadership Academy at Arnold Welcome The Young Women's Leadership Academy will offer 6th-12th grade girls a dynamic learning experience that encourages Vision critical thinking, inspires

382 views • 20 slides
AP CAPSTONE PARENT PRESENTATION OCTOBER 26, 2017 SOCIAL SCIENCE RESEARCH A current elective

AP CAPSTONE PARENT PRESENTATION OCTOBER 26, 2017 SOCIAL SCIENCE RESEARCH A current elective

MANHASSET HIGH SCHOOL AP CAPSTONE PARENT PRESENTATION OCTOBER 26, 2017 SOCIAL SCIENCE RESEARCH A current elective program in Social Studies Consists of four courses--one full year introductory course, followed by 2 alternate- day full

281 views • 15 slides
State Compensatory THE SCE PROGRAM Programs and/or services designed to supplement the regular

State Compensatory THE SCE PROGRAM Programs and/or services designed to supplement the regular

INTENT AND PURPOSE OF State Compensatory THE SCE PROGRAM Programs and/or services designed to supplement the regular education program for identified at-risk students Education (SCE) The goal for SCE is to increase achievement and to reduce

414 views • 19 slides
Academic Summer School Parent Presentation June 19 July 14, 2017 Welcome to SUSDs Academic

Academic Summer School Parent Presentation June 19 July 14, 2017 Welcome to SUSDs Academic

Saratoga Union School District Academic Summer School Parent Presentation June 19 July 14, 2017 Welcome to SUSDs Academic Summer School! * Program Features * Curriculum & Assessments * English Learner Support * Locations * Schedule *

329 views • 14 slides
Hospital Metrics TAG November 10, 2015 Welcome and Introductions 2 Agenda Overview Updates

Hospital Metrics TAG November 10, 2015 Welcome and Introductions 2 Agenda Overview Updates

Hospital Metrics TAG November 10, 2015 Welcome and Introductions 2 Agenda Overview Updates Year 2 data submission timeline & draft checklist EDIE-sourced measure validation process Review draft PPR specifications Review

808 views • 55 slides
.VE Data Cleanup .VE Data Cleanup Oct 19th, 2015 Oct 19th, 2015 Eng. Rumary Ricaute Eng.

.VE Data Cleanup .VE Data Cleanup Oct 19th, 2015 Oct 19th, 2015 Eng. Rumary Ricaute Eng.

.VE Data Cleanup .VE Data Cleanup Oct 19th, 2015 Oct 19th, 2015 Eng. Rumary Ricaute Eng. Rumary Ricaute Topics Topics .ve Timeline. .ve Structure. Main Processes. Migration and Updates. Statistics. Results of effort.

260 views • 14 slides
BLOCK SCHEDULING PROPOSAL Presented to Board of Education October 4, 2018 Public Work Session

BLOCK SCHEDULING PROPOSAL Presented to Board of Education October 4, 2018 Public Work Session

Wayne Township Public Schools HIGH SCHOOL BLOCK SCHEDULING PROPOSAL Presented to Board of Education October 4, 2018 Public Work Session Why Block Scheduling? As a district, we are constantly reflecting on our practices with the goal of

701 views • 28 slides
Communication Goals Reassure parents and families that WS/FCS is well-prepared for a safe

Communication Goals Reassure parents and families that WS/FCS is well-prepared for a safe

Communication Goals Reassure parents and families that WS/FCS is well-prepared for a safe return to learning in the fall. Establish expectations of flexibility in order to ensure safety. Provide timely and accurate dissemination of

516 views • 19 slides

More recommend