Presentation is loading. Please wait.

Presentation is loading. Please wait.

Domain Reputation Hussien Othman.

Published byMarjory Porter Modified over 6 years ago

Similar presentations

Presentation on theme: "Domain Reputation Hussien Othman."— Presentation transcript:

1 Domain Reputation Hussien Othman

2 Problem Description Domains for malicious purposes:
Command and Control (C&C) Malware distribution Phishing More.. Malicious domains are essential to the success of nearly all popular attack vectors. Short lived domains. Static Black list based technologies cannot keep up with the volume of new domain names.. There is a need for a dynamic domain reputation systems!

3 Approaches Detect the evidence of malicious content/activities.
DNS Reputation. Predict malicious domains : Life cycle of malicious domains and re-use of valuable resources.

4 Detecting Malicious Domains via Graph Inference
Malware infection in enterprises is a big problem. Majority of the infections happen via malicious domains. Build a graph: Nodes are the domains and hosts. Add edge between host H to Domain D, if there is a transaction from H to D.

5

6

7 Evaluation

8 Low Degree false positive
Unknown domain detection

9 Problems? The detection happened AFTER the malicious domains are in use.

10 Notos A dynamic reputation system.
Goal: Assigning a low reputation score if a domain is involved in malicious activities, on the other hand , assigning a high reputation score if the domain is associated with legitimate Internet Services. Capturing characteristics of domains according to network and zone based statistical features.

11 Notation and Terminology
Resource Record (RR): Domain name and IP address 2LD and 3LD domain: for , 2LD is example.com and 3LD is Related Historic IPs (RHIPS) : All “routable” IPs that historically have been mapped with the domain name in the RR, or any domain name under the 2LD and 3LD. Related Historic Domains (RHDNs): All fully qualified domain names (FQDN) that historically ,have been linked with the IP in the RR, its corresponding CIDR and AS.

12 Notos - Big Picture

13 Main Feature Vectors

14 Features Network based features: Describe how the operators who own d and the IPs that domain d points to , allocate their network resources. BGP Features , 9 Features: distinct number of BGP prefixes, countries and organizations related to BGP(A(d)),distinct number of IP addresses, BGP prefixes and countries related BGP(A3LD(d)) and BGP(A2LD(d)). AS Features,3Features:distinct number of AS related to AS(A(d)) AS(A3LD(d)) and AS(A2LD(d)) Registration Features , 6 Features: distinct number of registrars in A(d)), A3LD(d)), A2LD(d)) and the diversity of registration dates in A(d)), A3LD(d)), A2LD(d)).

15 Zone based features: Measure the characteristics of domain names historically associated with d. The intuition is that malicious domain names related to the same spam campaign , for example, often look randomly generated and share few common characteristics. On the other hand , legitimate domain names usually have strong similarities. For example: google.com, googlewave.com , etc. String features , 12 features: distinct number of domain names, average and standard deviation of their lengths and the mean and median and standard deviation of the occurrence frequency of single character, 2 and 3 Ngrams. TLD Features , 5 features: distinct number of TLDs, ratio between .com to rest of TLDs and the mean and median and standard deviation of the occurrence frequency of TLD strings.

16 Evidence based features: To what extent a given domain is associated with other known malicious domain names or IP addresses.  Honeypot features , 3 features: distinct number of malware samples that, when executed, tried to connect to an IP address in A(d), BGP(A(d)), AS(A(d))  Blacklist features , 3 features: number of IPs listed on public blacklist in A(d), BGP(A(d)), AS(A(d)).

17 Network Profiling Module
This module first collects statistical data on major categories of domains as follows: 1. Popular domains (google,yahoo,facebook,..) 2. Common domains from top 100 alexa. 3. Akamai domains. 4.Contend Delivery network domains (CDN). Except Akamai. 5.Dynamic DNS domains. Notos trains 5 classifiers . Each classifier distinguish between one class from all others based on network based features. A new domain d is given a score by each one of these classifiers. The output is NM(d)=c1,c2,..,c5.

18 Two Clustering Steps First Level Clustering: Second Level Clustering:
Using Network Feature Vectors. Goal: Identify similarities in zones based on their network profile. Second Level Clustering: Using Zone Feature Vectors. Partition domain names within the same cluster (from the first level) based on their zone properties.

19

20 Notos

21

22 NOTOS detected new malicious domains!

23 NOTOS - Summary Uses only RR records.
Needs a lot of records to success in detecting a malicious domain. Cannot predict future malicious domain.

24 We Know It Before You Do: Predicting Malicious Domains
Many malicious domains are used for a very short period of time. Evading detection Low cost propose a system that predicts the domain names which are most likely (or about) to be used for malicious purposes. In this way, the predicted malicious domains can be blocked before or at the beginning of their being used for malicious purposes.

25 Life Cycle Of Malicious Domains

26 Life Cycle Of Malicious Domains – Contd.
The selection of domain names happens before registering the domain names. The registration of a domain name happens before the creation of DNS records for that domain name. Obtaining an IP address and using that address to set up a server also happens before DNS records are created, since the IP address is part of the DNS records. In a successful attack, the aforementioned actions all happen before the malicious domain is activated. The sequence of actions involved in activating a malicious domain, as well as the time interval between these actions, makes the prediction of malicious domains possible.

27 Re-use of valuable resources
Most of popular attacks success as depends on many resources. These resources are often purchased. Examples: domain names are registered or transferred for a price bullet-proof servers are available for rent large numbers of infected hosts are also available for rent. Some of the purchases are made through legitimate processes; others are made via illegal channels such as black markets, underground forums, etc. Many types of resources are made to be re-usable so that they can be resold multiple times to maximize financial gain. The re-use of resources across different attacks also presents opportunities to find connections between malicious domains.

28 Predicting Malicious Domains
Re-use of domains names: Time interval between previous and current use > 1 year. Score based on: TLD , changes in IP, price for domain transfer.

29 Patterns of DNS queries for malicious domains can be used in prediction.
Discovered several patterns in the DNS queries of a domain before the domain was used and/or detected as malicious. The patterns indicate different activities related to malicious domains, including preparing/testing the domain for malicious purposes.

30 Connections between malicious domains
Same Name Server Same IP address Same Registrant information Reasons: pseudo identity of an attacker, registered using same stolen credit cared, etc.

31 Detected and collected a list of name servers that provide DNS records for a number of domains, most if not all of which are malicious.

32 WHOIS information for malicious domains sometimes includes:
Same/similar fake registrant name, same , same registrant address, etc.

33 Evaluation Collected data over one month.
Data includes : Passive DNS records, WHOIS records, IP location database. Predicted 2172 domain names, 1793 are malicious – 83%.

34 Resources [1] Pratyusa K. Manadhata, Sandeep Yadav, Prasad Rao, William Horne: Detecting Malicious Domains via  Graph Inference.  Proceedings of the 2014 Workshop on Artificial Intelligent and Security Workshop. [2] M. Antonakakis and R. Perdisc and D. Dagon and W. Lee and N. Feamster, "Building a Dynamic Reputation Model for DNS," in USENIX Security Symposium, 2010, pp [3] Wei Xu, Kyle Sanders & Yanxin Zhang Palo Alto Networks, Inc., USA: WE KNOW IT BEFORE YOU DO: PREDICTING MALICIOUS DOMAINS [4] Shuang Hao, Nick Feamster, Monitoring the initial DNS behavior of malicious domains. Internet Measurement 278.

Download ppt "Domain Reputation Hussien Othman."

Similar presentations

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Dynamics of Online Scam Hosting Infrastructure

Dynamics of Online Scam Hosting Infrastructure
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Spamming with BGP Spectrum Agility Anirudh Ramachandran Nick Feamster Georgia Tech.

Spamming with BGP Spectrum Agility Anirudh Ramachandran Nick Feamster Georgia Tech.
Network Security Highlights Nick Feamster Georgia Tech.

Network Security Highlights Nick Feamster Georgia Tech.
1 Dynamics of Online Scam Hosting Infrastructure Maria Konte, Nick Feamster Georgia Tech Jaeyeon Jung Intel Research.

1 Dynamics of Online Scam Hosting Infrastructure Maria Konte, Nick Feamster Georgia Tech Jaeyeon Jung Intel Research.
1 Network-Level Spam Detection Nick Feamster Georgia Tech.

1 Network-Level Spam Detection Nick Feamster Georgia Tech.
A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.

A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.
11 PhishNet: Predictive Blacklisting to detect Phishing Attacks Reporter: Gia-Nan Gao Advisor: Chin-Laung Lei 2010/4/26.

11 PhishNet: Predictive Blacklisting to detect Phishing Attacks Reporter: Gia-Nan Gao Advisor: Chin-Laung Lei 2010/4/26.
Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.

Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.
Copyright 2012 Trend Micro Inc. Raimund Genes, CTO Innovation In Cloud Security.

Copyright 2012 Trend Micro Inc. Raimund Genes, CTO Innovation In Cloud Security.
Understanding the Network-Level Behavior of Spammers Anirudh Ramachandran Nick Feamster.

Understanding the Network-Level Behavior of Spammers Anirudh Ramachandran Nick Feamster.
S EC (4.5): S ECURITY 1. F ORMS OF ATTACK There are numerous way that a computer system and its contents can be attacked via network connections. Many.

S EC (4.5): S ECURITY 1. F ORMS OF ATTACK There are numerous way that a computer system and its contents can be attacked via network connections. Many.
Threat infrastructure: proxies, botnets, fast-flux

Threat infrastructure: proxies, botnets, fast-flux
1 Authors: Anirudh Ramachandran, Nick Feamster, and Santosh Vempala Publication: ACM Conference on Computer and Communications Security 2007 Presenter:

1 Authors: Anirudh Ramachandran, Nick Feamster, and Santosh Vempala Publication: ACM Conference on Computer and Communications Security 2007 Presenter:
Bayesian Bot Detection Based on DNS Traffic Similarity Ricardo Villamarín-Salomón, José Carlos Brustoloni Department of Computer Science University of.

Bayesian Bot Detection Based on DNS Traffic Similarity Ricardo Villamarín-Salomón, José Carlos Brustoloni Department of Computer Science University of.
Team Excel What is SPAM ?. Spam Offense Team Excel '‘a distinctive chopped pork shoulder and ham mixture'' Image Source:Appscout.com.

Team Excel What is SPAM ?. Spam Offense Team Excel '‘a distinctive chopped pork shoulder and ham mixture'' Image Source:Appscout.com.
BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.

BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.
PhishNet: Predictive Blacklisting to Detect Phishing Attacks Pawan Prakash Manish Kumar Ramana Rao Kompella Minaxi Gupta Purdue University, Indiana University.

PhishNet: Predictive Blacklisting to Detect Phishing Attacks Pawan Prakash Manish Kumar Ramana Rao Kompella Minaxi Gupta Purdue University, Indiana University.
B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel 434920317 1.

B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel

Similar presentations

Ads by Google