Presentation is loading. Please wait.

Presentation is loading. Please wait.

In the search of resolvers

Published byBrittany Garrett Modified over 6 years ago

Similar presentations

Presentation on theme: "In the search of resolvers"— Presentation transcript:

1 In the search of resolvers
Jing Qiao 乔婧, Sebastian Castro – NZRS DNS-OARC 25, Dallas

2 Background Domain Popularity Ranking
Derive Domain Popularity by mining DNS data Noisy nature of DNS data Certain source addresses represent resolvers, the rest a variety of behavior Can we pinpoint the resolvers? DNS-OARC 25 Oct 2016

3 Noisy DNS Long tail of addresses sending a few queries on a given day
DNS-OARC 25 Oct 2016

4 Data Collection To identify resolvers, we need some data
Base curated data 836 known resolvers addresses Local ISPs, Google DNS, OpenDNS 276 known non-resolvers addresses Monitoring addresses from ICANN Asking for Addresses sending only NS queries DNS-OARC 25 Oct 2016

5 Exploratory Analysis Do all resolvers behave in a similar way
resolvers-from-our-point-of-view-2/ Conclusions There are some patterns Primary/secondary address Validating resolvers Resolvers in front of mail servers DNS-OARC 25 Oct 2016

6 Supervised classifier
Can we predict if a source address is a resolver? 14 features per day per address Fraction of A, AAAA, MX, TXT, SPF, DS, DNSKEY, NS, SRV, SOA Fraction of NoError and NxDomain responses Fraction of CD and RD queries Training data Extract 1 day of DNS traffic (653,232 unique source addresses) Base data DNS-OARC 25 Oct 2016

7 Training Model LinearSVC
__________________________________________________________________________ Training: LinearSVC(C=1.0, class_weight='balanced', dual=True, fit_intercept=True, intercept_scaling=1, loss='squared_hinge', max_iter=1000, multi_class='ovr', penalty='l2', random_state=None, tol=0.0001, verbose=0) train time: 0.003s Cross-validating: Accuracy: 1.00 (+/- 0.00) CV time: 0.056s test time: s accuracy: dimensionality: 14 density: classification report: precision recall f1-score support avg / total DNS-OARC 25 Oct 2016

8 Other Learning Algorithms
For the classification problem with less than 100K samples, LinearSVC is the first choice We also benchmarked some other algorithms such as K-Neighbors and Random Forest. All of them achieved 100% accuracy DNS-OARC 25 Oct 2016

9 Test the model Apply the model to three different days
Resolver is represented as 1, and non-resolver as 0. df = predict_result(model, " ") df.isresolver_predict.value_counts() df = predict_result(model," ") df = predict_result(model," ") DNS-OARC 25 Oct 2016

10 Preliminary Analysis Most of the addresses classified as resolvers
Possibly because the list of non-resolvers show a very specific behaviour Model fitting specific behaviour, leaving any other address as resolver. The next iteration of this work should to improve the training data to include different patterns. DNS-OARC 25 Oct 2016

11 Unsupervised classifier
What if we let a classifier to learn the structure instead of imposing The same 14 features, 1 day’s DNS traffic Ignore clients that send less than 10 queries Reduce the noise Run K-Means Algorithm with K=6 Inspired by Verisign work from 2013 Calculate the percentage of clients distributed across clusters DNS-OARC 25 Oct 2016

12 K-Means Cost Curve DNS-OARC 25 Oct 2016

13 Query Type Profile per cluster
DNS-OARC 25 Oct 2016

14 Rcode profile per cluster
DNS-OARC 25 Oct 2016

15 Flag profile per cluster
DNS-OARC 25 Oct 2016

16 Clustering accuracy How many known resolvers fall in the same cluster?
How many known non- resolvers? Tested on both week day and weekend, 98% ~ 99% known resolvers fit in the same cluster DNS-OARC 25 Oct 2016

17 Client persistence Another differentiating factor could be client persistence Within a 10-day rolling window, count the addresses seen on specific number of days Addresses sending traffic all the time will fit into known resolvers and monitoring roles DNS-OARC 25 Oct 2016

18 Client Persistence DNS-OARC 25 Oct 2016

19 Resolvers persistence
Do the known resolvers addresses fall into the hypothesis of persistence? What if we check their presence in different levels? DNS-OARC 25 Oct 2016

20 Resolvers persistence
DNS-OARC 25 Oct 2016

21 Future work Identify unknown resolvers by checking membership to the “resolver like” cluster Exchange information with other operators about known resolvers. Potential uses: curated list of addresses, white listing, others. DNS-OARC 25 Oct 2016

22 Conclusions This analysis can be repeated to other ccTLDs
Using open source tools Code analysis will be made available Easily adaptable to use ENTRADA DNS-OARC 25 Oct 2016

23 jing@nzrs.net.nz, sebastian@nzrs.net.nz
DNS-OARC 25 Oct 2016

Download ppt "In the search of resolvers"

Similar presentations

Temporal Query Log Profiling to Improve Web Search Ranking Alexander Kotov (UIUC) Pranam Kolari, Yi Chang (Yahoo!) Lei Duan (Microsoft)

Temporal Query Log Profiling to Improve Web Search Ranking Alexander Kotov (UIUC) Pranam Kolari, Yi Chang (Yahoo!) Lei Duan (Microsoft)
Mustafa Cayci INFS 795 An Evaluation on Feature Selection for Text Clustering.

Mustafa Cayci INFS 795 An Evaluation on Feature Selection for Text Clustering.
Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.

Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.
2.1 Installing the DNS Server Role Overview of the Domain Name System Role Overview of the DNS Namespace DNS Improvements for Windows Server 2008 Considerations.

2.1 Installing the DNS Server Role Overview of the Domain Name System Role Overview of the DNS Namespace DNS Improvements for Windows Server 2008 Considerations.
What is Statistical Modeling

What is Statistical Modeling
WebMiningResearch ASurvey Web Mining Research: A Survey Raymond Kosala and Hendrik Blockeel ACM SIGKDD, July 2000 Presented by Shan Huang, 4/24/2007.

WebMiningResearch ASurvey Web Mining Research: A Survey Raymond Kosala and Hendrik Blockeel ACM SIGKDD, July 2000 Presented by Shan Huang, 4/24/2007.
Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.

Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.
Three kinds of learning

Three kinds of learning
WebMiningResearchASurvey Web Mining Research: A Survey Raymond Kosala and Hendrik Blockeel ACM SIGKDD, July 2000 Presented by Shan Huang, 4/24/2007 Revised.

WebMiningResearchASurvey Web Mining Research: A Survey Raymond Kosala and Hendrik Blockeel ACM SIGKDD, July 2000 Presented by Shan Huang, 4/24/2007 Revised.
Pattern Recognition. Introduction. Definitions.. Recognition process. Recognition process relates input signal to the stored concepts about the object.

Pattern Recognition. Introduction. Definitions.. Recognition process. Recognition process relates input signal to the stored concepts about the object.
ML ALGORITHMS. Algorithm Types Classification (supervised) Given -> A set of classified examples “instances” Produce -> A way of classifying new examples.

ML ALGORITHMS. Algorithm Types Classification (supervised) Given -> A set of classified examples “instances” Produce -> A way of classifying new examples.
1 A Survey of Affect Recognition Methods: Audio, Visual, and Spontaneous Expressions Zhihong Zeng, Maja Pantic, Glenn I. Roisman, Thomas S. Huang Reported.

1 A Survey of Affect Recognition Methods: Audio, Visual, and Spontaneous Expressions Zhihong Zeng, Maja Pantic, Glenn I. Roisman, Thomas S. Huang Reported.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 5 Introduction to DNS in Windows Server 2008.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 5 Introduction to DNS in Windows Server 2008.
Unconstrained Endpoint Profiling (Googling the Internet)‏ Ionut Trestian Supranamaya Ranjan Aleksandar Kuzmanovic Antonio Nucci Northwestern University.

Unconstrained Endpoint Profiling (Googling the Internet)‏ Ionut Trestian Supranamaya Ranjan Aleksandar Kuzmanovic Antonio Nucci Northwestern University.
Data Mining: A Closer Look

Data Mining: A Closer Look
Team HauntQuant October 25th, 2013

Team HauntQuant October 25th, 2013
STUDENTLIFE PREDICTIVE MODELING Hongyu Chen Jing Li Mubing Li CS69/169 Mobile Health March 2015.

STUDENTLIFE PREDICTIVE MODELING Hongyu Chen Jing Li Mubing Li CS69/169 Mobile Health March 2015.
Big data analytics with R and Hadoop Chapter 5 Learning Data Analytics with R and Hadoop 데이터마이닝연구실 2015.04.23 김지연.

Big data analytics with R and Hadoop Chapter 5 Learning Data Analytics with R and Hadoop 데이터마이닝연구실 김지연.
Introduction The large amount of traffic nowadays in Internet comes from social video streams. Internet Service Providers can significantly enhance local.

Introduction The large amount of traffic nowadays in Internet comes from social video streams. Internet Service Providers can significantly enhance local.
1 Template-Based Classification Method for Chinese Character Recognition Presenter: Tienwei Tsai Department of Informaiton Management, Chihlee Institute.

1 Template-Based Classification Method for Chinese Character Recognition Presenter: Tienwei Tsai Department of Informaiton Management, Chihlee Institute.

Similar presentations

Ads by Google