Presentation is loading. Please wait.

Presentation is loading. Please wait.

Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.

Published byOmari Curington Modified over 10 years ago

Similar presentations

Presentation on theme: "Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC."— Presentation transcript:

1 Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC (Dec, 2009) 2010/3/21

2 Agenda Introduction Objective Detecting Malicious Flux Networks Experiments Conclusion 2010/3/22

3 Agenda Introduction Objective Detecting Malicious Flux Networks Experiments Conclusion At 2007 fast-flux domain names Malicious Fast-Flux Network 2010/3/23

4 Malicious flux service networks Be viewed as illegitimate content-delivery networks (CDNs) The nodes of a malicious flux service network is called flux agents Commonly used to host phishing websites, illegal adult content, or serve as malware propagation vectors 2010/3/24

5 Related Work Detecting fast-flux domain names Characterized fast flux domains and the details of the classification algorithms Limited to mainly studying fast-flux domains advertised through email spams 2010/3/25

6 Approach Novel and passive Monitor the DNS queries and responses from the users to the RDNS, and selectively store information about potential fast-flux domains into a central DNS data collector By deploying sensors in front of the recursive DNS (RDNS) ? 2010/3/26

7 Agenda Introduction Objective Detecting Malicious Flux Networks Experiments Conclusion  Focus on detecting malicious flux networks in- the-wild  Passive detection benefit the accuracy of spam filtering applications 2010/3/27

8 Agenda Introduction Objective Detecting Malicious Flux Networks Experiments Conclusion 2010/3/28

9 Characteristics of Flux Domain Names a)Short time-to-live (TTL) b)The set of resolved IPs (i.e., the flux agents) returned at each query changes rapidly, usually after every TTL c)The overall set of resolved IPs obtained by querying the same domain name over time is often very large d)The resolved IPs are scattered across many different networks 2010/3/29

10 Traffic Volume Reduction(F1)(1) q (d) = (t i, T (d),P (d) ) – DNS query performed by a user at time t i to resolve the set of IP addresses owned by domain name d T (d) – the time-to-live (TTL) of the DNS response P (d) – the set of resolved IPs returned by the RDNS server 2010/3/210

11 Traffic Volume Reduction(F1)(2) F1-a) seconds (i.e., 3 hours) F1-b) F1-c) Three Constraints in F1! 2010/3/211

12 Periodic List Pruning(F2)(1) Candidate flux domain name d – d = : the time when the last DNS query for d was observed : the total number of DNS queries related to d ever seen until : the maximum TTL ever observed for d : the cumulative set of all the resolved IPs ever seen for d until time : a sequence of pairs – where 2010/3/212

13 Periodic List Pruning(F2)(2) F2-a) 2010/3/213

14 Domain Clustering(1) A similarity (or proximity) matrix P = {s ij } i,j=1..n that consists of similarities s ij = sim(d i, d j ) – D = {d 1, d 2,..d n }, 2010/3/214

15 Domain Clustering(2) The hierarchical clustering algorithm takes P as input and produces in output a dendrogram, i.e., a tree-like data structure in which the leaves represent the original domains in D 2010/3/215

16 Service Classifier (1) Some features used to distinguish between malicious flux services and legitimate/non-flux services Both passive and active features – Passive: directly extracted from the information collected by passive monitoring the DNS queries Ex: Number of resolved IPs, – Active: need some external information to be computed Ex: Country code diversity, 2010/3/216

17 Service Classifier (2) Employ the popular C4.5 decision-tree classifier to automatically classify a cluster C i as either malicious flux service or legitimate/non-flux service 2010/3/217

18 Agenda Introduction Objective Detecting Malicious Flux Networks Experiments Conclusion 2010/3/218

19 Collecting Recursive DNS Traffic Two sensors in front of two different RDNS servers of large north American ISP Between March 1 and April 14, 2009 More than 4 million users Monitor 2.5 billion DNS queries per day Set the epoch E to be one day 2010/3/219

20 Clustering Candidate Flux Domains(1) Apply a single-linkage hierarchical clustering algorithm to group together domains that belong to the same network Need 30 ~ 40 minutes per day and per sensor Obtained 4000 domain clusters per day 2010/3/220

21 Clustering Candidate Flux Domains(2) Manually verified the quality of the results for a subset of the clusters obtained every day With the help of a graphical interface Ex: – NTP server pool in Europe, North America, Oceania, etc 2010/3/221

22 Evaluation of the Service Classifier(1) Statistical supervised learning approach Label the cluster domains, – according to network prefix diversity, – cumulative number of distinct resolved IPs, – the IP growth ratio,, etc. 2010/3/222

23 Evaluation of the Service Classifier(2) : Avg. TTL per domain : Number of domains per network : IP Growth Ratio Classify between malicious flux network and non malicious flux network Classify between malicious flux network and non malicious flux network 2010/3/223

24 Can this Contribute to Spam Filtering?(1) Check the intersection between domain name set from spam emails and domains from the malicious flux networks identified by the detection system 2010/3/224

25 Can this Contribute to Spam Filtering?(2) 2010/3/225

26 Agenda Introduction Objective Detecting Malicious Flux Networks Experiments Conclusion 2010/3/226

27 Conslusion The detection system is based on passive analysis of recursive DNS (RDNS) traffic traces Not limited to the analysis of suspicious domain names extracted from spam emails or precompiled domain blacklists Benefit spam filtering applications 2010/3/227

Download ppt "Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC."

Similar presentations

Analyzing and Exploiting Network Behaviors of Malware Jose Andre Morales Areej Al-Bataineh Shouhuai XuRavi Sandhu SecureComm Singapore, 2010 ©2010 Institute.

Analyzing and Exploiting Network Behaviors of Malware Jose Andre Morales Areej Al-Bataineh Shouhuai XuRavi Sandhu SecureComm Singapore, 2010 ©2010 Institute.
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
1 Network-Level Spam Detection Nick Feamster Georgia Tech.

1 Network-Level Spam Detection Nick Feamster Georgia Tech.
A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.

A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.
11 PhishNet: Predictive Blacklisting to detect Phishing Attacks Reporter: Gia-Nan Gao Advisor: Chin-Laung Lei 2010/4/26.

11 PhishNet: Predictive Blacklisting to detect Phishing Attacks Reporter: Gia-Nan Gao Advisor: Chin-Laung Lei 2010/4/26.
Reporter: Jing Chiu Advisor: Yuh-Jye Lee 2015/7/181Data Mining & Machine Learning Lab.

Reporter: Jing Chiu Advisor: Yuh-Jye Lee /7/181Data Mining & Machine Learning Lab.
Paper Reading: Reporter: Shao-Yu Peng( 彭少瑜 ) Date: 2013/10/28.

Paper Reading: Reporter: Shao-Yu Peng( 彭少瑜 ) Date: 2013/10/28.
RB-Seeker: Auto-detection of Redirection Botnet Presenter: Yi-Ren Yeh Authors: Xin Hu, Matthew Knysz, Kang G. Shin NDSS 2009 The slides is modified from.

RB-Seeker: Auto-detection of Redirection Botnet Presenter: Yi-Ren Yeh Authors: Xin Hu, Matthew Knysz, Kang G. Shin NDSS 2009 The slides is modified from.
Design and Evaluation of a Real-Time URL Spam Filtering Service

Design and Evaluation of a Real-Time URL Spam Filtering Service
Hongyu Gao, Tuo Huang, Jun Hu, Jingnan Wang.  Boyd et al. Social Network Sites: Definition, History, and Scholarship. Journal of Computer-Mediated Communication,

Hongyu Gao, Tuo Huang, Jun Hu, Jingnan Wang.  Boyd et al. Social Network Sites: Definition, History, and Scholarship. Journal of Computer-Mediated Communication,
Accelerometer-based Transportation Mode Detection on Smartphones

Accelerometer-based Transportation Mode Detection on Smartphones
Content  Overview of Computer Networks (Wireless and Wired)  IP Address, MAC Address and Workgroups  LAN Setup and Creating Workgroup  Concept on.

Content  Overview of Computer Networks (Wireless and Wired)  IP Address, MAC Address and Workgroups  LAN Setup and Creating Workgroup  Concept on.
BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.
Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.

Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.
Understanding the Network-Level Behavior of Spammers Anirudh Ramachandran Nick Feamster.

Understanding the Network-Level Behavior of Spammers Anirudh Ramachandran Nick Feamster.
Understanding the Network-Level Behavior of Spammers Mike Delahunty Bryan Lutz Kimberly Peng Kevin Kazmierski John Thykattil By Anirudh Ramachandran and.

Understanding the Network-Level Behavior of Spammers Mike Delahunty Bryan Lutz Kimberly Peng Kevin Kazmierski John Thykattil By Anirudh Ramachandran and.
Three kinds of learning

Three kinds of learning
Flash Crowds And Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites Aaron Beach Cs395 network security.

Flash Crowds And Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites Aaron Beach Cs395 network security.
Automatic Blog Monitoring and Summarization Ka Cheung “Richard” Sia PhD Prospectus.

Automatic Blog Monitoring and Summarization Ka Cheung “Richard” Sia PhD Prospectus.

Similar presentations

Ads by Google