Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Speaker: Jun-Yi Zheng 2010/03/29.

Similar presentations


Presentation on theme: "1 Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Speaker: Jun-Yi Zheng 2010/03/29."— Presentation transcript:

1 1 Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Speaker: Jun-Yi Zheng 2010/03/29

2 2 Reference  Roberto Perdisci, Igino Corona, David Dagon, and Wenke Lee. " Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces."ACSAC'09

3 3 Outline  Introduction  System Architecture  Experiments  Conclusions

4 4 Introduction  Fast-flux service networks(FFSNs) a new ( ~2007) technique to maximize botnets availability simple idea: add an additional indirection layer (i.e., proxy) between victims and controlling elements a large number of proxy hosts (flux agent) are used to relay requests to the back-end server (mother- ship) a decentralized botnet with constantly changing public DNS records

5 5 Fast-flux botnets Architecture

6 6 Characteristics of Flux Domain Names  Short time-to-live (TTL)  The set of resolved IPs returned at each query changes rapidly  The overall set of resolved IPs obtained by querying the same domain name over time is often very large  The resolved IPs are scattered across many different networks

7 7 Approach Passive analysis of recursive DNS  Not only email spam and precompiled domain blacklists  Active probing may be detected by the attacker Classify domains  previous works, single domain names are considered independently from each other

8 8 System Overview

9 9 Notation  q (d) : a DNS query performed by a user at time t i to resolve the set of IP addresses owned by domain name d  Q (d) i : the total number of DNS queries related to d ever seen until t i  T (d) : the TTL of the DNS response  Ť (d) i : the maximum TTL ever observed for d  P (d) : the set of resolved Ips returned by the RDNS server  prefix(P (d), 16) : the set of distinct /16 network prefixes extracted from P (d)  R (d) i : the cumulative set of all the resolved IPs ever seen for d until time t i  G (d) i : a sequence of pairs {(t j, r (d) j )} j=1..i where r (d) j = |R (d) j | − | R (d) j −1|

10 10 Traffic Volume Reduction (F1)  q (d) = (t i, T (d), P (d) )  F1-a) T (d) <= 10800 seconds (i.e., 3 hours) Because such domain names ( TTL >= 10800) are unlikely to be “fluxing”  F1-b) |P (d) | >= 3 OR T (d) <= 30 Because the uptime of each flux agent is not easily predictable  A large set of resolved IPs, or  A very low TTL ( equal or close to zero )  F1-c) p = |prefix(P (d),16)| / |P (d) | >= 1/3 Flux agents are often across many different networks and organizations

11 11 Periodic List Pruning (F2)  d = (t i, Q (d) i, Ť (d) i, R (d) i, G (d) i )  F2-a) Q i > 100 AND |G (d) i | < 3 AND ( |R (d) i | <= 5 OR p <= 0.5 ), remove from a list of candidate flux domains domain names that do not pass F2 are very unlikely to be related to flux services

12 12 Domain Clustering  IP-based Domain Clustering a number of fast-flux domain names all point to the same flux service  single-linkage hierarchical clustering algorithm Input: a similarity matrix; Output: a dendrogram The length of the edges represent the distance between clusters

13 13 Service Classifier  “Passive” feature -- collected by passively monitoring the DNS queries Ψ1-Number of resolved IPs Ψ2-Number of domains Ψ3-Avg. TTL per domain Ψ4-Network prefix diversity  the ratio between the number of distinct /16 network prefixes and the total number of IPs Ψ5-Number of domains per network  how many domains can be associated to the IPs in a cluster, throughout different epochs Ψ6-IP Growth Ratio 

14 14 Service Classifier  “Active” feature -- need some additional external information to be computed Ψ7-Autonomous System (AS) diversity Ψ8-BGP prefix diversity Ψ9-Organization diversity Ψ10-Country Code diversity Ψ11-Dynamic IP ratio  a reverse (type PTR) DNS lookup for each IP,“dhcp”, “dsl”, “dial-up”, etc., Ψ12-Average Uptime Index  actively probing each IP in a cluster about six times a day for a predefined number of days  C4.5 decision-tree classifier

15 15 Collecting RDNS Traffic  2009/3/1 ~2009/4/14  two traffic sensors in front of two different RDNS servers of ISP  more than 4 million users  about 1.3 billion DNS queries of type A and CNAME per sensor  over 2.5 billion DNS queries per day related to hundreds of millions of distinct domain names

16 16 Evaluation of the Service Classifier  we manually inspected and labeled a fairly large number of clusters of domains AUCDRFP All Features0.992 (0.003)99.7% (0.36)0.3% (0.36) Passive Features0.993 (0.005)99.4% (0.53)0.6% (0.53) Ψ6, Ψ3, Ψ50.989 (0.006)99.3% (0.49)0.7% (0.49) Table I: Classification performance computed using 5-fold cross-validation. AUC=Area Under the ROC Curve; DR=Detection Rate; FP=False Positive Rate. The numbers between parenthesis represent the standard deviation of each measure.

17 17 Can this Contribute to Spam Filtering?  Intuition if the domain name of the website points to one or more previously detected flux agents, it is very likely that the website is malicious

18 18  Detection rate: 90% to 95%  that several of the domain names detected as malicious did not appear to have a “fluxing” behavior themselves, but resolved to a flxed set of IP that partially intersected with the IP of flux agents

19 19 Conclusions  passive approach for detecting malicious flux service networks in-the-wild Not limited to the analysis of suspicious domain names extracted from spam emails or precompiled domain blacklists  Our passive detection and tracking of malicious flux service networks may benefit spam filtering applications


Download ppt "1 Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Speaker: Jun-Yi Zheng 2010/03/29."

Similar presentations


Ads by Google