dnssm a large scale passive dns security monitoring
play

DNSSM: A Large Scale Passive DNS Security Monitoring Framework - PowerPoint PPT Presentation

Jan 05, 2023 •37 likes •217 views

samuel.marchal@uni.lu 16/04/12 DNSSM: A Large Scale Passive DNS Security Monitoring Framework Samuel Marchal, J er ome Fran cois, Cynthia Wagner, Radu State, Alexandre Dulaunoy, Thomas Engel, Olivier Festor Motivation Solution

  1. samuel.marchal@uni.lu 16/04/12 DNSSM: A Large Scale Passive DNS Security Monitoring Framework Samuel Marchal, J´ erˆ ome Fran¸ cois, Cynthia Wagner, Radu State, Alexandre Dulaunoy, Thomas Engel, Olivier Festor

  2. Motivation Solution Experiments and Results Conclusion Outline 1 Motivation 2 Solution 3 Experiments and Results 4 Conclusion 2 / 18

  3. Motivation Solution Experiments and Results Conclusion Outline 1 Motivation 2 Solution 3 Experiments and Results 4 Conclusion 3 / 18

  4. Motivation Solution Experiments and Results Conclusion Overview of DNS ◮ DNS (Domain Name System) is the service that maps a domain name to its associated IP addresses www.example.com = ⇒ 123.45.6.78 ◮ DNS is the service that allows to find information about a domain : ◮ A : IPv4 address ◮ AAAA : IPv6 address ◮ MX : Mail server ◮ NS : Authoritative DNS server ◮ TXT : any information 4 / 18

  5. Motivation Solution Experiments and Results Conclusion Why DNS monitoring ? ◮ DNS: ◮ critical Internet service ◮ threats: cache poisoning, typosquatting, DNS tunnelling, fast/double-flux ⇒ enhance: phishing, botnet C&C communications, covered channel communications etc. ⇒ Patterns in DNS packet fields and DNS querying behavior ◮ Passive DNS monitoring to detect: ◮ worm infected hosts ◮ malicious backdoor communication ◮ botnet participating hosts ◮ phishing websites hosting 5 / 18

  6. Motivation Solution Experiments and Results Conclusion Existing solutions ◮ Mainly use supervised classification techniques ◮ SVM, tree, rules, etc. ◮ require malicious data for training ◮ Targeted identification of malicious domains ◮ C&C communication involved domains ◮ Phishing domains ◮ Spamming domains ◮ etc. 6 / 18

  7. Motivation Solution Experiments and Results Conclusion Outline 1 Motivation 2 Solution 3 Experiments and Results 4 Conclusion 7 / 18

  8. Motivation Solution Experiments and Results Conclusion Clustering Automated clustering technique for online analysis ◮ No previous knowledge ◮ Group domains regarding their activity ◮ DNS information ⇒ Domain activity ◮ Disclose the raise of new threats ◮ K-means clustering ◮ 10 relevant features 8 / 18

  9. Motivation Solution Experiments and Results Conclusion Features For each domain observed: ◮ Number of IP addresses ◮ IP scattering : entropy based and position weighted ◮ mean TTL ◮ Requests count ◮ Period of observation ◮ Requests per hour ◮ Name servers count ◮ Number of subdomains ◮ Blacklisted flag 9 / 18

  10. Motivation Solution Experiments and Results Conclusion User interface DNSSM is an approach for automated analysis of DNS (passive traffic) ◮ Manual assistance in tracking anomalies: ◮ Feed with cap file ◮ All DNS packet fields extracted ◮ MySQL database storage model ◮ Web interface ◮ Fast and efficient mining functions ◮ Integrates with existing blacklist tools to assist in tagging data ◮ Detection of fast/double flux domains, DNS tunnelling, etc. ◮ Freely downloadable at: https://gforge.inria.fr/\docman/view.php/3526/ 7602/kit_dns_anomalies.tar.gz 10 / 18

  11. Motivation Solution Experiments and Results Conclusion Architecture 11 / 18

  12. Motivation Solution Experiments and Results Conclusion Outline 1 Motivation 2 Solution 3 Experiments and Results 4 Conclusion 12 / 18

  13. Motivation Solution Experiments and Results Conclusion Experiments ◮ 2 datasets ( � = location, � = type of network, � = users, � = quantity) ◮ Automatic results from k-means: 8 clusters exhibiting different properties ◮ Cluster 5: apple.com, amazon.fr, adobe.com(highly popular websites) 13 / 18

  14. Motivation Solution Experiments and Results Conclusion Results ◮ Cluster 6: google.com. skype.com, facebook.com (higly popular web sites) ◮ Cluster 7: tradedoubler.com, doubleclick.net, quantcast.com (user tracking) ◮ Cluster 3: akamai, cloudfront.net (CDN) 14 / 18

  15. Motivation Solution Experiments and Results Conclusion Results ◮ Cluster 0: small websites with low popularity 15 / 18

  16. Motivation Solution Experiments and Results Conclusion Outline 1 Motivation 2 Solution 3 Experiments and Results 4 Conclusion 16 / 18

  17. Motivation Solution Experiments and Results Conclusion Conclusion ◮ Passive DNS monitoring solution ◮ Analysis of domain names activity ◮ Relevant data mining algorithm (unsupervised clustering techniques) ◮ Efficiency proved on two different datasets ◮ Freely downloadable interface ◮ Applications: ◮ Investigate cyber security fraud ◮ Debug DNS deployment ◮ Penetration testing 17 / 18

  18. samuel.marchal@uni.lu 16/04/12 DNSSM: A Large Scale Passive DNS Security Monitoring Framework Samuel Marchal, J´ erˆ ome Fran¸ cois, Cynthia Wagner, Radu State, Alexandre Dulaunoy, Thomas Engel, Olivier Festor

Recommend

Conducting large-scale active and passive measurements of SSH deployments Oliver Gasser Master

Conducting large-scale active and passive measurements of SSH deployments Oliver Gasser Master

Conducting large-scale active and passive measurements of SSH deployments Oliver Gasser Master Thesis Advisor: Ralph Holz Chair for Network Architectures and Services Faculty of Computer Science Technische Universit at M unchen June

594 views • 17 slides
Supporting decision making in security forces command center at large-scale events via

Supporting decision making in security forces command center at large-scale events via

Supporting decision making in security forces command center at large-scale events via video-based situation monitoring and base data supply Armin Kfler 1 , Viktoria Pammer-Schindler 2 , Alexander Almer 1 , Thomas Schnabel 1 1 JOANNEUM

439 views • 42 slides
Large scale retrofit of the UK in 10 years? Aneaka Kellay, Carbon Co-op Credit: Passive House Plus

Large scale retrofit of the UK in 10 years? Aneaka Kellay, Carbon Co-op Credit: Passive House Plus

Large scale retrofit of the UK in 10 years? Aneaka Kellay, Carbon Co-op Credit: Passive House Plus Magazine, https://passivehouseplus.ie/news/health/disastrous-preston-retrofit-scheme-remains-unresolved EWI was meant to increase the value of

296 views • 8 slides
Large-scale performance monitoring framework for cloud monitoring Run-Time Latency Detection in

Large-scale performance monitoring framework for cloud monitoring Run-Time Latency Detection in

Large-scale performance monitoring framework for cloud monitoring Run-Time Latency Detection in Production Julien Desfossez Michel Dagenais Dcembre 2014 cole Polytechnique de Montreal Latency-tracker Kernel module to track down

524 views • 17 slides
Large-scale performance monitoring framework for cloud monitoring Live Trace Reading and

Large-scale performance monitoring framework for cloud monitoring Live Trace Reading and

Large-scale performance monitoring framework for cloud monitoring Live Trace Reading and Processing Julien Desfossez Michel Dagenais May 2014 cole Polytechnique de Montreal Live Trace Reading Read the trace while it is being recorded

357 views • 35 slides
Optimizing Sensor Deployment and Maintenance Costs for Large-Scale Environmental Monitoring

Optimizing Sensor Deployment and Maintenance Costs for Large-Scale Environmental Monitoring

Optimizing Sensor Deployment and Maintenance Costs for Large-Scale Environmental Monitoring Xiaofan Yu 1 , Kazim Ergun 1 , Ludmila Cherkasova 2 , Tajana imuni Rosing 1 1 University of California San Diego 2 Arm Research System Energy

325 views • 21 slides
Efficient and Large-Scale Infrastructure Monitoring with Tracing Julien.desfossez@ ef cios.com

Efficient and Large-Scale Infrastructure Monitoring with Tracing Julien.desfossez@ ef cios.com

CloudOpen Europe 2013 Efficient and Large-Scale Infrastructure Monitoring with Tracing Julien.desfossez@ ef cios.com 1 Content Overview of tracing and LTTng LTTng features for Cloud Providers LTTng as a monitoring tool

705 views • 25 slides
Toward S Scalable M Monitoring on L Large-Sc Scale e Storage for S Softw tware D Defi

Toward S Scalable M Monitoring on L Large-Sc Scale e Storage for S Softw tware D Defi

Toward S Scalable M Monitoring on L Large-Sc Scale e Storage for S Softw tware D Defi fined Cyb yberinfrastr tructu ture Arnab K. Paul , Ryan Chard , Kyle Chard , Steven Tuecke , Ali R. Butt , Ian Foster

582 views • 24 slides
SECURITY MONITORING OF HTTP TRAFFIC USING EXTENDED FLOWS Thursday 27 th August, 2015 Martin

SECURITY MONITORING OF HTTP TRAFFIC USING EXTENDED FLOWS Thursday 27 th August, 2015 Martin

SECURITY MONITORING OF HTTP TRAFFIC USING EXTENDED FLOWS Thursday 27 th August, 2015 Martin Husk Petr Velan Jan Vykopal Introduction HTTP is the new IP and we want keep an eye on it. Large-scale monitoring of HTTP traffic was problematic:

500 views • 17 slides
Monitoring and modeling the field-level crop productivity and water uses for large-scale

Monitoring and modeling the field-level crop productivity and water uses for large-scale

Monitoring and modeling the field-level crop productivity and water uses for large-scale applications Dr. Kaiyu Guan (kaiyug@Illinois.edu) Assistant professor, Dept. of Nature Resources and Environmental Sciences Blue Waters Professor, National

400 views • 11 slides
FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large

FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large

FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large Scale Solar Lead April 2017 CONTENTS 1. Introduction to CEFC 2. Investment trends 3. The future of large scale solar 4. Pathway to sustainable

664 views • 21 slides
Large-Scale Flow Monitoring Through Open Source Software Luca Deri <deri@ntop.org> 1 AIMS

Large-Scale Flow Monitoring Through Open Source Software Luca Deri <deri@ntop.org> 1 AIMS

Large-Scale Flow Monitoring Through Open Source Software Luca Deri <deri@ntop.org> 1 AIMS 2010 - 23.06.2010 Monitoring Goals Analysis of LAN and WAN Traffic Unaggregated raw data storage for the near past (-3 days) and long-term

612 views • 58 slides
A Large Scale Analysis of the Security of Embedded Firmwares A. Costin , J. Zaddach, A.

A Large Scale Analysis of the Security of Embedded Firmwares A. Costin , J. Zaddach, A.

A Large Scale Analysis of the Security of Embedded Firmwares A. Costin , J. Zaddach, A. Francillon, D. Balzarotti EURECOM, France 20th August 2014 USENIX Security '14 San Diego, USA Embedded Systems Are Everywhere Andrei Costin 2 By

1.03k views • 72 slides
Monitoring, modelling and managing land use change on a large scale Hermann Lotze-Campen Potsdam

Monitoring, modelling and managing land use change on a large scale Hermann Lotze-Campen Potsdam

Monitoring, modelling and managing land use change on a large scale Hermann Lotze-Campen Potsdam Institute for Climate Impact Research (PIK) ALTER-Net Summer School, Peyresq, 07 Sep 2008 What makes God laugh? Tell him about your future

353 views • 21 slides
Large-scale performance monitoring framework Julien Desfossez Michel Dagenais May 2013 cole

Large-scale performance monitoring framework Julien Desfossez Michel Dagenais May 2013 cole

Large-scale performance monitoring framework Julien Desfossez Michel Dagenais May 2013 cole Polytechnique de Montreal Summary Introduction Research question Objectives Litterature review Detailled objectives Future

570 views • 28 slides
LOBSTER Large-Scale Monitoring of Broadband Internet Infrastructure Arne sleb

LOBSTER Large-Scale Monitoring of Broadband Internet Infrastructure Arne sleb

LOBSTER Large-Scale Monitoring of Broadband Internet Infrastructure Arne sleb arneos@uninett.no UNINETT Evangelos Markatos & Panos Trimintzios markatos@ics.forth.gr ptrim@ics.forth.gr FORTH Broadband Europe 8-10 December, Brugge

97 views • 8 slides
Passive Treatment of Mining Influenced Water: From Bench Scale to O & M From Bench Scale to O

Passive Treatment of Mining Influenced Water: From Bench Scale to O & M From Bench Scale to O

Passive Treatment of Mining Influenced Water: From Bench Scale to O & M From Bench Scale to O & M BIOCHEMICAL REACTOR CONSTRUCTION, MINE POOL CHEMISTRY CHANGES, & O & M , GOLINSKY MINE, CALIFORNIA Jim Gusek, Sovereign

740 views • 59 slides
INCORPORATING LARGE-SCALE CITIZEN INCORPORATING LARGE-SCALE CITIZEN DELIBERATION INTO

INCORPORATING LARGE-SCALE CITIZEN INCORPORATING LARGE-SCALE CITIZEN DELIBERATION INTO

INCORPORATING LARGE-SCALE CITIZEN INCORPORATING LARGE-SCALE CITIZEN DELIBERATION INTO ENVIRONMENTAL CONFLICT RESOLUTION America Speaks presentation to the 2008 ECR Conference Table Introductions Please form groups of 4-5 and give: Your name

848 views • 41 slides
Large-Scale Survey Interviewing Following Large Scale Survey Interviewing Following the 2008

Large-Scale Survey Interviewing Following Large Scale Survey Interviewing Following the 2008

Large-Scale Survey Interviewing Following Large Scale Survey Interviewing Following the 2008 WenChuan Earthquake Zhang Huafeng and Jon Pedersen International Blaise Users Conference (IBUC) Baltimore, USA , 1 Introduction Two household

712 views • 22 slides
Monitoring Tools for Large Scale Systems Presented by David Dillow Ross Miller, Jason Hill,

Monitoring Tools for Large Scale Systems Presented by David Dillow Ross Miller, Jason Hill,

Monitoring Tools for Large Scale Systems Presented by David Dillow Ross Miller, Jason Hill, David Dillow, Raghul Gunasekaran, Galen Shipman, Don Maxwell 1 Brief overview of Spider 10 PB storage to users 244 GB/s demonstrated bandwidth

458 views • 16 slides
A Large-Scale Analysis of the Security of Embedded Firmwares Andrei Cos+n, Jonas Zaddach, Aurlien

A Large-Scale Analysis of the Security of Embedded Firmwares Andrei Cos+n, Jonas Zaddach, Aurlien

A Large-Scale Analysis of the Security of Embedded Firmwares Andrei Cos+n, Jonas Zaddach, Aurlien Francillon, and Davide Balzaro:, Eurecom h;ps://www.usenix.org/conference/usenixsecurity14/technical-sessions/presenta+on/ cos+n Saeid Mofrad

1.14k views • 22 slides
Navigating the Pitfalls and Promises of Network Security Monitoring (NSM) Who are we? Dr. Scott

Navigating the Pitfalls and Promises of Network Security Monitoring (NSM) Who are we? Dr. Scott

Navigating the Pitfalls and Promises of Network Security Monitoring (NSM) Who are we? Dr. Scott Miserendino Michael Gora Chief Data Scientist System Architect Cyber Security Start-Up Started in 2013 Born out of a large defense

342 views • 19 slides
A Distributed Approach to Large Scale Security Constrained Unit Commitment Problem Kaan Egilmez

A Distributed Approach to Large Scale Security Constrained Unit Commitment Problem Kaan Egilmez

A Distributed Approach to Large Scale Security Constrained Unit Commitment Problem Kaan Egilmez Cambridge Energy Solutions FERC Technical Conference on Increasing Real-Time and Day-Ahead Market Efficiency through Improved Software June

381 views • 24 slides
Large-scale production of graphene: Introduction Large-scale production of graphene: what is

Large-scale production of graphene: Introduction Large-scale production of graphene: what is

Large-scale production of graphene: Introduction Large-scale production of graphene: what is graphene? Graphene is a truly 2D system made of Carbon atoms arranged in an honeycomb hexagonal lattice Zero-gap semiconductor with a low-energy linear

268 views • 6 slides

More recommend