grandma has a problem
play

Grandma has a problem An email or web banner offered her a free - PowerPoint PPT Presentation

Nov 24, 2023 •211 likes •937 views

Internet Special Ops Stalking Badness Through Data Mining Paul Vixie Andrew Fried Dr. Chris Lee Grandma has a problem An email or web banner offered her a free demo of the game Bejeweled 3D She clicked yes to download a

  1. Internet Special Ops Stalking Badness Through Data Mining Paul Vixie Andrew Fried Dr. Chris Lee

  2. Grandma has a problem  An email or web banner offered her a free demo of the game Bejeweled 3D  She clicked “yes” to download a program.  New unrecognized malware?  Anti-virus out of date or otherwise not effective?

  3. Her PC is 0wned  An error message is displayed. Oh well.  Unknowing, she goes back to playing Bejeweled 2.  PC is now under control of someone else.  All she notices that its sluggish or slower than normal, but still usable.

  4. What data can be collected Toolbar in her browser logged a query to the download site  Toolbar maintainers notice thousands of others have made similar  visits today where none made before and log it. AV software logged the download and unsuccessful match against  known malware AV maintainers see several similar downloads across user base base  on signature. Browser performed a DNS query to lookup website  ISP recursive server logs and shares Passive DNS information  Other ISPs see the same 

  5. What data can be collected  Her PC started talking with C&C server on a high TCP port  ISP captured and shared netflow data for her sessions  DHCP logs track her PC's IP to her access device  The next day, her PC starts sending out SPAM  IP address is different, but ISP tracks IP via DHCP logs to same access device  Recursive nameserver at ISP sees unusually high number of MX lookups from her IP.  Noted traffic flow on port 25 outbound has increased.  DNSBL sites start seeing manymore lookup requests based on her IP

  6. What data can be collected  More spam is sent  A spamtrap picks up a few of the messages sent by her PC  People using webmail started marking the messages as spam  URLs from the spam messages were submitted to SURBL  Similar emails are logged at mail service providers coming from lots of other IPs.  People started submitting messages to spamcop

  7. What data can be collected  Her PC starts probing nearby and remote networks for an attack vector  ISP netflow logs attempt to talk to bogus IPs  Darknet sensors pick up connection attempts  A military firewall gateway picks up connection attempts  A corporate firewall vendor sees logs from several customers' installations of probes from common sources.  Her PC successfully attacks an unpatched honeypot at a University research center.

  8. What data can be collected  Meanwhile, a day earlier, domains were registered at a registrar for a Pacific island.  All were registered at the same time  All have bogus registration information for an address between two casinos in Las Vegas  The domains were all purchased using the same credit card that had not yet been reported stolen – no chargebacks yet.  Malware links in spams use URLs in these domains.  Registrar logged CAPTCHA access during registration came from VPN service hosted in ex-Soviet republic.

  9. What data can be collected  The VPN service is hosted at an ISP in the same BGP AS number of some of the C&C servers.  Passive DNS collected from ISPs see other suspect domains (randomly created or containing known phishing keywords) on nearby IP addresses.  Web crawlers identify a similar header signature used on webservers hosted on several of the neighboring IPs.  Web crawlers found malware and phishing kits on some of the neighboring servers.

  10. Do we collect it? Do we share it?  Ideally: Security data is collected and either shared or made readily accessible in a trusted community in real time.  Today: Security data is mostly discarded or at least not shared in a common framework.

  11. Challenges  Miscreants operate behind the scenes on stolen or leased resources. They only need to organize within infrastructure for a short period of time to be effective.  Unlike ISPs or user populations, they have nothing real to defend.  Time window between allocation of resources and attack is shrinking.  Asking peers on a security mailing list for information can take too long to be effective.

  12. Disparate data types

  13. Bi-lateral information flows

  14. ISC SIE – enabling data mining

  15. Internet Special Ops Stalking Badness Through Data Mining Data mining is the process of extracting hidden patterns from data -- Wikipedia

  16. Internet Special Ops Stalking Badness Through Data Mining Finding a “target” on the Internet requires the collection and analysis of unprecedented amounts of data from a variety of sources throughout the world

  17. Internet Special Ops Stalking Badness Through Data Mining Data Mining • Identification • Collection • Normalization • Reduction • Add Derivative Data • Analysis • Putting the pieces together

  18. Internet Special Ops Stalking Badness Through Data Mining Example Data Sources • Passive DNS – 12,000 per second • Spamtrap Data – 3,500 per second • Domain Registrations – 450,000 per day • Tracking Nameservers – 2,600,000 per day • BGP/ASN Data – 288,000 ASNs • Malware Samples (unfortunately, a LOT!) • Conficker Infected Hosts – over 5 million

  19. Internet Special Ops Stalking Badness Through Data Mining The goal of data mining

  20. Internet Special Ops Stalking Badness Through Data Mining The tools of the “trade” • Bandwidth • Storage • Fast servers + RAM • Databases • Intuition & Ingenuity

  21. Internet Special Ops Stalking Badness Through Data Mining Data Normalization • Standard format • Common fields • “Relational Characteristics” • Compatible with database

  22. Internet Special Ops Stalking Badness Through Data Mining Data Reduction • Pruning Data • Packing data (Integer vs IP) • Summarization Tables

  23. Internet Special Ops Stalking Badness Through Data Mining Derivative Data Developing new datasets through relational characteristics of your original and possibly disparate processed data Produces “3D” views of your data Very effective method for trend analysis with relational databases

  24. Internet Special Ops Stalking Badness Through Data Mining DNS is the central nervous system of the Internet. Virtually all analysis of events on the Internet begin with DNS records, or more specifically, IP addresses. By themselves, an IP address identifies a single host. But what else can we learn from a lowly IP address?

  25. Internet Special Ops Stalking Badness Through Data Mining Enumerating IP addresses First, we can attempt to find the reverse arpa (PTR) records for a given IP address. That often tells us the domain name of the host.

  26. Internet Special Ops Stalking Badness Through Data Mining Enumerating IP addresses Next, we can identify who “owns” that IP address (registered netblock owner).

  27. Internet Special Ops Stalking Badness Through Data Mining Enumerating IP addresses In order to reach an address on the Internet, routers need to know how to route traffic to the subnet containing that address. BGP routing tables can provide us with that answer, providing both the ASN number and other netblocks served from the same ASN.

  28. Internet Special Ops Stalking Badness Through Data Mining Enumerating IP addresses GeoIP databases can assist us in determining the geographic location of the host. Data can include country, city and state and even latitude and longitude coordinates that can be used in distance calculations.

  29. Internet Special Ops Stalking Badness Through Data Mining Enumerating IP addresses IP addresses can also be associated to fully qualified domain names and authoritative nameservers through passive DNS (assuming PTR records are inaccurate or unavailable).

  30. Internet Special Ops Stalking Badness Through Data Mining Enumerating IP addresses Using a combination of both active and passive DNS, we can determine if an IP addresses appears in more than one published DNS resource record.

  31. Internet Special Ops Stalking Badness Through Data Mining Enumerating IP addresses Using SPAM trap data, we can determine if the IP address and enumerated domain name is appearing in SPAM and if the netblock appears in RBLs.

  32. Internet Special Ops Stalking Badness Through Data Mining Tying the IP Pieces Together DNS PTR records Netblock owner via RIR records ASN via BGP data Location via GeoIP FQDN via active and passive DNS Authoritative nameserver(s) through enumeration Appearance of domain in SPAM & RBLs

  33. Internet Special Ops Stalking Badness Through Data Mining What kind of questions can we NOW ask of the data? How many spam messages originate from a particular ASN? What percentage of domains on a given nameserver are RBL’ed? How many domains resolve back to a single IP address? How many infected machines are located in { $country } ? How many nameservers are hosted on a given IP address? What domains is a given nameserver authoritative for?

  34. Internet Special Ops Stalking Badness Through Data Mining How can we Use Passive DNS to Identify Fast Flux Botnets?

  35. Internet Special Ops Stalking Badness Through Data Mining How can we Use Passive DNS to Identify Fast Flux Botnets? Multiple IP addresses / low TTLs Generally hosted on compromised boxes Geographically dispersed Newly registered domain names

Recommend

zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA Coffee with the Counselors Great Grandma

zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA Coffee with the Counselors Great Grandma

zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA Coffee with the Counselors Great Grandma Grabner Benld, IL 1956 Substance Abuse Prevention Substance Abuse is an on-going problem among middle school aged students. Join a professional in

320 views • 21 slides
Small Number is a 5 year-old boy who gets into a lot of mischief. He lives with his Grandma and

Small Number is a 5 year-old boy who gets into a lot of mischief. He lives with his Grandma and

Small Number is a 5 year-old boy who gets into a lot of mischief. He lives with his Grandma and Grandpa, who patiently put up with his antics, in a small settlement with 7 tipis arranged in a circle. Ama sahkomapii anista Poksskaaksini.

284 views • 12 slides
Top 10 Cancer Causing Foods You 60 Year Old Grandma Looks 30 Eat Every Day Lifefactopia Please

Top 10 Cancer Causing Foods You 60 Year Old Grandma Looks 30 Eat Every Day Lifefactopia Please

Naturalon Her Life & Beauty Top 10 Cancer Causing Foods You 60 Year Old Grandma Looks 30 Eat Every Day Lifefactopia Please Don't Pay Full Price for Must Wrinkle Free Face The Best Way To Remove Eye Bags Have Michael Kors Bags. Here's

238 views • 6 slides
Small Number is a 5 year-old boy who gets into a lot of mischief. He lives with his Grandma and

Small Number is a 5 year-old boy who gets into a lot of mischief. He lives with his Grandma and

Small Number is a 5 year-old boy who gets into a lot of mischief. He lives with his Grandma and Grandpa, who patiently put up with his antics, in a small settlement with 7 tipis arranged in a circle. One day Small Number wanders out into the

263 views • 11 slides
Small Number is a five year-old boy who gets into a lot of mischief. He lives with his Grandma and

Small Number is a five year-old boy who gets into a lot of mischief. He lives with his Grandma and

Small Number is a five year-old boy who gets into a lot of mischief. He lives with his Grandma and Grandpa, who patiently put up with his antics most of the time. Today, Grandpa needs to finish carving a feast dish and decides that Small Number

404 views • 7 slides
What, Grandma Made Uncle Rico Trustee? (Advising Non-professional Fiduciaries) Presented By:

What, Grandma Made Uncle Rico Trustee? (Advising Non-professional Fiduciaries) Presented By:

What, Grandma Made Uncle Rico Trustee? (Advising Non-professional Fiduciaries) Presented By: Michael B. Giles Bennett Tueller Johnson & Deere 3165 E. Millrock Drive, Ste. 500 Salt Lake City, Utah 84121 (801) 438-2000 mgiles@btjd.com

478 views • 15 slides
Commonsense resources Grandmas glasses Toms grandma was reading a new book, when she

Commonsense resources Grandmas glasses Toms grandma was reading a new book, when she

Commonsense resources Grandmas glasses Toms grandma was reading a new book, when she dropped her glasses. She couldnt pick them up, so she called Tom for help. Tom rushed to help her look for them, they heard a loud crack. They

879 views • 59 slides
In-Home Daily-Life Captioning Using Radio Signals Lijie Fan* Tianhong Li* Yuan Yuan

In-Home Daily-Life Captioning Using Radio Signals Lijie Fan* Tianhong Li* Yuan Yuan

In-Home Daily-Life Captioning Using Radio Signals Lijie Fan* Tianhong Li* Yuan Yuan Dina Katabi MIT CSAIL * denotes equal contribution How can I make sure grandma is fine? How can I make sure grandma is fine? Daily Life Captioning

496 views • 25 slides
1 Not only does a great mom (or grandma) MODEL, but she also... OBSERVE What do I mean by

1 Not only does a great mom (or grandma) MODEL, but she also... OBSERVE What do I mean by

Influential M.O.M.s - 05.13.10 Intro: Where Is God? joke: http://www.freetimejokes.com/ mothers-day-jokes/where-is-god Were in BIG trouble this time. God is missing and they think WE did it! Moms have so much more influence than

399 views • 3 slides
Problem-Solving with Only 28% of employers classify college graduates Think-Alouds problem

Problem-Solving with Only 28% of employers classify college graduates Think-Alouds problem

12/5/14 Analysis of the situation Problem-solving is viewed as necessary for success in STEM fields, with the American Chemical Society (ACS) going so far as to refer to problem-solving as the ultimate goal. Problem-Solving with

316 views • 4 slides
Problem Problem Problem A.R.S.S (Anonymity) AdBlock VPN DNS Crypt A.R.S.S (Reliability)

Problem Problem Problem A.R.S.S (Anonymity) AdBlock VPN DNS Crypt A.R.S.S (Reliability)

Problem Problem Problem A.R.S.S (Anonymity) AdBlock VPN DNS Crypt A.R.S.S (Reliability) OpenBSD Higher Availability IDS M:Tier A.R.S.S (Security) DNS Reshaping DNS Local Resolver NTP DMZ A.R.S.S (Stability) Packet

415 views • 16 slides
THE BIG PROBLEM Getting to know your team, the Big Problem and its Systemic Root Causes Dorica

THE BIG PROBLEM Getting to know your team, the Big Problem and its Systemic Root Causes Dorica

PHASE 1: SYSTEM CHANGE JOURNEY THE BIG PROBLEM Getting to know your team, the Big Problem and its Systemic Root Causes Dorica Dans team working for rare diseases CLARIFYING THE BIG PROBLEM 2. Consequences if problem is not solved (relevance)

179 views • 7 slides
BUFFERDeBLOAT A SURVEY OF DIFFERENT WAYS TO COUNTER-BUFFERBLOAT Problem Problem Problem

BUFFERDeBLOAT A SURVEY OF DIFFERENT WAYS TO COUNTER-BUFFERBLOAT Problem Problem Problem

BUFFERDeBLOAT A SURVEY OF DIFFERENT WAYS TO COUNTER-BUFFERBLOAT Problem Problem Problem Simulation Setup Result Analysis Suggestion Bufferbloat is the existence of excessively large (bloated) buffers in systems, AFFECTED

369 views • 26 slides
Statement Problem A: Bijection In this problem, you have to establish a bijection between

Statement Problem A: Bijection In this problem, you have to establish a bijection between

Problem A: Bijection Statement Statement Problem A: Bijection In this problem, you have to establish a bijection between combinations and pairs of a regular bracket sequence and an integer. Ivan Kazmenko (SPb SU) Problem Analysis 28.01.2020

2.1k views • 181 slides
Chapter Two Problem Solving Using Search Defining the Problem How do you represent a problem

Chapter Two Problem Solving Using Search Defining the Problem How do you represent a problem

Chapter Two Problem Solving Using Search Defining the Problem How do you represent a problem so that the computer can solve it? Even before that, how do you define the problem with enough precision so that you can figure out how to

498 views • 30 slides
Problem solving and search Chapter 3 Chapter 3 1 Outline Problem-solving agents Problem

Problem solving and search Chapter 3 Chapter 3 1 Outline Problem-solving agents Problem

Revised by Hankui Zhuo, March 7, 2018 Problem solving and search Chapter 3 Chapter 3 1 Outline Problem-solving agents Problem types Problem formulation Example problems Basic search algorithms Chapter 3 2 Problem-solving

934 views • 70 slides
Reduction Informal Definition A problem A is reducible to problem B iff the solution to problem B

Reduction Informal Definition A problem A is reducible to problem B iff the solution to problem B

Reduction Informal Definition A problem A is reducible to problem B iff the solution to problem B can be used to solve the problem A . Computability and Complexity This means that solving A cannot be more difficult than solving B . Lecture 5 In

187 views • 3 slides
Problem Definition Techniques 4. 1. K-T Problem Critical Analysis Thinking Problem

Problem Definition Techniques 4. 1. K-T Problem Critical Analysis Thinking Problem

Problem Definition Techniques 4. 1. K-T Problem Critical Analysis Thinking Problem Definition Techniques 3. 2. Statement Present / Desired Restatement State Duncker Diagram Slides mainly adapted from Dr. Foglers Strategies for

763 views • 33 slides
Last time: Problem-Solving Problem solving: Goal formulation Problem formulation

Last time: Problem-Solving Problem solving: Goal formulation Problem formulation

Last time: Problem-Solving Problem solving: Goal formulation Problem formulation (states, operators) Search for solution Problem formulation: Initial state ? ? ? ? 1 Last time: Problem-Solving Problem

361 views • 18 slides
Consciousness (cont.) Phil 255 The hard problem The hard problem is the mind - body problem

Consciousness (cont.) Phil 255 The hard problem The hard problem is the mind - body problem

Consciousness (cont.) Phil 255 The hard problem The hard problem is the mind - body problem Terminology due to renewed interest in Nagel s concerns from David Chalmers The easy problem ( which isn t so easy ) giving a scienti

411 views • 19 slides
with classical methods Visualisations Introduction The first problem Problem

with classical methods Visualisations Introduction The first problem Problem

with classical methods Visualisations Introduction The first problem Problem The second problem Given Problems Analysis Simplification Classification Discussion Complex Handling Lagrangian

689 views • 20 slides
Problem Sets E-M Reading: Problem Set 3 Forsyth & Ponce 16.1, 16.2

Problem Sets E-M Reading: Problem Set 3 Forsyth & Ponce 16.1, 16.2

Problem Sets E-M Reading: Problem Set 3 Forsyth & Ponce 16.1, 16.2 Distributed Tuesday, 3/18. Forsyth & Ponce 16.3 for challenge Due Thursday, 4/3 problem. Problem Set 4 Yair Weiss: Motion

197 views • 5 slides
Problem solving and search Chapter 3 Chapter 3 1 Outline Problem-solving agents Problem

Problem solving and search Chapter 3 Chapter 3 1 Outline Problem-solving agents Problem

Problem solving and search Chapter 3 Chapter 3 1 Outline Problem-solving agents Problem types Problem formulation Example problems Basic search algorithms Chapter 3 2 Problem-solving agents Restricted form of general

1k views • 74 slides
Problem solving and search Chapter 3 Chapter 3 1 Outline Problem-solving agents Problem

Problem solving and search Chapter 3 Chapter 3 1 Outline Problem-solving agents Problem

Problem solving and search Chapter 3 Chapter 3 1 Outline Problem-solving agents Problem types Problem formulation Example problems Basic search algorithms Chapter 3 3 Problem-solving agents Restricted form of general

973 views • 64 slides

More recommend