host profiling based on remote measurements
play

Host profiling based on remote measurements Robert Kulzer Advisor: - PowerPoint PPT Presentation

Dec 10, 2023 •1.29k likes •1.55k views

Host profiling based on remote measurements Robert Kulzer Advisor: Ralph Holz Master Thesis Chair for Network Architectures and Services Technische Universit at M unchen January 9, 2013 Robert Kulzer (TU M unchen) Host profiling

  1. Host profiling based on remote measurements Robert Kulzer Advisor: Ralph Holz Master Thesis Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen January 9, 2013 Robert Kulzer (TU M¨ unchen) Host profiling based on remote measurements 1

  2. Motivation Flaws in modern day Web security environment Gutmann example: Browser PKI Dubious domain having a valid SSL certificate Robert Kulzer (TU M¨ unchen) Host profiling based on remote measurements 2

  3. Motivation Diversification of defense mechanisms Use a set of characteristics to classify a host Can a “Risk-Assessment” based approach help → to deduce a domain’s trustworthiness? Robert Kulzer (TU M¨ unchen) Host profiling based on remote measurements 3

  4. Motivation Safe Domain name system Network configuration Domain registration information Geographic location AS information Unsafe e t n t - a k e c s m i i d R f s i i t l r a s e e v C s s s i A Robert Kulzer (TU M¨ unchen) Host profiling based on remote measurements 4

  5. Goals Goals Scanner framework Data collection Unveil distinctive characteristics for known sets of domains � Temporal � Current snapshot Scanners Autonomous Systems Geographic location Whois registration information Network configuration Domain name system Robert Kulzer (TU M¨ unchen) Host profiling based on remote measurements 5

  6. Approach Use distinctive sets of domains idealo.de crape.fi utp7.com urinoor.com tumblr.com dhl.de scentsy.com 96897.com wenmo.in mail.ru zeit.de critictoo.com finitysoft.com allspade.ru apple.com kicker.de firepits.com isellcc.net asfirey.net pinterest.com wetteronline.de vbulletin-tr.com m77s.cn directsupershop.com craigslist.org transfermarkt.de pigeon.cn bjahqeb.info drugfreecard.info bbc.co.uk n-tv.de detikmaya.com t5track.com esntionlatino.com ask.com ... ... ... ... ... AlDL DeAlDL RandAlDL RandMDL RecMDL Name Origin Description Amount of domains AlDL Worldwide 1,000 DeAlDL Alexa Top sites German 1,000 RandAlDL Random pick 1,000 RandMDL Random pick 1,000 DNS blackhole project RecMDL Current month 9,000 Robert Kulzer (TU M¨ unchen) Host profiling based on remote measurements 6

  7. Approach Define time intervals for scan runs � Time between scans does not exceed 10 days � Use all scanners in each scan run � Two scan series Scan 1 Scan 2 Scan 3 Scan 4 Scan 5 Evaluation series Robert Kulzer (TU M¨ unchen) Host profiling based on remote measurements 7

  8. Approach ASN id host_id nserver X n scanner Create tables a c S ASN log and functions id host_id ttl addr INFO: baz.org INFO: 117.es INFO: sdf9.com INFO: fsdfg.mx GeoIP 2 scanner Creating GeoIP log database schema INFO: foobar.ru INFO: 0317.dk INFO: 0s9.co.kr INFO: se57.pt S t Read a 4 Global r t configuration NMAP Domain s configuration Scanner c a scanner handler Individual domain parameters n n 1 e NMAP log and ip address feed r s INFO: 0007.ru INFO: 0317.com INFO: 0439.com INFO: 0457.com 3 Whois scanner WHOIS log INFO: bgsa.de INFO: 0651.net INFO: 0129.sk INFO: 0413.hk DNS scanner DNS log INFO: fttw4.to INFO: 7621.hu INFO: df439.ch INFO: esd3.nl Launch process Robert Kulzer (TU M¨ unchen) Host profiling based on remote measurements 8

  9. Evaluation - Autonomous Systems Which set of domains shows frequent alterations in the ASN configuration? Percentage of domains where an ASN change occured 12 10 8 6 4 2 0 A D R R R l D e a a e A n n c L l d d M D A M D L l D D L L L Domain list name scan 1->2 scan 2->3 scan 3->4 scan 4->5 Safe Unsafe Robert Kulzer (TU M¨ unchen) Host profiling based on remote measurements 9

  10. Evaluation - Geographic location Which domain lists can be affiliated with a set of countries? Safe Unsafe Robert Kulzer (TU M¨ unchen) Host profiling based on remote measurements 10

  11. Evaluation - Geographic location In which domain lists do relocations occur more often? 9 8 Percentage of hosts where country changes occured 7 6 5 4 3 2 1 0 A D R R R l D e a a e A n n c L d d M D l A M D L l D D L L L Domain list name scan 1->2 scan 2->3 scan 3->4 scan 4->5 Safe Unsafe Robert Kulzer (TU M¨ unchen) Host profiling based on remote measurements 11

  12. Evaluation - Whois registration information Which set of domains is registered for a shorter time? Domain list Average Q 0 . 5 AlDL 181.75 182.63 RandAlDL 84.50 73.03 RandMDL 41.25 24.37 RecMDL 44.00 24.37 (in months) Safe Unsafe Robert Kulzer (TU M¨ unchen) Host profiling based on remote measurements 12

  13. Evaluation - Network configuration Which set of domains has on average more open ports? 3 2.5 2 Open ports on a domain 1.5 1 0.5 0 A D R R R l e a a e D A n n c L l d d M D A M D L l D D L L L Quantiles Q-0.3 Q-0.5 Safe Unsafe Robert Kulzer (TU M¨ unchen) Host profiling based on remote measurements 13

  14. Evaluation - Domain name system Which group of domains changes their TTL configuration frequently? 2 1.9 1.8 Ratio (TTL changes / domain) 1.7 1.6 1.5 1.4 1.3 1.2 1.1 1 A CNAME MX NS SOA TXT Resource records AlDL DeAlDL RandAlDL RandMDL RecMDL Safe Unsafe Robert Kulzer (TU M¨ unchen) Host profiling based on remote measurements 14

  15. Evaluation - Domain name system Is the use of Google’s SPF an indication for a group of domains? Append anti-spoofing entry to TXT resource records Spam prevention with SPF (Sender Policy Framework) v=spf1 +all v=spf1 mx ip4:77.232.64.0/19 +all Google Apps to create SPF entries google-site-verification=mWlqvcJ4Jx0oKel6... Robert Kulzer (TU M¨ unchen) Host profiling based on remote measurements 15

  16. Evaluation - Domain name system Is the use of Google’s SPF an indication for a group of domains? 18 16 Percentage of domains using Google for SPF 14 12 10 8 6 4 scan1 scan2 scan3 scan4 scan5 AlDL DeAlDL RandAlDL RandMDL RecMDL Safe Unsafe Robert Kulzer (TU M¨ unchen) Host profiling based on remote measurements 16

  17. Dead ends (?) Multiple AS Not distinctive ASN Popular AS Not distinctive GeoIP Undetermined locations Insignificant Changes to update field Not distinctive Whois Changes to name servers Fluctuating behaviour OS similarities Imprecise data Nmap Frequent state changes Insignificant Low TTLs Not distinctive DNS Subset of RRs Not distinctive Robert Kulzer (TU M¨ unchen) Host profiling based on remote measurements 17

  18. Dead ends (?) Multiple AS Not distinctive ASN Popular AS Not distinctive GeoIP Undetermined locations Insignificant Changes to update field Not distinctive Whois Changes to name servers Fluctuating behaviour OS similarities Imprecise data Nmap Frequent state changes Insignificant Low TTLs Not distinctive DNS Subset of RRs Not distinctive Robert Kulzer (TU M¨ unchen) Host profiling based on remote measurements 18

  19. Dead ends (?) Multiple AS Not distinctive ASN Popular AS Not distinctive GeoIP Undetermined locations Insignificant Changes to update field Not distinctive Whois Changes to name servers Fluctuating behaviour OS similarities Imprecise data Nmap Frequent state changes Insignificant Low TTLs Not distinctive DNS Subset of RRs Not distinctive Robert Kulzer (TU M¨ unchen) Host profiling based on remote measurements 19

  20. Dead ends (?) Multiple AS Not distinctive ASN Popular AS Not distinctive GeoIP Undetermined locations Insignificant Changes to update field Not distinctive Whois Changes to name servers Fluctuating behaviour OS similarities Imprecise data Nmap Frequent state changes Insignificant Low TTLs Not distinctive DNS Subset of RRs Not distinctive Robert Kulzer (TU M¨ unchen) Host profiling based on remote measurements 20

  21. Dead ends (?) Multiple AS Not distinctive ASN Popular AS Not distinctive GeoIP Undetermined locations Insignificant Changes to update field Not distinctive Whois Changes to name servers Fluctuating behaviour OS similarities Imprecise data Nmap Frequent state changes Insignificant Low TTLs Not distinctive DNS Subset of RRs Not distinctive Robert Kulzer (TU M¨ unchen) Host profiling based on remote measurements 21

  22. Results from related work ASN Very little clusters of AS for malicious domains exist (Kalafut et al.) Majority of AS are each linked to less than one percent of the domains DNS Passive DNS analysis reveals low TTL values for malicious domains (Bilge et al.) Other characteristics are consistent with this work Robert Kulzer (TU M¨ unchen) Host profiling based on remote measurements 22

  23. Conclusion Results ASN alterations Domain registration time DNS record configuration Summary Good indicators are few No single characteristic is sufficient Future work Evaluation over a longer period of time Correlate the characteristics Robert Kulzer (TU M¨ unchen) Host profiling based on remote measurements 23

  24. Thank you for your attention. Are there any questions? Robert Kulzer (TU M¨ unchen) Host profiling based on remote measurements 24

Recommend

Hybrid Polynomial Prediction Hybrid Polynomial Prediction The remote host can dynamically

Hybrid Polynomial Prediction Hybrid Polynomial Prediction The remote host can dynamically

Special Course on Networked Virtual February 12, 2004 Environments Hybrid Polynomial Prediction Hybrid Polynomial Prediction The remote host can dynamically choose the order of The remote host can dynamically choose the order of

111 views • 9 slides
Network Host Classification Using Statistical Analysis of Flow Data Alex Kent, Mike Fisk, Eugene

Network Host Classification Using Statistical Analysis of Flow Data Alex Kent, Mike Fisk, Eugene

Network Host Classification Using Statistical Analysis of Flow Data Alex Kent, Mike Fisk, Eugene Gavrilov Los Alamos National Laboratory Overview and Objectives Host/IP address profiling based on flow data over some time interval 10

460 views • 18 slides
Measurements of BB Angular Correlations Measurements of BB Angular Correlations Measurements of

Measurements of BB Angular Correlations Measurements of BB Angular Correlations Measurements of

XIV International Conference on Hadron Spectroscopy Measurements of BB Angular Correlations Measurements of BB Angular Correlations Measurements of BB Angular Correlations based on based on based on Secondary Vertex Reconstruction Secondary

521 views • 23 slides
Expectations on Remote Data Supporting the Prometheus Remote Storage API Alfred Landrum Engineer

Expectations on Remote Data Supporting the Prometheus Remote Storage API Alfred Landrum Engineer

Expectations on Remote Data Supporting the Prometheus Remote Storage API Alfred Landrum Engineer @ Sysdig Twitter: @alfred-landrum Github: alfred-landrum Sysdig Backend Sysdig Dashboards/Alerts/Topology Host/Node based Agents Sysdig Data

544 views • 51 slides
SATELLITE REMOTE SENSING APPROACHES AND FIELD MEASUREMENTS TO TRACKING COASTLINE CHANGES OF THE

SATELLITE REMOTE SENSING APPROACHES AND FIELD MEASUREMENTS TO TRACKING COASTLINE CHANGES OF THE

RESEARCH INSTITUTE OF APPLIED INFORMATICS AND MATHEMATICAL GEOPHYSICS OF IMMANUEL KANT BALTIC FEDERAL UNIVERSITY SATELLITE REMOTE SENSING APPROACHES AND FIELD MEASUREMENTS TO TRACKING COASTLINE CHANGES OF THE SAMBIAN PENINSULA AT THE BALTIC SEA

213 views • 9 slides
Applications: Telnet, rlogin, ftp, Sun RPC, nfs, finger, whois, X & % telnet1.tex

Applications: Telnet, rlogin, ftp, Sun RPC, nfs, finger, whois, X & % telnet1.tex

' $ AIS 1 Applications: Telnet, rlogin, ftp, Sun RPC, nfs, finger, whois, X & % telnet1.tex February 3, 1998 ' $ AIS 2 Remote login remote login to host from host to host telnet, rlogin rlogin: mostly Unix systems

769 views • 30 slides
HostView: Annotating end-host performance measurements with user feedback Diana Joumblatt, Oana

HostView: Annotating end-host performance measurements with user feedback Diana Joumblatt, Oana

HostView: Annotating end-host performance measurements with user feedback Diana Joumblatt, Oana Goga, Renata Teixeira Laboratoire LIP6 -- CNRS and UPMC Sorbonne Universits Jaideep Chandrashekar, Nina Taft Intel Labs, Berkeley Why did we

343 views • 12 slides
Remote Measurements of Greenhouse Gases Under Cloud With The AERI FTS Instrument W.F.J. Evans ,

Remote Measurements of Greenhouse Gases Under Cloud With The AERI FTS Instrument W.F.J. Evans ,

Remote Measurements of Greenhouse Gases Under Cloud With The AERI FTS Instrument W.F.J. Evans , NorthWest Research Associates, Redmond, Henry L. Buijs and Claude B. Roy ABB Bomem, Quebec City The Measurement Concept . gases The new AERI

329 views • 20 slides
The Carbon Cycle: Budgets, Trends, and Lessons from Southern Hemisphere Measurements A. Modelling

The Carbon Cycle: Budgets, Trends, and Lessons from Southern Hemisphere Measurements A. Modelling

The Carbon Cycle: Budgets, Trends, and Lessons from Southern Hemisphere Measurements A. Modelling and Interpretation B. Baring Head surface CO 2 data C. Lauder ground based remote sensing CO 2 measurements D. Lauder surface CO 2 data E. Rainbow

334 views • 30 slides
HOST PUF-Based Authentication ECE 525 PUF-Based Authentication PUF-based protocols have been

HOST PUF-Based Authentication ECE 525 PUF-Based Authentication PUF-based protocols have been

HOST PUF-Based Authentication ECE 525 PUF-Based Authentication PUF-based protocols have been proposed for applications including: Encryption and authentication For detecting malicious alterations of design components For

645 views • 15 slides
Remote Attestation of IoT Devices via SMARM: Shuffled Measurements Against Roving Malware Xavier

Remote Attestation of IoT Devices via SMARM: Shuffled Measurements Against Roving Malware Xavier

Remote Attestation of IoT Devices via SMARM: Shuffled Measurements Against Roving Malware Xavier Carpent, Norrathep (Oak) Rattanavipanon , Gene Tsudik nrattana@uci.edu SPROUT Lab: sprout.ics.uci.edu University of California, Irvine 1

644 views • 42 slides
Leaving no one behind The role of evidence-building and profiling to include displacement in

Leaving no one behind The role of evidence-building and profiling to include displacement in

Leaving no one behind The role of evidence-building and profiling to include displacement in recovering and development processes Natalia Krynsky Baal , Coordinator, Joint IDP Profiling Service WHAT IS PROFILING? Defining profiling A

439 views • 12 slides
user profiling in text-based recommender systems based on distributed word representations .

user profiling in text-based recommender systems based on distributed word representations .

user profiling in text-based recommender systems based on distributed word representations . Steklov Institute of Mathematics at St. Petersburg National Research University Higher School of Economics, St. Petersburg Kazan (Volga

429 views • 17 slides
Remote Citrus QC Measurements. Tools for Teaching and Training Jos I. Reyes De Corcuera Tracy

Remote Citrus QC Measurements. Tools for Teaching and Training Jos I. Reyes De Corcuera Tracy

Remote Citrus QC Measurements. Tools for Teaching and Training Jos I. Reyes De Corcuera Tracy Irani Art Teixeira September 16, 2010 Background 30% Teaching UF Gainesville UF Gainesville FOS 5561 CREC Lake Alfred Citrus

514 views • 32 slides
A FRAMEWORK FOR REDUCING THE COST OF INSTRUMENTED CODE Known from Continuous Path and

A FRAMEWORK FOR REDUCING THE COST OF INSTRUMENTED CODE Known from Continuous Path and

A FRAMEWORK FOR REDUCING THE COST OF INSTRUMENTED CODE Known from Continuous Path and Edge Profiling Bug Isolation via Remote Program Sampling Low-overhead Memory Leak Detection using Adaptive Statistical Profiling (SWAT)

178 views • 16 slides
Profiling of Algorithms Profiling refers to the experimental measurement of the performance of

Profiling of Algorithms Profiling refers to the experimental measurement of the performance of

Profiling of Algorithms Profiling refers to the experimental measurement of the performance of algorithms. Profiling techniques fall into two main categories: Instruction counting the number of times which particular instruction(s)

672 views • 19 slides
COZ : Finding Code that Counts with Causal Profiling Anuja Golechha Agenda Profiling

COZ : Finding Code that Counts with Causal Profiling Anuja Golechha Agenda Profiling

COZ : Finding Code that Counts with Causal Profiling Anuja Golechha Agenda Profiling Issues with current profilers Causal profiling COZ Overview and Implementation COZ Evaluation Comparison with Pivot Tracing

660 views • 23 slides
Implementation of Host-based Overlay Multicast in Support of Web Based Services for RT-DVS

Implementation of Host-based Overlay Multicast in Support of Web Based Services for RT-DVS

Implementation of Host-based Overlay Multicast in Support of Web Based Services for RT-DVS Dennis Moen, Mark Pullen & Fei Zhao George Mason University {dmoen,mpullen,fzhao}@gmu.edu Network Service Requirements for Real Time Distributed

473 views • 15 slides
Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots

Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots

ITS335 Intrusion Detection Intruders Intrusion Detection Host-Based Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots Summary Sirindhorn International Institute of Technology Thammasat University

585 views • 30 slides
An introduction to Profiling Physics Coding Club: 09/06/2017 D. Dickinson

An introduction to Profiling Physics Coding Club: 09/06/2017 D. Dickinson

An introduction to Profiling Physics Coding Club: 09/06/2017 D. Dickinson (d.dickinson@york.ac.uk) Overview What is meant by profiling? Why do we care about profiling? How do we do profiling? Specific example using Scalasca

912 views • 22 slides
Simulation-Based Tracing and Profiling for System Software Development Anselm Busse , Reinhardt

Simulation-Based Tracing and Profiling for System Software Development Anselm Busse , Reinhardt

Simulation-Based Tracing and Profiling for System Software Development Anselm Busse , Reinhardt Karnapke, and Helge Parzyjegla | SYSTOR 2017 | Haifa 2017-05-22 Motivation Tracing and profiling is crucial to system software development State

683 views • 8 slides
Discussion on Host-based IPv6 Translation denghui@chinamobile.com Outline Conventional IPv4

Discussion on Host-based IPv6 Translation denghui@chinamobile.com Outline Conventional IPv4

Discussion on Host-based IPv6 Translation denghui@chinamobile.com Outline Conventional IPv4 application support Network scenarios Why we need host based translation Vs DS Lite, NAT64, Double NAT Signaling procedure of

310 views • 20 slides
Mimicry Attacks on Host- Based Intrusion Detection David Wagner Paolo Soto University of

Mimicry Attacks on Host- Based Intrusion Detection David Wagner Paolo Soto University of

Mimicry Attacks on Host- Based Intrusion Detection David Wagner Paolo Soto University of California at Berkeley Preview The topic of this talk: How do we evaluate the security of a host-based IDS against sophisticated attempts to

308 views • 14 slides
HOST PUF-Based Authentication Protocols ECE 525 PUF-Based Authentication Protocols The simplest

HOST PUF-Based Authentication Protocols ECE 525 PUF-Based Authentication Protocols The simplest

HOST PUF-Based Authentication Protocols ECE 525 PUF-Based Authentication Protocols The simplest mechanisms called challenge-response entity authentication exchange cleartext bitstrings directly, i.e., no cryptographic primitives are used A PUF

1.08k views • 38 slides

More recommend