name detection system
play

Name Detection System By Auke Zwaan DNS DNS DNS Give me google. - PowerPoint PPT Presentation

Oct 10, 2023 •5 likes •455 views

Malicious Domain Name Detection System By Auke Zwaan DNS DNS DNS Give me google. gle.nl nl DNS Give me google. gle.nl nl Okay. 64.233. 4.233.166.9 66.94 Research Question Is it possible to detect ma malic iciou ious do domain

  1. Malicious Domain Name Detection System By Auke Zwaan

  2. DNS

  3. DNS

  4. DNS Give me google. gle.nl nl

  5. DNS Give me google. gle.nl nl Okay. 64.233. 4.233.166.9 66.94

  7. Research Question Is it possible to detect ma malic iciou ious do domain ins by analyzing interrelations between DN DNS reso esolver ers and blackli acklist sted ed do doma main ins?

  8. One giant DNS dataset  All DNS requests done to ns1.dns.nl on January 6, 2016  170M+ DNS Queries (+-7GB)

  9. DNS Data

  10. DNS Data

  11. DNS Data

  12. DNS Data

  13. DNS Data

  14. DNS Data

  15. DNS Data

  16. DNS Data

  17. DNS Data

  18. Nice, but what is a ‘ ma malicious icious domain main name me ’?

  19. Initial blacklist  joewein.de LLC: 424 domains  SIDN Labs Sinkhole: 15 domains  Internet Storm Center (SANS): 14 domains  MalwareDomainList.com: 6 domains Total 459 domains

  20. Poten enti tial ally DNS da DN data ta Mal alici icious ous X Blac Bl ackli klist st = Do Domain ins

  21. Processing the data Sour urce ce Target rget Time mestam stamp 192.168.0.105 google.nl 1452091187 192.168.0.106 uva.nl 1452091187 192.168.0.232 nu.nl 1452091187 145.100.104.208 os3.nl 1452091187 192.168.0.108 bdcrqgonzmwuehky.nl 1452091187 145.100.104.208 hzmksreiuojy.nl 1452091187 145.100.104.208 xjpakmdcfuqe.nl 1452091187

  22. Processing the data Sou ource ce Target rget 192.168.0.105 google.nl 192.168.0.106 uva.nl 192.168.0.232 nu.nl 145.100.104.208 os3.nl 192.168.0.108 bdcrqgonzmwuehky.nl 145.100.104.208 hzmksreiuojy.nl 145.100.104.208 xjpakmdcfuqe.nl

  23. Processing the data Sou ource ce Target rget 192.168.0.105 google.nl 192.168.0.106 uva.nl 192.168.0.232 nu.nl 145.100.104.208 os3.nl 192.168.0.108 bdcrqgonzmwuehky.nl 145.100.104.208 hzmksreiuojy.nl 145.100.104.208 xjpakmdcfuqe.nl

  24. Grouping queries, suspicious resolvers only Sou ource ce Target rget 145.100.104.208 os3.nl hzmksreiuojy.nl xjpakmdcfuqe.nl aanrechtblad-kopen.nl 192.168.0.108 bdcrqgonzmwuehky.nl replicarolex.nl google.nl

  25. Flagging malicious domains Sou ource ce Target rget Ma Malicious licious 145.100.104.208 os3.nl Unknown hzmksreiuojy.nl Yes xjpakmdcfuqe.nl Yes aanrechtblad-kopen.nl Unknown 192.168.0.108 bdcrqgonzmwuehky.nl Yes replicarolex.nl Unknown google.nl Unknown

  26. Processing the data Sou ource ce Ma Malicious licious Un Unkno known wn 145.100.104.208 2 2 192.168.0.108 1 2 192.168.0.106 1 6 192.168.0.105 1 5

  27. Defining the mal alic iciousness iousness ra ratio io 𝑁𝑏𝑚𝑗𝑑𝑗𝑝𝑣𝑡𝑜𝑓𝑡𝑡 𝑆𝑏𝑢𝑗𝑝 = 𝑂𝑣𝑛𝑐𝑓𝑠 𝑝𝑔 𝑟𝑣𝑓𝑠𝑗𝑓𝑡 𝑢𝑝 𝒏𝒃𝒎𝒋𝒅𝒋𝒑𝒗𝒕 𝒆𝒑𝒏𝒃𝒋𝒐𝒕 𝑂𝑣𝑛𝑐𝑓𝑠 𝑝𝑔 𝑟𝑣𝑓𝑠𝑗𝑓𝑡 𝑢𝑝 𝒗𝒐𝒍𝒐𝒑𝒙𝒐 𝒆𝒑𝒏𝒃𝒋𝒐𝒕

  28. Processing the data Sou ource ce Ma Malicious licious Un Unkno known wn Ratio tio 145.100.104.208 2 2 1.0 1.0 192.168.0.108 1 2 0.5 192.168.0.106 1 6 0.167 67 192.168.0.105 1 4 0.25 25 192.168.0.232 4 300 0.013

  29. Assumption 1 A ma malicious icious res esolv lver er is a resolver for which the maliciousness ratio ≥ 0.25

  30. Processing the data Sou ource ce Ma Malicious licious Un Unkno known wn Ratio tio 145.100.104.208 2 2 1.0 1.0 192.168.0.108 1 2 0.5 192.168.0.106 1 6 0.167 67 192.168.0.105 1 4 0.25 25 192.168.0.232 4 300 0.013

  31. Finding malicious domains  Get all the domains requested by malic icious ious res esolv lver ers  Filter out the domains from the initial blacklist

  32. Assumption 2 The 100 most popular .nl domain names are not ma malicious icious

  33. Results  40,469 469 queries to malicious domains  8,132 suspicious resolvers, doing 85M+ M+ queries  673 673 malicious resolvers (maliciousness ratio ≥ 0.25)  413 potentially malicious domains  392 392 potentially malicious domains (minus top 100)

  34. Assumption 3 If a website has at t lea east st one hit in VirusTotal in the past, it is considered malicious

  35. Example www.ikhouvanirakezen.nl Detected by VirusTotal thus tr true positiv itive

  36. Example 2 No hits on VirusTotal  Manual Google Search:  Hits: Classification “Yes”  No hits: Classification “No”  Hosting provider: Classification “ Possibly ”  Search not feasible: Classifcation “ Unknown ”

  37. Ma Mali liciou cious Numb mber er of doma mains ins Yes 125 No 153 Possibly 111 Unknown 3 Total tal 392 92

  38. Evaluation: 32 test rounds Poten enti tial ally DN DNS da data ta Mal alici icious ous X Blac Bl ackli klist st = Do Domain ins

  39. Trying to find domains from a test set Training ining DN DNS da data ta X set t (9 (90% 0%) Blacklist acklist Poten enti tial ally Tes est t set t Mal alici icious ous (1 (10% 0%) Do Doma main ins

  40. Trying to find domains from a test set Training ining DN DNS da data ta X set t (9 (90% 0%) Blacklist acklist Poten enti tial ally Tes est t set t Mal alici icious ous (1 (10% 0%) Do Doma main ins

  41. Evaluation: 32 test rounds Min Max Mean Std # # Pot otent ntia ially maliciou cious domai ains ns 114 400 400 349.875 75 68.295 # # From test t set et found und 0 5 2.594 94 1. 1.316

  42. Conclusion  It is possible to find malicious domains by looking at spatial co-occurrence of DNS queries  31.8% true positives, so not suitable for blacklisting  Instead, use as factor for further analysis

  43. Future work  Add a content analysis for each potentially malicious domain (i.e. crawling), and apply NLP  Compare lists between different dates (datasets) and analyze commonly found domains  Look at whois info for potentially malicious domains and use it for finding malicious registrars

  44. Future work  Extend blacklists (or run the algorithm recursively)  Use the maliciousness ratio to identify most ‘ dangerous ’ resolvers  111x ‘ Possibly ’: strip out hosting providers?

  45. Thanks for your attention! Qu Questions estions?

Recommend

Fever Detection System Ver 1.3 1. Necessities of Fever detection system for COVID-19 Reduce

Fever Detection System Ver 1.3 1. Necessities of Fever detection system for COVID-19 Reduce

Optimal fever detection system to to prevent the spread of of viruses(COVID-19, MERS, SARS etc.) FDS-100 Fever Detection System Ver 1.3 1. Necessities of Fever detection system for COVID-19 Reduce measurement time Efficiency Reduce

464 views • 11 slides
plagiarism detection system Andrzej Sobecki, Marcin Kpa IKC 2017 Plagiarism detection problem

plagiarism detection system Andrzej Sobecki, Marcin Kpa IKC 2017 Plagiarism detection problem

Improving performance of a plagiarism detection system Andrzej Sobecki, Marcin Kpa IKC 2017 Plagiarism detection problem Text documents unstructured form Finding a potential source documents based on the suspected document

531 views • 13 slides
Basics of Intrusion Detection Watch whats going on in the system Try to detect behavior

Basics of Intrusion Detection Watch whats going on in the system Try to detect behavior

Basics of Intrusion Detection Watch whats going on in the system Try to detect behavior that characterizes intruders While avoiding improper detection of legitimate access At a reasonable cost Lecture 11 Page 1 CS 236 Online

426 views • 13 slides
Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion

Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion

Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion Detection Systems Tripwire Snort 2 IDS (Definition) Intrusion Detection is the process of monitoring the events occurring in a computer

571 views • 30 slides
MODES_SNM Modular Detection System for Special Nuclear Material 284842 FP7-SEC-2011-1 G.

MODES_SNM Modular Detection System for Special Nuclear Material 284842 FP7-SEC-2011-1 G.

MODES_SNM Modular Detection System for Special Nuclear Material 284842 FP7-SEC-2011-1 G. Viesti Dipartimento di Fisica ed Astronomia Universit di Padova 5th meeting of the C2013 Customs Detection Technology expert group Mestre/Venice

173 views • 16 slides
Conco System s The Practical Application of Tracer Gas Leak Detection for Air Cooled Condensers

Conco System s The Practical Application of Tracer Gas Leak Detection for Air Cooled Condensers

Conco System s The Practical Application of Tracer Gas Leak Detection for Air Cooled Condensers Andrew H. Leavitt Conco Systems, Inc. Tracer Gas Leak Detection Focusing On: Air inleakage Impact on system Limitations of air removal

691 views • 31 slides
Fraud Detection & Prevention System For Participant Integrity (FDPS) FY2016 WIC Special

Fraud Detection & Prevention System For Participant Integrity (FDPS) FY2016 WIC Special

Fraud Detection & Prevention System For Participant Integrity (FDPS) FY2016 WIC Special Project Grant Presentation to: Nutrition Services Directors Meeting Presented by: Chavis Paulk, MPA Date: December 13, 2016 Fraud Detection and

1.27k views • 23 slides
Quality assessment in DevOps: Automated Analysis of a Tax Fraud Detection System Diego

Quality assessment in DevOps: Automated Analysis of a Tax Fraud Detection System Diego

Quality assessment in DevOps: Automated Analysis of a Tax Fraud Detection System Diego Perez-Palacin, Youssef Ridene, Jos Merseguer University of Zaragoza, Netfective Technology Diego Perez-Palacin Big Blu eGov Tax Fraud Detection System

907 views • 41 slides
Detection of neutral particles detection of neutrons detection of neutrinons detection of low

Detection of neutral particles detection of neutrons detection of neutrinons detection of low

Detection of neutral particles detection of neutrons detection of neutrinons detection of low energy photons (detection of high energy photons calorimeters) Peter Krizan, Neutron and neutrino detection Detection of neutral particles

1.21k views • 67 slides
SAQL : A Stream-based Query System for Real-Time SA Abnormal System Behavior Detection Peng Gao 1

SAQL : A Stream-based Query System for Real-Time SA Abnormal System Behavior Detection Peng Gao 1

SAQL : A Stream-based Query System for Real-Time SA Abnormal System Behavior Detection Peng Gao 1 , Xusheng Xiao 2 , Ding Li 3 , Zhichun Li 3 , Kangkook Jee 3 , Zhenyu Wu 3 , Chung Hwan Kim 3 , Sanjeev R. Kulkarni 1 , Prateek Mittal 1 1 Princeton

453 views • 24 slides
Pipeline leak detection eLearning Part 1 of 2 Please turn on your speakers Historical

Pipeline leak detection eLearning Part 1 of 2 Please turn on your speakers Historical

Pipeline leak detection eLearning Part 1 of 2 Please turn on your speakers Historical development Leak detection system requirements Causes of leaks Leak detection options Non-continuous leak detection Continuous external leak detection

806 views • 49 slides
FIBER-OPTIC SYSTEM FOR M ONITORING EXTENDED OBJ ECTS FOSM Applications: - Detection of

FIBER-OPTIC SYSTEM FOR M ONITORING EXTENDED OBJ ECTS FOSM Applications: - Detection of

FIBER-OPTIC SYSTEM FOR M ONITORING EXTENDED OBJ ECTS FOSM Applications: - Detection of vibrations caused by object condition and/or third party interference; - Detection of temperature anomaly and/or measurement of extended object

305 views • 26 slides
Expansion of the SURFnet Intrusion Detection System R. Buijs P. Siekerman System and Network

Expansion of the SURFnet Intrusion Detection System R. Buijs P. Siekerman System and Network

Expansion of the SURFnet Intrusion Detection System R. Buijs P. Siekerman System and Network Engineering 7-2-2007 R. Buijs P. Siekerman (SNE) Expansion of SURFnet IDS 7-2-2007 1 / 18 Contents Assignment 1 Intrusion Detection Systems 2

454 views • 18 slides
The Light Detection System of protoDune DP Thorsten Lux On behalf of CIEMAT and IFAE Outline

The Light Detection System of protoDune DP Thorsten Lux On behalf of CIEMAT and IFAE Outline

The Light Detection System of protoDune DP Thorsten Lux On behalf of CIEMAT and IFAE Outline Motivation Baseline design Components of the light readout system: PMTs Bases Support structure Wavelength shifter High

765 views • 37 slides
Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection solution is impossible Good behavior on one system is bad behavior on another Behaviors change and new vulnerabilities are discovered

700 views • 23 slides
SURFnet IDS / OS3 UvA Project Extension of the SURFnet Intrusion Detection System Sensors to

SURFnet IDS / OS3 UvA Project Extension of the SURFnet Intrusion Detection System Sensors to

SURFnet IDS / OS3 UvA Project Extension of the SURFnet Intrusion Detection System Sensors to Microsoft Windows XP Michael Rave Coen Steenbeek 7 February 2007 Extension of the SURFnet Intrusion Detection System Sensors to Microsoft Windows XP

203 views • 18 slides
PBE PAS Collision Avoidance/Proximity Detection System Adrian Barratt PBE European Headquarters

PBE PAS Collision Avoidance/Proximity Detection System Adrian Barratt PBE European Headquarters

PBE is the leading single source provider of safety and productivity solutions, technology and engineering expertise that gives your company the competitive edge. PBE PAS Collision Avoidance/Proximity Detection System Adrian Barratt PBE

415 views • 29 slides
application of f L8 and L9 Schauenburg Systems Proximity Detection System Mis ission & Vis

application of f L8 and L9 Schauenburg Systems Proximity Detection System Mis ission & Vis

In Introduction & Description fo for application of f L8 and L9 Schauenburg Systems Proximity Detection System Mis ission & Vis isio ion Mission Vision We are dedicated to profitable We enhance safety and productivity in mining

166 views • 13 slides
Recurrent Neural Network Attention Mechanisms for Interpretable System Log Anomaly Detection

Recurrent Neural Network Attention Mechanisms for Interpretable System Log Anomaly Detection

Recurrent Neural Network Attention Mechanisms for Interpretable System Log Anomaly Detection Presented By: Akash Kulkarni System Log Analysis is complicated 1. Log sources generate TBs of data per day 2. Lack of labelled data (scarce or

719 views • 15 slides
Mining Invariants from Logs for System Problem Detection Jian-Guang LOU, Qiang FU Software

Mining Invariants from Logs for System Problem Detection Jian-Guang LOU, Qiang FU Software

Mining Invariants from Logs for System Problem Detection Jian-Guang LOU, Qiang FU Software Analytics Microsoft Research Asia Background Many systems produce log messages for trouble-shooting. Logs usually record important system actions

706 views • 31 slides
Building a provenance-based intrusion detection system Thomas Pasquier, University of Bristol

Building a provenance-based intrusion detection system Thomas Pasquier, University of Bristol

Building a provenance-based intrusion detection system Thomas Pasquier, University of Bristol Toshiba, 26/11/2020 1 Talk loosely based on following publications Han et al. UNICORN: Revisiting Host-Based Intrusion Detection in the Age of

783 views • 55 slides
Anomaly Detection Jia-Bin Huang Virginia Tech Spring 2019 ECE-5424G / CS-5824 Administrative

Anomaly Detection Jia-Bin Huang Virginia Tech Spring 2019 ECE-5424G / CS-5824 Administrative

Anomaly Detection Jia-Bin Huang Virginia Tech Spring 2019 ECE-5424G / CS-5824 Administrative Anomaly Detection Motivation Developing an anomaly detection system Anomaly detection vs. supervised learning Choosing what features

514 views • 34 slides
Image Edge Detection Algorithm with a Single Grid System of Coupled FitzHugh-Nagumo Elements A.

Image Edge Detection Algorithm with a Single Grid System of Coupled FitzHugh-Nagumo Elements A.

Image Edge Detection Algorithm with a Single Grid System of Coupled FitzHugh-Nagumo Elements A. Nomura, M. Ichikawa, K. Okada, T. Sakurai & Y. Mizukami Yamaguchi Univ. & Chiba Univ. Japan Key words: image processing, edge detection

307 views • 16 slides
Intrusion Detection and Prevention System (IPS) Technology, Applications, and Trend Dr.

Intrusion Detection and Prevention System (IPS) Technology, Applications, and Trend Dr.

Intrusion Detection and Prevention System (IPS) Technology, Applications, and Trend Dr. Nen-Fu (Fred) Huang Professor, Department of Computer Science, National Tsing Hua University, Taiwan President, Broadweb Corp, Taiwan E-mail:

846 views • 41 slides

More recommend