semantic based dns forensics
play

Semantic based DNS Forensics Samuel Marchal, J er ome Fran cois, - PowerPoint PPT Presentation

Jan 13, 2023 •310 likes •509 views

samuel.marchal@uni.lu 3/12/12 Semantic based DNS Forensics Samuel Marchal, J er ome Fran cois, Radu State and Thomas Engel Motivations Semantic analysis Experiments and Results Conclusion Outline 1 Motivations 2 Semantic analysis 3

  1. samuel.marchal@uni.lu 3/12/12 Semantic based DNS Forensics Samuel Marchal, J´ erˆ ome Fran¸ cois, Radu State and Thomas Engel

  2. Motivations Semantic analysis Experiments and Results Conclusion Outline 1 Motivations 2 Semantic analysis 3 Experiments and Results 4 Conclusion 2 / 17

  3. Motivations Semantic analysis Experiments and Results Conclusion Outline 1 Motivations 2 Semantic analysis 3 Experiments and Results 4 Conclusion 3 / 17

  4. Motivations Semantic analysis Experiments and Results Conclusion DNS misuse DNS: Domain Name System is the support of many malicious activities · malware updates · botnet C&C · phishing DNS recursive server · backdoor communications · etc. DNS resolution DNS resolution DNS replies: Authoritative DNS server connection to 123.45.67.8 76.54.32.1 for malicious domains phishing website 56.7.89.10 DNS requests: malwareupdate.com commandandcontrol.net request for 123.45.67.8 malware update Requests forwarding phishing compromised web servers request to C&C host C&C server 56.7.89.10 malware update bots 4 / 17

  5. Motivations Semantic analysis Experiments and Results Conclusion DNS misuse DNS: Domain Name System is the support of many malicious activities DNS recursive server DNS resolution DNS resolution DNS replies: 76.54.32.1 Authoritative DNS server 56.7.89.10 76.54.32.1 for malicious domains DNS requests: malwareupdate.com commandandcontrol.net connection to phishing website request for malware update 123.45.67.8 Requests forwarding compromised phishing host request to C&C web server C&C server 56.7.89.10 malware update bots 4 / 17

  6. Motivations Semantic analysis Experiments and Results Conclusion DNS for forensic Why proceed DNS analysis for forensic purposes ? ◮ find proof of infection (malicious domains requests) ◮ reduced amount of data to analyse: DNS is a meager subset of network traffic ◮ DNS analysis keeps users’ anonymity = ⇒ useful as a first step before in-depth analysis 5 / 17

  7. Motivations Semantic analysis Experiments and Results Conclusion DNS for forensic Why proceed DNS analysis for forensic purposes ? ◮ find proof of infection (malicious domains requests) ◮ reduced amount of data to analyse: DNS is a meager subset of network traffic ◮ DNS analysis keeps users’ anonymity = ⇒ useful as a first step before in-depth analysis Issue: How do we know if a domain is malicious ? 5 / 17

  8. Motivations Semantic analysis Experiments and Results Conclusion State of the art Identification of malicious domains: ◮ User reports + manual checking ◮ DNS packet fields analysis + classification via machine learning algorithm: ◮ domain records removed: data is no longer available = ⇒ problematic for forensic analysis ◮ Domain name based analysis: ◮ number of domain levels ◮ relative position of labels ◮ domain length ◮ etc. 6 / 17

  9. Motivations Semantic analysis Experiments and Results Conclusion Outline 1 Motivations 2 Semantic analysis 3 Experiments and Results 4 Conclusion 7 / 17

  10. Motivations Semantic analysis Experiments and Results Conclusion Analyse domain semantic ◮ Domain names are meant to be meaningful ◮ Observations: malicious domains often use words from the same semantic fields: ◮ www.visa-sweden.mastercard.forever4c.com ◮ myvodafone.vodafone-security-update78.systemknight.com ◮ paypal.com-us.webscr.cmd-homeelocale.gumuspena.com ◮ Issue: single domains are not significant enough ◮ = ⇒ Group domains according to common features (IP address, etc.) ◮ Knowing group of malicious and legitimate domains = ⇒ deduce if an unknown group is malicious or not 8 / 17

  11. Motivations Semantic analysis Experiments and Results Conclusion Features extraction Splitting of domain name: myvodafone.vodafone-security-update78.systemknights.com myvodafone.vodafone-security-update78.systemknights.com ‘ . ’ splitting ‘ - ’ splitting vodafone-security-update78 number extraction update78 word myvodafone systemknights segmentation my vodafone vodafone security update 78 system knights ◮ distword = { ( my , 0 . 125) , ( vodafone , 0 . 25) , ( security , 0 . 125) , ... } 9 / 17

  12. Motivations Semantic analysis Experiments and Results Conclusion Semantic relatedness evaluation How to evaluate semantic similarity between two sets of domain names ? = ⇒ between two words: Wordnet, Disco: ◮ calculate a similarity score (semantic relatedness) between 2 words ◮ give the n most related words to w ◮ based on dictionary (Wikipedia, BNC, PubMed, etc.) � ( r , w ) ∈ T ( w 1) ∩ T ( w 2) I ( w 1 , r , w )+ I ( w 2 , r , w ) sim ( w 1 , w 2 ) = � ( r , w ) ∈ T ( w 1) I ( w 1 , r , w )+ � ( r , w ) ∈ T ( w 2) I ( w 2 , r , w ) = ⇒ use this metric in new ones 10 / 17

  13. Motivations Semantic analysis Experiments and Results Conclusion Semantic metrics 3 metrics defined to compare two sets of domains: Assuming two domain sets A and B and the associated extracted word sets W A and W B with the occurrence frequencies distword we have: Sim 1 ( A , B ) = � � w B ∈ W B sim ( w A , w B ) w A ∈ W A Sim 2 ( A , B ) = � � w B ∈ W B sim ( w A , w B ) × distword w A , W A × distword w B , W B w A ∈ W A Sim ′ 3 ( A , B ) = � � w ′ ∈ Disco ( w , n ) sim ( w , w ′ ) × distword w ′ , W B w ∈ W A = ⇒ Sim 3 ( A , B ) = Sim ′ 3 ( A , B ) + Sim ′ 3 ( B , A ) 11 / 17

  14. Motivations Semantic analysis Experiments and Results Conclusion Outline 1 Motivations 2 Semantic analysis 3 Experiments and Results 4 Conclusion 12 / 17

  15. Motivations Semantic analysis Experiments and Results Conclusion Similarity metrics efficiency Comparison pair-wise of domains sets (Sim 3 ( A , B ) ) ◮ 10 sets of around 13,000 domains each ◮ 5 legitimate (Alexa + passive DNS) ◮ 5 malicious (PhishTank, DNS-BH, MDL) leg-5 leg-4 leg-3 leg-2 leg-1 mal-5 mal-4 mal-3 mal-2 mal-1 0.776 0.795 0.793 0.789 0.785 0.955 0.962 0.965 0.975 mal-2 0.782 0.800 0.798 0.797 0.797 0.965 0.968 0.973 mal-3 0.772 0.796 0.793 0.788 0.784 0.951 0.962 mal-4 0.783 0.804 0.804 0.800 0.796 0.953 mal-5 0.769 0.785 0.784 0.782 0.772 leg-1 0.946 0.948 0.952 0.938 leg-2 0.915 0.924 0.922 leg-3 0.936 0.934 leg-4 0.935 0.7 0.76 0.82 0.88 0.94 1.00 13 / 17

  16. Motivations Semantic analysis Experiments and Results Conclusion Size of domains sets Similarity metrics able to distinguish legitimate from malicious sets of domains: ◮ for big set (13,000 domains): ok !! ◮ minimum number of domains in a set to evaluate it ? Value of Sim1 between datasets 0.7 leg 0.6 mal 0.5 0.4 3 0.3 m i S 0.2 0.1 0 0 50 100 150 200 # of domains in the dataset 14 / 17

  17. Motivations Semantic analysis Experiments and Results Conclusion Outline 1 Motivations 2 Semantic analysis 3 Experiments and Results 4 Conclusion 15 / 17

  18. Motivations Semantic analysis Experiments and Results Conclusion Conclusion Technique for domains sets comparison: ◮ semantic similarity scoring ◮ apply to identification of malicious domain set ◮ useful for first step of forensic analysis Results: ◮ able to distinguish malicious from legitimate domains... ◮ ... for sets of at least 10 domains Future works: ◮ improve similarity metrics ◮ correlate with IP Flow records 16 / 17

  19. samuel.marchal@uni.lu 3/12/12 Semantic based DNS Forensics Samuel Marchal, J´ erˆ ome Fran¸ cois, Radu State and Thomas Engel

Recommend

About this presentation : Learning : What is Digital Forensics ? Political : Digital

About this presentation : Learning : What is Digital Forensics ? Political : Digital

An introduction to digital forensics About this presentation : Learning : What is Digital Forensics ? Political : Digital Forensics and Open Sources licensing Tool time : Digital Forensics Framework Presented by Solal Jacob core dev.

444 views • 30 slides
CSN08101 Digital Forensics Lecture 1A: Introduction to Forensics Lecture 1A: Introduction to

CSN08101 Digital Forensics Lecture 1A: Introduction to Forensics Lecture 1A: Introduction to

CSN08101 Digital Forensics Lecture 1A: Introduction to Forensics Lecture 1A: Introduction to Forensics Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak Digital Forensics You will learn in this module: The principals of

1.09k views • 34 slides
CSE 469: Computer and Network Forensics Topic 5: Image Forensics Dr. Mike Mabey | Spring 2019

CSE 469: Computer and Network Forensics Topic 5: Image Forensics Dr. Mike Mabey | Spring 2019

CSE 469: Computer and Network Forensics Topic 5: Image Forensics Dr. Mike Mabey | Spring 2019 CSE 469: Computer and Network Forensics Forensics for Graphics Files Types of graphics file formats Type of data compression How to locate

362 views • 25 slides
2015-2017 (c) P.Pale: Computer Forensics 2015-10-17 File System Forensics A New York

2015-2017 (c) P.Pale: Computer Forensics 2015-10-17 File System Forensics A New York

2015-2017 (c) P.Pale: Computer Forensics 2015-10-17 File System Forensics A New York computer forensics firm found that 40% of the hard disk drives it recently purchased in bulk orders on eBay contained personal, private and sensitive

884 views • 70 slides
Digital forensics and malware Digital forensics According to Wikipedia, you could be looking

Digital forensics and malware Digital forensics According to Wikipedia, you could be looking

Digital forensics and malware Digital forensics According to Wikipedia, you could be looking for: attribution, alibis and statements, intent, evaluation of source, document authentication File carving ( e.g. , bifragment gap carving)

630 views • 13 slides
CSE 469: Computer and Network Forensics Topic 7: Mobile Forensics Dr. Mike Mabey | Spring 2019

CSE 469: Computer and Network Forensics Topic 7: Mobile Forensics Dr. Mike Mabey | Spring 2019

CSE 469: Computer and Network Forensics Topic 7: Mobile Forensics Dr. Mike Mabey | Spring 2019 CSE 469: Computer and Network Forensics Overview of Mobile Forensics Originated in Europe and focused on the GSM SIM card. Roaming of Devices

694 views • 17 slides
Example: Simple Forensics >>> Pretty sure based on the same domain lookups and http

Example: Simple Forensics >>> Pretty sure based on the same domain lookups and http

Example: Simple Forensics >>> Pretty sure based on the same domain lookups and http logs. >>> Jul 9 23:04:31 131.243.X.Y A.B.C.D 80 GET elided .ru / curl/7.32.0 200 OK (empty) text/plain >> I am looking for the comptuer

700 views • 49 slides
Example: Simple Forensics >>> Pretty sure based on the same domain lookups and http

Example: Simple Forensics >>> Pretty sure based on the same domain lookups and http

Example: Simple Forensics >>> Pretty sure based on the same domain lookups and http logs. >>> Jul 9 23:04:31 131.243.X.Y A.B.C.D 80 GET elided .ru / curl/7.32.0 200 OK (empty) text/plain >> I am looking for the comptuer

921 views • 50 slides
Semantic Parsing via Paraphrasing Mateusz Malinowski Based on: J. Berant and P. Liang

Semantic Parsing via Paraphrasing Mateusz Malinowski Based on: J. Berant and P. Liang

Semantic Parsing via Paraphrasing Mateusz Malinowski Based on: J. Berant and P. Liang Semantic Parsing via Paraphrasing ACL 2014 Outline Abstract view on the semantic parser ! What party did Clay establish? paraphrase model What

200 views • 17 slides
Image Forensics of High Dynamic Range Imaging 10th International Workshop on Digital-Forensics

Image Forensics of High Dynamic Range Imaging 10th International Workshop on Digital-Forensics

Image Forensics of High Dynamic Range Imaging 10th International Workshop on Digital-Forensics & Watermarking P. J. Bateman, A. T. S. Ho, and J. A. Briffa This research is sponsored by an EPSRC/Charteris CASE Award Image Forensics

703 views • 38 slides
Teaching digital forensics in a large class Teaching forensics at of students UL FRI

Teaching digital forensics in a large class Teaching forensics at of students UL FRI

Teaching digital forensics in a large class of students Teaching digital forensics in a large class Teaching forensics at of students UL FRI Generating customized disk images Gaper Fele-or University of Ljubljana, Faculty of

446 views • 23 slides
Semantic Web 2008 Se a t c eb 008 Semantic Web ca. 2008 S ti W b 2008 Semantic Web

Semantic Web 2008 Se a t c eb 008 Semantic Web ca. 2008 S ti W b 2008 Semantic Web

Semantic Web 2008 Se a t c eb 008 Semantic Web ca. 2008 S ti W b 2008 Semantic Web companies starting & growing Siderean, SandPiper, SiberLogic, Ontology Works, Intellidimension, Intellisophic, TopQuadrant, Data Grid, Mondeca,

481 views • 23 slides
Android: forensics and reverse engineering Raphal Rigo - ANSSI 26/11/2010 Agence nationale de

Android: forensics and reverse engineering Raphal Rigo - ANSSI 26/11/2010 Agence nationale de

Android: forensics and reverse engineering Raphal Rigo - ANSSI 26/11/2010 Agence nationale de la A N S S I scurit des systmes dinformation Introduction Forensics: context Forensics: memory Forensics: filesystem Reverse

545 views • 36 slides
Digital Forensics for SSC Solvers Daniel Kouril EGI CSIRT Digital Forensics Methods to

Digital Forensics for SSC Solvers Daniel Kouril EGI CSIRT Digital Forensics Methods to

Digital Forensics for SSC Solvers Daniel Kouril EGI CSIRT Digital Forensics Methods to collect and analyze (digital) evidence Three basic phases Data collection, Analysis, Reporting Triage Various sources of information

307 views • 20 slides
1 Logic-based Markup and Logic-based Markup and Query Language Query Language Eight

1 Logic-based Markup and Logic-based Markup and Query Language Query Language Eight

Overview Semantic Streams: a Framework for Composable Motivation Semantic Interpretation of Sensor What are Semantic Streams? Data Logic-based Markup and Query Language Kamin Whitehouse, Feng Zhao, and Jie Liu Query Processing

444 views • 5 slides
CSE 469: Computer and Network Forensics Topic 6: Email Forensics Dr. Mike Mabey | Spring 2019

CSE 469: Computer and Network Forensics Topic 6: Email Forensics Dr. Mike Mabey | Spring 2019

CSE 469: Computer and Network Forensics Topic 6: Email Forensics Dr. Mike Mabey | Spring 2019 CSE 469: Computer and Network Forensics Email System Components User agents / Webmail: Composing, editing, and reading mail messages. Mail

687 views • 49 slides
Preventive Digital Forensics: Creating Preventive Digital Forensics Systems to Proactively

Preventive Digital Forensics: Creating Preventive Digital Forensics Systems to Proactively

FloCon 2015 Conference January 15, 2015 Portland, Oregon Preventive Digital Forensics: Creating Preventive Digital Forensics Systems to Proactively Resolve Computer Security Incidents in Organizations JESUS RAMIREZ PICHARDO (PMP, GCFA,

333 views • 30 slides
Wiki meets Semantic Web @WikiSym2006 WibKE: Odense Wiki-based Knowledge Engineering Second I

Wiki meets Semantic Web @WikiSym2006 WibKE: Odense Wiki-based Knowledge Engineering Second I

Max Vlkel, Elena Simperl WibKE 2006 Wiki meets Semantic Web @WikiSym2006 WibKE: Odense Wiki-based Knowledge Engineering Second I nternational Workshop on Semantic Wikis Our Goals: Why are we doing this? What is the semantic web?

608 views • 32 slides
CSE 469: Computer and Network Forensics Topic 8: Cloud and Web Forensics Dr. Mike Mabey | Spring

CSE 469: Computer and Network Forensics Topic 8: Cloud and Web Forensics Dr. Mike Mabey | Spring

CSE 469: Computer and Network Forensics Topic 8: Cloud and Web Forensics Dr. Mike Mabey | Spring 2019 CSE 469: Computer and Network Forensics What is The Cloud? A computing storage system that provides on-demand network access for

613 views • 25 slides
DigForASP: A European Cooperation Network for Logic-based AI in Digital Forensics Stefania

DigForASP: A European Cooperation Network for Logic-based AI in Digital Forensics Stefania

DigForASP: A European Cooperation Network for Logic-based AI in Digital Forensics Stefania Costantini (UnivAQ) Francesca Lisi (UniBA) Raffaele Olivieri (RaCIS) The Action Web Site: digforasp.uca.es COST: European Cooperation in Science

613 views • 27 slides
SQL SERVER Anti-Forensics Cesar Cerrudo Introduction Sophisticated attacks requires leaving

SQL SERVER Anti-Forensics Cesar Cerrudo Introduction Sophisticated attacks requires leaving

SQL SERVER Anti-Forensics Cesar Cerrudo Introduction Sophisticated attacks requires leaving as few evidence as possible Anti-Forensics techniques help to make forensics investigations difficult Anti-Forensics can be a never

657 views • 38 slides
Linked Data Mapper Mapper Linked Data A Browser rowser- -based Semantic Mapping

Linked Data Mapper Mapper Linked Data A Browser rowser- -based Semantic Mapping

DartGrid Linked Data Mapper Mapper Linked Data A Browser rowser- -based Semantic Mapping based Semantic Mapping Tool for Linked Data in Semantic Web Tool for Linked Data in Semantic Web Chunying Zhou Chengli Xu, Huajun Chen,

244 views • 10 slides
What the #%*&! is the Semantic Web? The Semantic Web is a collaborative movement led by

What the #%*&! is the Semantic Web? The Semantic Web is a collaborative movement led by

What the #%*&! is the Semantic Web? The Semantic Web is a collaborative movement led by international standards body the World Wide Web Consortium (W3C).[1] ... By encouraging the inclusion of semantic content in web pages, the

578 views • 44 slides
Small-block Disk Forensics and Triage Outline Disk Structure. Triage. File Signatures.

Small-block Disk Forensics and Triage Outline Disk Structure. Triage. File Signatures.

Small-block Disk Forensics and Triage Outline Disk Structure. Triage. File Signatures. Discriminators. Contraband Identification. Sector-based Hashing. Conclusions. Author: Prof Bill Buchanan Small Block Disk Forensics and

768 views • 45 slides

More recommend