
TIDE: Proactive threat detection (PowerPoint presentation)

2019-06-20, Olivier van der Toorn <o.i.vandertoorn@utwente.nl>, University of Twente, Design and Analysis of Communication Systems. Introduction: Ph.D. student from the University of Twente.


Slide 17: RBL comparison (2 month period)
[Chart: number of detected domains (log scale, 1 to 100000) against detection in advance (days, 0 to 80). Annotations revealed step by step: 30705 domains with Δt < 2 days; 1972 domains with Δt ≥ 2 days; further annotated counts 1154, 1105, 971 and 949.]

Slide 18: RBL comparison (9 month period)
[Chart: number of detected domains (log scale, 1 to 10000) against detection in advance (days, 0 to 180). Annotated counts: 57724, 6710, 1305 and 205; legend: Δt < 2 days, Δt ≥ 2 days.]

Slides 19-20: SURFnet evaluation
[Chart: observation dates (2017-05-24, 2017-06-23, 2017-07-23) for the domain names daadzgam.com, realdrippy.com, coachspoke.com, stillscratch.com, homerope.com and quittradition.com; legend: Detected, Blacklisted.]
Δt < 2 days:
• 45% of received emails fall in this category
• 18% of observed domains fall in this category
Δt ≥ 2 days:
• 17% of received emails fall in this category
• 26% of observed domains fall in this category
? (domain not on existing blacklist yet):
• 38% of received emails fall in this category
• 57% of observed domains fall in this category
• 59% of these emails have not been marked as spam
• 41% of emails were received in the purple areas

Use case: DDoS domains

Slide 21: DDoS domains
In DDoS attacks the amplification factor is important. Domains crafted for DDoS attacks typically have:
• Many records
• Long (TXT) records

Slide 22: Lifetime of a DDoS domain
Possible methodology could be:
1. Filter domains with more than average number of records, or longer than average TXT record
2. Gather the records for the past X days
3. Determine trend lines
4. Predict the size of the domain, say, ten days from now
5. Flag the domain if the predicted size is above a certain threshold
[Chart: estimated ANY response size (bytes, 0 to 4000) per record type (A, NS, SOA, TXT) from 2015-02 to 2015-09, with observed attacks marked.]
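The five-step methodology above carried through as an added example (not code from the TIDE project): constructed daily snapshots per domain, a least-squares trend over the past seven days, a ten-day extrapolation of the estimated ANY response size, and an assumed 3000-byte flagging threshold.

```python
# Added example (not from the TIDE slides): the five-step methodology above
# as runnable code, over constructed daily DNS snapshots.
from statistics import mean

# Constructed sample: per domain, one snapshot per day with the record
# count, the longest TXT record (bytes) and the estimated ANY response size.
SAMPLE = {
    "growing.example": [dict(records=10 + 5 * i, max_txt=200 + 100 * i,
                             any_size=500 + 300 * i) for i in range(7)],
    "steady.example": [dict(records=25, max_txt=255, any_size=1200)] * 7,
    "small.example": [dict(records=3, max_txt=40, any_size=300)] * 7,
}

def prefilter(snapshots):
    """Step 1: keep domains whose latest record count or longest TXT record
    exceeds the population average (cheap filter before any trend fitting)."""
    latest = {d: s[-1] for d, s in snapshots.items()}
    avg_records = mean(v["records"] for v in latest.values())
    avg_txt = mean(v["max_txt"] for v in latest.values())
    return {d for d, v in latest.items()
            if v["records"] > avg_records or v["max_txt"] > avg_txt}

def linear_trend(xs, ys):
    """Step 3: least-squares slope and intercept of ys against xs."""
    mx, my = mean(xs), mean(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    if sxx == 0:  # a single day of history: flat line at the observed value
        return 0.0, my
    slope = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sxx
    return slope, my - slope * mx

def predict_size(history, window_days=7, horizon_days=10):
    """Steps 2-4: take the last `window_days` snapshots, fit a trend line to
    the estimated ANY size and extrapolate `horizon_days` past the last day."""
    recent = history[-window_days:]
    xs = list(range(len(recent)))
    slope, intercept = linear_trend(xs, [h["any_size"] for h in recent])
    return intercept + slope * (len(recent) - 1 + horizon_days)

def flag_domains(snapshots, threshold=3000, **kw):
    """Step 5: flag prefiltered domains whose predicted ANY size (bytes)
    exceeds the threshold; 3000 is an assumed value, not one from TIDE."""
    return sorted(d for d in prefilter(snapshots)
                  if predict_size(snapshots[d], **kw) > threshold)

if __name__ == "__main__":
    for d in sorted(SAMPLE):
        print(f"{d}: predicted ANY size in 10 days = {predict_size(SAMPLE[d]):.0f} B")
    print("flagged:", flag_domains(SAMPLE))
```

The steady domain passes the record-count prefilter but its flat trend keeps it below the threshold, so only the growing domain is flagged.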

Use case: DNS TXT records

Slide 23: DNS TXT records
• Majority of TXT records are related to email (~70%)
• 1.2% falls in the ‘other’ category
[Chart: number of TXT records (20 M to 80 M) from 2015-07 to 2018-07 by category: Crypto Coins, Email, Encoded, Miscellaneous, Other, Patterns, Verification.]

Slide 24: DNS TXT records
One of the highlights of this ‘other’ category is single character records.
• More than 278K TXT records consisting of a single character
• Majority contains a ~
• Almost all of these domains are hosted in the same AS

Slide 25: DNS TXT records

Slide 26: DNS TXT records
Are these records useful for threat detection?
• Generally, no
• The ‘~’ case could be an identifier for domains from a specific AS

Use case: Combo-squat domains

Slide 27: Combo-squat: What is a combo-squat domain?
Many types of squatting domains:
Type                       Example (target: utwente.nl)
Typosquatting              utwent.nl
Combosquatting             utwente-login.nl
Bitsquatting               utwenpe.nl
Homograph-based squatting  utvvente.nl

Slide 28: Combo-squat: A general approach?
We started out by developing a general machine-learning based detection model. Feeding the detection model a list of trademarks worked a lot better!
Trademark   Number of domains
Apple       8751
Paypal      1241
Microsoft   711

Slide 29: Combo-squat: The problems with a generic approach
However, a larger problem is the lifetime of a combo-squat domain.

Slide 30: Use cases
Where it works:
• Snowshoe spam domains
Where it might work:
• DDoS domains
• Malicious TXT records
Where it doesn’t work:
• Combo-squat domains

Reflection

Slide 31: Reflection
What have we learned from these use cases?
• The data needs to contain hints
• This approach works for relatively long setup times (in our case >1d)

Slide 32: Improvement?
We realize that our solution is not perfect.
We think the “ultimate” solution is to combine passive and active measurements.
