Detecting Algorithmically Generated Malicious Domain Names


Sandeep Yadav, Texas A&M University
IT Security for the Next Generation, American Cup, New York, 9-11 November 2011

PAGE 2: Introduction
Botnets: networks of bots (compromised hosts) under a Command & Control server, responsible for:
- Spamming
- Phishing
- DDoS
Recent (in-)famous botnets:

PAGE 3: Modus Operandi
Bots (bot a, bot b, bot c) reach the C&C server at Locations #1, #2 and #3, each location behind a different generated domain name:
Location    Domain                    IP
#1          fakjdfhak.botnet.com      A1.B1.C1.D1
#2          xxcvsdf.botnet.com        A2.B2.C2.D2
#3          lkdsjlllh.botnet.com      A3.B3.C3.D3

PAGE 4: Objective
Example names: fakjdfhak.botnet.com, lkdsjlllh.botnet.com, xxcvsdf.botnet.com
Goal: detect domain-fluxing botnets by exploiting the randomness in their domain names.

PAGE 5: Groups for Analysis
- Per-domain: all names under one second-level domain, e.g. fakjdfhak.botnet.com, lkdsjlllh.botnet.com, xxcvsdf.botnet.com under botnet.com
- Per-IP: all names resolving to one address, e.g. kdjfhk.org, weiyrilskjd.com, hlkhdfds.info all mapping to IP 1.1.1.1
- Per-component: the whole connected component of domains and IPs (Domain1, Domain2, IP1, IP2, ...)

PAGE 6: Metrics for analysis
- Kullback-Leibler divergence
- Jaccard index
- Edit distance

PAGE 7: Metrics for analysis (Kullback-Leibler Divergence)
A measure of how much one probability distribution differs from another; here, the character distribution of a group of domain names is compared against a benign reference distribution.

PAGE 8: Metrics for analysis (Jaccard Index)
Evaluates similarity with a benign database of bigrams.
E.g. xjisov.botnet.com: break the label into bigrams xj, ji, is, so, ov, then compute the fraction of these bigrams that are present in the benign database.
Benign groups will have a higher value of this metric.

PAGE 9: Metrics for analysis (Edit Distance)
The number of character modifications (addition, deletion, or substitution) required to convert one string to another. E.g. when converting dog to cat, the edit distance is three.
Intuitively, the edit distance between two randomized (possibly malicious) domains is higher. For instance:
- ns1.google.com -> ns2.google.com (Benign) [low ED]
- sljslasdkja.com -> rjhbgjhr.org (Malicious) [high ED]
No reference database or distribution is required.
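The three metrics from the preceding slides, as an added example (not the talk's code): the K-L divergence of a group's character distribution from a benign reference, the bigram fraction the slides call the Jaccard index, and the Levenshtein edit distance, computed per group of domain labels. The benign corpus and the benign group are constructed; the random labels are the ones from the Modus Operandi slide.

```python
import math
from collections import Counter
from itertools import combinations

# Constructed benign corpus (stands in for the talk's DNS-PTR data set); it gives the benign unigram distribution and bigram database.
BENIGN_LABELS = ["google", "mail", "ns1", "www", "static", "cdn",
                 "images", "login", "update", "news", "shop", "support"]

def unigram_dist(labels):
    """Character frequency distribution over a list of domain labels."""
    counts = Counter(ch for label in labels for ch in label.lower())
    total = sum(counts.values()) or 1
    return {ch: n / total for ch, n in counts.items()}

def kl_divergence(p, q, eps=1e-6):
    """D_KL(p || q); eps smooths characters unseen in one distribution."""
    return sum(p.get(k, eps) * math.log(p.get(k, eps) / q.get(k, eps))
               for k in set(p) | set(q))

def bigrams(label):
    return {label[i:i + 2] for i in range(len(label) - 1)}

def jaccard_index(label, benign_bigrams):
    """Fraction of the label's bigrams found in the benign bigram database."""
    b = bigrams(label)
    return len(b & benign_bigrams) / len(b) if b else 0.0

def edit_distance(a, b):
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def group_features(labels, benign_dist, benign_bigrams):
    """Per-group metrics: K-L divergence of the group's unigram distribution
    from benign, mean Jaccard index, and mean pairwise edit distance."""
    pairs = list(combinations(labels, 2))
    return {"kl": kl_divergence(unigram_dist(labels), benign_dist),
            "jaccard": sum(jaccard_index(lab, benign_bigrams) for lab in labels) / len(labels),
            "edit": sum(edit_distance(a, b) for a, b in pairs) / len(pairs) if pairs else 0.0}

BENIGN_DIST = unigram_dist(BENIGN_LABELS)
BENIGN_BIGRAMS = set().union(*(bigrams(lab) for lab in BENIGN_LABELS))
# Constructed groups: hostnames under one benign zone vs the random labels shown on the slides.
BENIGN_GROUP = ["ns1", "ns2", "mail", "www"]
RANDOM_GROUP = ["fakjdfhak", "xxcvsdf", "lkdsjlllh"]
```

Calling group_features on each group gives a higher K-L divergence and edit distance and a lower Jaccard index for the random group, which is the separation the per-domain and per-IP analyses rely on.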

PAGE 10: Results (Evaluation data set)
- Tier-1 ISP data set containing a host of malicious domains (including Conficker).
- Benign data set: DNS-PTR data set containing PTR records for addresses in the IPv4 space.
- Malicious data set: domains for Storm, Kraken, Pushdo, etc., obtained from Botlab.

PAGE 11: Results (Per-domain analysis)
K-L divergence and Jaccard index: result plots.
Edit distance also performs reasonably well: with 500 test words, TPR 100% at 8% FPR.

PAGE 12: Results (Per-component analysis)
- Applied a supervised learning approach, using an L1-regularization algorithm for classification.
- Used three features: K-L divergence for unigrams, Jaccard index, and edit distance.
- Training based on one malicious (Conficker) component and the remaining benign components.

PAGE 13: Results (Per-component analysis)
Outcome:
- Detected Conficker.
- Discovered the presence of the Helldark botnet.
- Discovered a new botnet, which we call Mjuyh: a 57-character-long fourth-level domain composed of random characters, with one domain mapping to 10 IP addresses.

PAGE 14: Take Away
- Domain-fluxing botnets utilize high-entropy domain names.
- We deploy metrics such as Kullback-Leibler divergence, Jaccard index, and edit distance for detecting such botnets.
- In addition to detecting known botnets, we discover new botnets.

Thank You
Sandeep Yadav, Texas A&M University
IT Security for the Next Generation, American Cup, New York, 9-11 November 2011