• Aucun résultat trouvé

DNSSM: A Large Scale Passive DNS Security Monitoring Framework

N/A
N/A
Info
Télécharger
Protected

Academic year: 2021

Partager "DNSSM: A Large Scale Passive DNS Security Monitoring Framework"

Copied!
18
0
0

Chargement.... (Voir le texte intégral maintenant)

Texte intégral

(1)

DNSSM: A Large Scale Passive

DNS Security Monitoring

Framework

Samuel Marchal, J´

erˆ

ome Fran¸cois, Cynthia Wagner,

Radu State, Alexandre Dulaunoy, Thomas Engel,

(2)

Outline

1

Motivation

2

Solution

(3)

Outline

1

Motivation

2

Solution

3

Experiments and Results

(4)

Overview of DNS

I

DNS (Domain Name System) is the service that maps

a domain name to its associated IP addresses

www.example.com =⇒ 123.45.6.78

I

DNS is the service that allows to find information

about a domain :

I A : IPv4 address I AAAA : IPv6 address I MX : Mail server

(5)

Why DNS monitoring ?

I

DNS:

I critical Internet service

I threats: cache poisoning, typosquatting, DNS tunnelling, fast/double-flux

⇒ enhance: phishing, botnet C&C communications, covered channel communications etc.

⇒ Patterns in DNS packet fields and DNS querying

behavior

I

Passive DNS monitoring to detect:

I worminfected hosts

I malicious backdoor communication I botnet participating hosts

(6)

Existing solutions

I

Mainly use supervised classification techniques

I SVM, tree, rules, etc.

I require malicious data for training

I

Targeted identification of malicious domains

I C&C communication involved domains I Phishing domains

(7)

Outline

1

Motivation

2

Solution

3

Experiments and Results

(8)

Clustering

Automated clustering technique for online analysis

I

No previous knowledge

I

Group domains regarding their activity

I

DNS information ⇒ Domain activity

I

Disclose the raise of new threats

I

K-means clustering

(9)

Features

For each domain observed:

I

Number of IP addresses

I

IP scattering : entropy based and position weighted

I

mean TTL

I

Requests count

(10)

User interface

DNSSM is an approach for automated analysis of DNS

(passive traffic)

I

Manual assistance in tracking anomalies:

I Feed with cap file

I All DNS packet fields extracted I MySQL database storage model I Web interface

I Fast and efficient mining functions

I Integrates with existing blacklist tools to assist in tagging data

I Detection of fast/double flux domains, DNS tunnelling, etc. I Freely downloadable at:

(11)
(12)

Outline

1

Motivation

2

Solution

3

Experiments and Results

(13)

Experiments

I 2 datasets (6= location, 6= type of network, 6= users, 6= quantity) I Automatic results from k-means: 8 clusters exhibiting different

properties

I Cluster 5: apple.com, amazon.fr, adobe.com(highly popular

(14)

Results

I Cluster 6: google.com. skype.com, facebook.com (higly popular web sites)

(15)

Results

(16)

Outline

1

Motivation

2

Solution

3

Experiments and Results

(17)

Conclusion

I

Passive DNS monitoring solution

I Analysis of domain names activity

I Relevant data mining algorithm (unsupervised clustering techniques)

I Efficiency proved on two different datasets I Freely downloadable interface

I

Applications:

I Investigate cyber security fraud I Debug DNS deployment

(18)

DNSSM: A Large Scale Passive

DNS Security Monitoring

Framework

Samuel Marchal, J´

erˆ

ome Fran¸cois, Cynthia Wagner,

Radu State, Alexandre Dulaunoy, Thomas Engel,

Références

Télécharger maintenant ( PDF - 18 Page - 1.47 MB )

Documents relatifs

Complexit´e Fran¸cois Schwarzentruber 5 septembre 2020

[r]

ALGO1 – Parcours en profondeur Fran¸cois Schwarzentruber February 7, 2021

si s est une position gagnante pour le joueur i retourner vrai si s est une position perdante pour le joueur i retourner faux pour tout coup de s → t faire.. si

Ces deux exercices sont issus du livre d’exercices de Fran¸ cois Husson et de J´ erˆ ome Pag` es intitul´ e Statistiques g´ en´ erales pour utilisateurs, ´ editions PUR.

Cela signifie qu’aucun des jurys ne met en moyenne des notes plus ´ elev´ ees (pas d’effet jury), et que les biscuits sont en moyenne autant appr´ eci´ es que les biscuits

DNS and Security?

DNS and Security - Quick Workshop Bibliography Q and A Domain Name Space and Structure.. Domain Name Space and

How to build a scalable passive DNS using a key/value data structure ”designed” in 5 minutes Alexandre Dulaunoy February 17, 2012

• I hate large piece of code, the implementation must be modular and having less than 5K LOC (↓ trash and rewrite cost). • I hate those bloody legal documents, we keep only the

DNS and Security?

DNS and Security - Quick Workshop dnscap Bibliography Q and A Domain Name Space and Structure.. Domain Name Space and

DNS and Security?

JSON String or an array of string if more than one unique triple time first : first time that the resource record triple (rrname, rrtype, rdata) was seen. time last : last time that

Forensic Analysis The Treachery of Images Alexandre Dulaunoy

Forensic Analysis - Theory - The Order of Volatility OOV The expected life of data : Type of Data Life Span Registers or cache Nanoseconds Main Memory Ten Nanoseconds Network