VB2014 preview: Design to discover: security analytics with 3D visualization engine

Posted by   Virus Bulletin on   Aug 29, 2014

Thibault Reuille and Dhia Mahjoub use particle physics to shows clusters of malicious domains.

In the weeks running up to VB2014 (the 24th Virus Bulletin International Conference), we will look at some of the research that will be presented at the event. Today, we look at the paper 'Design to discover: security analytics with 3D visualization engine', by Thibault Reuille (@ThibaultReuille) and Dhia Mahjoub (@DhiaLite), security researchers at OpenDNS.

Whatever you think of the term 'big data', the fact is that there is a lot of data out there, and this can provide useful information that wouldn't otherwise be available. Recommendations for books and films based on what others with a similar taste have read or watched are a well-known and widely used example of this.

In the first part of their paper (which they wrote together with their colleague Ping Yan), Thibault and Dhia apply this idea to command and control domains for botnets, in particular the CryptoLocker ransomware. By analysing a large amount of DNS data — which no doubt they see a lot of at OpenDNS — they were able to identify all of the domains the malware connected to based on only a few known C&C domains and without reverse-engineering the DGA algorithm or analysing the content of the connections.

Thibault and Dhia have told me that, during their presentation at VB2014, they will do the same for the 'GameOver Zeus' botnet, the subject of a prominent takedown, followed by a just as spectacular revival, recently.

Most botnet authors go to great lengths to make sure the communication between malware and control server doesn't stand out among other network traffic on the same connection. However, by combining data from a very large number of connections at once, patterns start to appear, which can help a great deal in detecting, understanding and fighting botnets.

In the second part of the paper, Thibault and Dhia use this to visualize patterns in 3D. Interestingly, they use a model from particle physics for their visualization: in their model, every domain is a node and every connection between two domains is an edge, with a force occurring between the nodes: if the two domains are connected (i.e. tend to co-occur), they attract each other, and if they aren't, they repulse each other.


  Fireworks? Actually, it is a 3D visualization of clusters of malicious domains.

This gives a three-dimensional 'Security Graph', where botnets quickly appear as clusters. This visualization will help researchers in understanding a botnet, while it can also show the seriousness of threats, for instance to law enforcement agencies.

Also at VB2014, Dhia will present the paper 'Sweeping the IP space: the hunt for evil on the Internet', on finding malicious nodes on the AS graph. If you have an interest in discovering malicious domains, make sure you also attend the presentation We know it before you do: predicting malicious domains, by Palo Alto Networks researchers Wei Xu, Yanxin Zhang and Kyle Sanders.

Registration for VB2014 is still open.

Posted on 29 August 2014 by Martijn Grooten

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest posts:

New paper: Collector-stealer: a Russian origin credential and information extractor

In a new paper, F5 researchers Aditya K Sood and Rohit Chaturvedi present a 360 analysis of Collector-stealer, a Russian-origin credential and information extractor.

VB2021 localhost videos available on YouTube

VB has made all VB2021 localhost presentations available on the VB YouTube channel, so you can now watch - and share - any part of the conference freely and without registration.

VB2021 localhost is over, but the content is still available to view!

VB2021 localhost - VB's second virtual conference - took place last week, but you can still watch all the presentations.

VB2021 localhost call for last-minute papers

The call for last-minute papers for VB2021 localhost is now open. Submit before 20 August to have your paper considered for one of the slots reserved for 'hot' research!

New article: Run your malicious VBA macros anywhere!

Kurt Natvig explains how he recompiled malicious VBA macro code to valid harmless Python 3.x code.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.