Beyond lexical and PDNS: using signals on graphs to uncover online threats at scale

Friday 6 October 14:00 - 14:30, Red room

Dhia Mahjoub (Cisco Umbrella (OpenDNS))
David Rodriguez (Cisco Umbrella (OpenDNS))

Botnet domains at their core aren't necessarily lexical nor defined by query volume. Botnets are graph-based. From a sequence of DNS graphs, one can mine subgraphs distinctive of botnets spreading malware, harvesting credentials, or delivering DDoS attacks to cripple high-value online assets.

Typical methods for detecting botnets using DNS leverage either 1) lexical characteristics of domain names (n-gram entropy, perplexity), or 2) traffic and static graph properties (measuring burst in query volumes and similarity of inter-client traffic, respectively). These insights build on the characteristic of algorithmically generated domains (AGDs) but miss the temporal nature of machines surfing the internet: i.e. graphs change from one time window to the next.

In this talk, we propose a novel method unifying the interactions between client machines, hostnames and hosting IPs by building a tripartite graph consisting of tens of millions of vertices and edges. We then propose methods to represent a sequence of graphs as signals to be mined in order to detect botnet attacks and online threats in general.

As our first use case, we ignore the lexical and move beyond traditional degree and centrality graph metrics. Instead, we pair client machines to hostnames and reveal that the trademark of a bot in a botnet is three things: 1) the variety of hostnames it queries, 2) the popularity of the hostnames, and 3) the frequency with which the bot repeats itself. Using Hadoop technologies, we show that these signals are scalable (to the millions) and distinguish Necurs, Conficker, Suppobox, PykSpa, and more.

In our second use case, we tackle the difficult task of predicting the number of domains within a family of AGDs. Introducing a measure involving the popularity of domains and repetition of a bot, we can approximate the number of domains an ideal classifier should catch.

We also show how we combine botnet detection derived from monitoring hosting IP space, e.g. fast flux with detection based on infected clients' behaviour. This provides a unified model to track botnet threats. In closing, we’ll explain how to monitor these threats using various forms of cohort analysis and analysis of variance techniques.

This talk will be very useful to data analysts and security researchers as our new methods proved to be very efficient and scalable at uncovering internet-scale trends and tracking highly dispersed and massive threats.




Dhia Mahjoub

Dr Dhia Mahjoub is the Head of Security Research at Cisco Umbrella (OpenDNS). He leads the core research team focused on large-scale threat detection and threat intelligence and advises on R&D strategy. Dhia has a background in networks and security, has co-authored patents with OpenDNS and holds a Ph.D. in graph algorithms applied on Wireless Sensor Networks problems. He regularly works with prospects and customers and speaks at conferences worldwide including Black Hat, Defcon, Virus Bulletin, BotConf, ShmooCon, FloCon, Kaspersky SAS, Infosecurity Europe, RSA, Usenix Enigma, ACSC, NCSC, and Les Assises de la sécurité.




David Rodriguez

David Rodriguez is a security researcher and data scientist at Cisco Umbrella (OpenDNS). He has co-authored multiple pending patents with Cisco in distributed machine learning applications centred around deep learning and behavioural analytics. He has an M.A. in mathematics from San Francisco State University and previously worked at Location Labs by Avast and Esurance. David has spoken at SAI Computing Conference 2016, Black Hat 2017, and at Data Science meetups in the Bay Area.

   Read paper    Watch video






Other VB2017 papers

Mariachis and jackpotting: ATM malware from Latin America

Thiago Marques (Kaspersky Lab)

Fabio Assolini (Kaspersky Lab)

Of all the forms of attack against financial institutions in the world, the ones that are most likely to combine traditional…

The state of cybersecurity in Africa: Kenya

Tyrus Kamau (Euclid Consultancy)

The cyber threats Kenya faces range from basic hacking such as website defacements, financial fraud, social media account…

XAgent: APT28 cyber espionage on macOS

Tiberius Axinte (Bitdefender)

This paper provides an in-depth analysis of the macOS version of the APT28 component known as XAgent. We will dissect the…

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.