January 21, 2020

381 words 2 mins read

A DGA Odyssey: Passive DNS Driven DGA Analysis

A DGA Odyssey: Passive DNS Driven DGA Analysis

Domain Generation Algorithm (DGA) techniques have been commonly used by bot-masters to evade detection, which dynamically produce quantities of seemingly random do …
Talk Title A DGA Odyssey: Passive DNS Driven DGA Analysis
Speakers Yiming Gong, Qitian Su, Zaifeng Zhang
Conference NANOG71
Conf Tag
Location San Jose, CA
Date Oct 2 2017 - Oct 4 2017
URL Talk Page
Slides Talk Slides
Video Talk Video

Domain Generation Algorithm (DGA) techniques have been commonly used by bot-masters to evade detection, which dynamically produce quantities of seemingly random domain names but only a few of them are selected as command and control (C&C) domains. Such technique makes the detection more difficult. To block these DGA domains, we need to find them early and identify them effectively. In this talk, we will share our DGA tracking experience based on passiveDNS and malware sandbox database. Starting from billions of PDNS records, we first extract highly suspicious DGA domains with a clustering algorithm. Then to identify the generation algorithms and seeds behind these domains, we use malware sandbox data to locate the malware samples. In the end, we have identify 36 families. Their corresponding DGA domain feeds can be freely accessed from http://data.netlab.360.com/dga. Our talk are divided into four parts:

  1. The DGA families we detected 36 DGA botnet families under track will be show in this part, as well as their activity stat in China.
  2. From the PDNS records to suspicious DGA domains It is a great challenge to identify millions of suspicious active DGA domains from billions of passiveDNS data. To address this problem, we utilize our Long Tail Cluster Algorithms (LTCA) to help to extract highly suspicious DGA domains. We will introduce the details of data cleaning and aggregation in this part.
  3. From suspicious DGA domains to malware samples Once we discover highly suspicious DGA domains, we need to locate the corresponding malware samples to further identify the corresponding generation algorithms and the seed. We use malware sandbox to bridge this gap. In this part, we will introduce our techniques, like time window difference, and others.
  4. Practical blocking experience Due to the complexity of DNS, this DGA blacklist may still suffer from both false positive and false negative in practice. Here we will introduce some practical cases we encountered and how we solve them.
dns algorithm botnet complexity database tracking cluster
comments powered by Disqus
Unraveling data with Spark using deep learning and other algorithms from machine learning

Unraveling data with Spark using deep learning and other algorithms from machine learning

December 28, 2019

Vartika Singh and Jeffrey Shmain walk you through various approaches using the machine learning algorithms available in Spark ML to understand and decipher meaningful patterns in real-world data. Vartika and Jeff also demonstrate how to leverage open source deep learning frameworks to run classification problems on image and text datasets leveraging Spark.
How Shutterfly migrated 10+ billion photos to the cloud

How Shutterfly migrated 10+ billion photos to the cloud

December 15, 2019

Jack Chan describes how Shutterfly migrated metadata from over 10B photos from a private data center into AWS in 100 days and explores designs to absorb mountains of metadata, on-premises ecommerce integration, and parallel user experiences, all in a highly scalable fashion. Shutterfly Photos is now a hybrid cloud solution with images hosted on-premises and client-facing photos metadata on AWS.
Big data computations: Comparing Apache HAWQ, Druid, and GPU databases

Big data computations: Comparing Apache HAWQ, Druid, and GPU databases

December 5, 2019

The class of big data computations known as distributed merge trees was built to aggregate user information across multiple data sources in the media domain. Vijay Srinivas Agneeswaran explores prototypes built on top of Apache HAWQ, Druid, and Kinetica, one of the open source GPU databases. Results show that Kinetica on a single G2.8x node outperformed clusters of HAWQ and Druid nodes.
Modern Big Data Pipelines over Kubernetes [I]

Modern Big Data Pipelines over Kubernetes [I]

December 3, 2019

Big data used to be synonymous with Hadoop, but our ecosystem has evolved over time with new database, streaming and machine learning solutions which dont necessarily benefit from the Hadoop deployme …
Rethinking stream processing with Apache Kafka: Applications versus clusters and streams versus databases

Rethinking stream processing with Apache Kafka: Applications versus clusters and streams versus databases

November 30, 2019

Michael Noll explains how Apache Kafka helps you radically simplify your data processing architectures by building normal applications to serve your real-time processing needs rather than building clusters or similar special-purpose infrastructurewhile still benefiting from properties typically associated exclusively with cluster technologies.
Overview of ICANN Identifier Technologies Health Indicator (ITHI) Project

Overview of ICANN Identifier Technologies Health Indicator (ITHI) Project

January 21, 2020

This talk could be either in the General Session or the DNS track. We would like to a submit a presentation on the ITHI project at ICANN. See details at http://www …