Melting the Snow Using Active DNS Measurements to Detect Snowshoe - - PowerPoint PPT Presentation



SLIDE 1

Melting the Snow

Using Active DNS Measurements to Detect Snowshoe Spam Domains

Olivier van der Toorn, February 1, 2018

University of Twente, Design and Analysis of Communication Systems

SLIDE 2

Introduction

Olivier

  • @lordievader:corellian.student.utwente.nl
  • o.i.vandertoorn@utwente.nl

SLIDE 4

(Image: a diary)

SLIDE 5

We hypothesize that the use of active DNS measurements is a good way to detect snowshoe spam domains.

SLIDE 6

How can we detect snowshoe spam domains through the use of active DNS measurements?

SLIDE 7

Are we able to automate the detection of snowshoe spam domains?

SLIDE 8

What are the advantages of this approach over other approaches?

  • How large is the time advantage of this approach?
  • How much more spam is blocked because of this method?

SLIDE 11

Overview

SLIDE 12

(Diagram: Black box)

SLIDE 13

(Diagram: Box of domains, Black box)

SLIDE 14

(Diagram: Box of domains, Notepad, Black box)

SLIDE 15

A Closer Look

SLIDE 16

(Diagram: Box of domains, Notepad, Black box)

SLIDE 17

(Diagram: Box of domains, Notepad, Machine Learning)

SLIDE 19

(Diagram: Notepad, Machine Learning, OpenINTEL)

SLIDE 21

(Diagram: Realtime Blackhole List (RBL), Machine Learning, OpenINTEL)

SLIDE 23

(Diagram: Realtime Blackhole List (RBL), SURFmailfilter, Machine Learning, OpenINTEL)

SLIDE 24

OpenINTEL

SLIDE 26

A dataset
A labeled dataset

SLIDE 27

The long tail of the DNS

(Figure: marks at 97%, 98%, 99% and 99.9%)

SLIDE 30

(Figure, left: CDF of the number of A records for positives and negatives, x-axis 10 to 50 records, y-axis 40% to 100%, marked values 11.2 and 16.6. Figure, right: CDF of the number of MX records for positives and negatives, x-axis 20 to 100 records, y-axis 90% to 100%, marked value 77.0)

SLIDE 31

Machine Learning

SLIDE 33

Classification results. TP and FN count spam domains, FP and TN count ham domains.

Type                          TP      FN      FP      TN
SVC                        13449    1081    2339    8512
GaussianNB                 13330    1200    2075    8776
RadiusNeighborsClassifier  13318    1212    2367    8484
BernoulliNB                12995    1535    2507    8344
GradientBoostingClassifier 12645    1885    9605    1246
MultinomialNB              12179    2351    1397    9454
RandomForestClassifier     11156    3374    1488    9363
MLPClassifier               7273    7257     707   10144
DecisionTreeClassifier      6279    8251     695   10156
AdaBoostClassifier          5971    8559     164   10687
KNeighborsClassifier        4562    9968     676   10175
SGDClassifier               3599   10931     674   10177

SLIDE 38

Precision = True Positives / (True Positives + False Positives)

SLIDE 40

The same results with precision, sorted by precision, plus an improved AdaBoostClassifier.

Type                           TP      FN      FP      TN   Precision
AdaBoostClassifier Improved  6688    7842     110   10741   98.38%
AdaBoostClassifier           5971    8559     164   10687   97.32%
MLPClassifier                7273    7257     707   10144   91.14%
DecisionTreeClassifier       6279    8251     695   10156   90.03%
MultinomialNB               12179    2351    1397    9454   89.70%
RandomForestClassifier      11156    3374    1488    9363   88.23%
KNeighborsClassifier         4562    9968     676   10175   87.09%
GaussianNB                  13330    1200    2075    8776   86.53%
SVC                         13449    1081    2339    8512   85.18%
RadiusNeighborsClassifier   13318    1212    2367    8484   84.90%
SGDClassifier                3599   10931     674   10177   84.22%
BernoulliNB                 12995    1535    2507    8344   83.82%
GradientBoostingClassifier  12645    1885    9605    1246   56.83%
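
The re-ranking shown on the Machine Learning slides (first by true positives, then by precision), as an added example that is not the author's code: the confusion counts are copied from the slides, the metric and ranking functions are mine, and the percentages are truncated to two decimals because that is how the slides print them.

```python
"""Rank the deck's classifiers by precision rather than by true positives."""
from typing import Dict, List, Tuple

# (classifier, TP, FN, FP, TN) as shown on the slides; TP/FN are spam
# domains, FP/TN are ham domains. Every row has TP + FN = 14530.
RESULTS: List[Tuple[str, int, int, int, int]] = [
    ("SVC", 13449, 1081, 2339, 8512),
    ("GaussianNB", 13330, 1200, 2075, 8776),
    ("RadiusNeighborsClassifier", 13318, 1212, 2367, 8484),
    ("BernoulliNB", 12995, 1535, 2507, 8344),
    ("GradientBoostingClassifier", 12645, 1885, 9605, 1246),
    ("MultinomialNB", 12179, 2351, 1397, 9454),
    ("RandomForestClassifier", 11156, 3374, 1488, 9363),
    ("MLPClassifier", 7273, 7257, 707, 10144),
    ("DecisionTreeClassifier", 6279, 8251, 695, 10156),
    ("AdaBoostClassifier", 5971, 8559, 164, 10687),
    ("KNeighborsClassifier", 4562, 9968, 676, 10175),
    ("SGDClassifier", 3599, 10931, 674, 10177),
    ("AdaBoostClassifier Improved", 6688, 7842, 110, 10741),
]


def metrics(tp: int, fn: int, fp: int, tn: int) -> Dict[str, float]:
    """Precision (what the deck ranks on), recall and false-positive rate.

    Precision = TP / (TP + FP): of the domains flagged as spam, how many
    really are. A false positive means blocking a legitimate sender, so
    a spam filter cares more about precision than about raw recall.
    """
    return {
        "precision": tp / (tp + fp),
        "recall": tp / (tp + fn),
        "fpr": fp / (fp + tn),
    }


def ranking(metric: str = "precision") -> List[str]:
    """Classifier names ordered best to worst on the chosen metric."""
    higher_is_better = metric != "fpr"
    scored = [(metrics(*row[1:])[metric], row[0]) for row in RESULTS]
    scored.sort(key=lambda s: s[0], reverse=higher_is_better)
    return [name for _, name in scored]


def precision_pct(name: str) -> float:
    """Precision in percent, truncated to two decimals like the slides."""
    row = next(r for r in RESULTS if r[0] == name)
    return int(metrics(*row[1:])["precision"] * 10000) / 100


if __name__ == "__main__":
    for rank, name in enumerate(ranking("precision"), 1):
        print(f"{rank:2d}. {name:28s} {precision_pct(name):6.2f}%")
```

Ranking on recall reproduces the order of the first table, ranking on precision the order of the second.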

SLIDE 43

Realtime Blackhole List (RBL)

SLIDE 44

(Figure: number of detected domains, log scale from 1 to 100000, against detection in advance in days, 10 to 80; labelled bars 28984, 1961, 1144, 1095, 968 and 928)

SLIDE 51

  • 112137 domains in total
  • 57724 domains have been detected one day (or less) in advance
  • 6710 domains have been detected two days (or more) in advance
  • 47703 domains have been detected and never blacklisted

(Figure: number of detected domains, log scale from 1 to 100000, against detection in advance in days, 20 to 180)
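
How the "detection in advance" figure and the three summary categories above can be derived from per-domain detection and blacklisting dates, as an added example that is not the author's code. The domains and dates are constructed, and putting domains the RBL listed first into the "one day (or less)" bucket is my assumption.

```python
"""Bucket detected domains by how far ahead of the RBL they were flagged."""
from collections import Counter
from datetime import date
from typing import Dict, Optional, Tuple

Record = Tuple[date, Optional[date]]  # (first detection, first RBL listing or None)

# Constructed sample, not data from the deck.
SAMPLE: Dict[str, Record] = {
    "example-a.test": (date(2017, 5, 24), date(2017, 5, 24)),  # same day
    "example-b.test": (date(2017, 5, 24), date(2017, 5, 25)),  # 1 day ahead
    "example-c.test": (date(2017, 5, 24), date(2017, 6, 1)),   # 8 days ahead
    "example-d.test": (date(2017, 5, 24), date(2017, 7, 23)),  # 60 days ahead
    "example-e.test": (date(2017, 6, 1), date(2017, 5, 30)),   # RBL listed it first
    "example-f.test": (date(2017, 6, 23), None),               # never blacklisted
}


def lead_days(detected: date, listed: Optional[date]) -> Optional[int]:
    """Days by which detection preceded the RBL listing; None if never listed.

    A negative value means the RBL had the domain before the classifier did.
    """
    if listed is None:
        return None
    return (listed - detected).days


def bucket(lead: Optional[int]) -> str:
    """Map a lead time onto the three categories of the deck's summary slide.

    Assumption: 'one day (or less)' also absorbs domains the RBL listed first,
    because the deck shows no separate category for them.
    """
    if lead is None:
        return "never blacklisted"
    if lead >= 2:
        return "two days (or more) in advance"
    return "one day (or less) in advance"


def summarise(data: Dict[str, Record]) -> Dict[str, int]:
    """Domains per category plus the total, the shape of the summary slide."""
    counts = Counter(bucket(lead_days(*rec)) for rec in data.values())
    counts["total"] = len(data)
    return dict(counts)


def histogram(data: Dict[str, Record]) -> Dict[int, int]:
    """Domains per lead day: the series behind the 'detection in advance' plot."""
    leads = (lead_days(*rec) for rec in data.values())
    return dict(Counter(d for d in leads if d is not None and d >= 0))


if __name__ == "__main__":
    for category, n in summarise(SAMPLE).items():
        print(f"{n:6d}  {category}")
```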

SLIDE 56

SURFmailfilter

SLIDE 57

(Figure: observation dates 2017-05-24 to 2017-07-23 on the x-axis; the domain names daadzgam.com, realdrippy.com, coachspoke.com, stillscratch.com, homerope.com and quittradition.com on the y-axis; legend: Blacklisted, Detected)

SLIDE 60

  • 20 domains
  • 14 (70.00%) domains have an average score of five or higher
  • 1188 emails

SLIDE 64

  • 29 domains
  • 21 (72.41%) domains have an average score of five or higher
  • 448 emails

SLIDE 68

  • 64 domains
  • 39 (60.93%) domains have an average score of five or higher
  • 1006 emails

SLIDE 72

  • 1080 emails
  • 447 (41.39%) have a score of five or higher

SLIDE 75

  • 633 have a score below five
  • counting 52 unique domains
  • 13 of these never appear in an email scoring above five

SLIDE 78

(Figure: emails marked as spam, 100 to 700, against the additional score of the RBL, 0.0 to 5.0 in steps of 0.5; labelled points 22, 120, 320, 335, 352, 441, 497, 554, 626 and 629)

SLIDE 85

Conclusions

SLIDE 86

What is the advantage of proactive snowshoe spam domain detection using DNS data?

SLIDE 88

  • o.i.vandertoorn@utwente.nl

SLIDE 90

?