SIDEKICK: Suspicious Domain Classification
Master Thesis at SIDN
by Moritz Mueller
2015-08-14
Agenda
● Misuse of Domain Names
● Malicious domains in .nl
● Malicious Domain Characteristics
● What does SIDEKICK do?
● Outlook
Misuse of Domain Names
Redirection, Exploitation, Infection
[Figure: Exploit Kit Infection Chain, a chain of redirects (redirect 1, redirect 2, redirect 3) leading from init.nl to infection.nl]
Command and Control
C&C Address Resolution and Communication
Motivation for SIDN
TRUST
REPUTATION
OVERALL INTERNET SECURITY
Phishing
[Figure: Age of .nl phishing domains (1,923 domains): one week or younger; between one week and one year; one year or older]
Botnets
[Figure: Known Botnet Domains (82 domains), by source: Sinkhole, Quarantainenet, Other Sources]
Malicious Domain Characteristics
Geographic Characteristics
● 95.5 % Dutch registrants
● 88.5 % Dutch content
Query Origin
[Figure: share of queries (0-30 %) by resolver country (US, NL, RU, DE, CN, GB, FR, BE, BR, CA, TW, IT, PL, IE, JP, ES, CZ, IN, HK, UA, AU, FI, TR) for benign .nl domains, compared with Andromeda domains]
Query Frequency
[Figure: queries per day, 2015-05-01 to 2015-05-31, for popular .nl domains (up to 400,000 queries per day)]
[Figure: queries per day, 2014-11-20 to 2014-12-19, for Flashback botnet domains (up to 2,000 queries per day)]
[Figure: queries per day, 2015-05-01 to 2015-05-31, for unpopular .nl domains (up to 300 queries per day)]
[Figure: queries per day, by day, for new benign domains compared with new phishing domains (up to 200 queries per day)]
Domains in Quarantine
[Figure: median and mean queries for domains in quarantine compared with free domains (0-30 queries)]
Catching Bad Domains With SIDEKICK
General Approach
[Figure: Training: labelled domains (xyz.nl, 789.nl, opq.nl, 123.nl, ijk.nl, abc.nl) are described by the features Geo, Peak and Growth together with their label (e.g. Good). Classification: the same features are computed for an unknown domain ukn.nl and the trained model assigns its label (steps 1 to 4)]
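How the feature extraction and the classification step of the general approach fit together, as an added example that is not SIDEKICK's own code: it computes assumed definitions of the three feature names on the slide (Geo: share of queries from non-Dutch resolvers; Peak: busiest day relative to the average day; Growth: later half of the observation window against the earlier half) from constructed DNS query records, trains a nearest-centroid model on constructed labelled domains, and classifies two constructed unknown domains. All domain names, resolver countries, query volumes and the model choice are assumptions; the talk does not specify them.

```python
"""Added example, not SIDN's SIDEKICK code.

Computes the three feature groups named on the 'General Approach' slide
(Geo, Peak, Growth) from DNS query records and classifies unseen domains
against labelled training domains. Feature definitions, the
nearest-centroid model, domain names, resolver countries and query
volumes are constructed assumptions, not data from the talk.
"""
import math
import statistics
from collections import defaultdict

WINDOW = 7  # days of query data considered per domain (assumption)


def expand(spec):
    """Turn {qname: {country: [queries on day 0, day 1, ...]}} into flat
    (day, qname, resolver_country) records, the shape of a GeoIP-annotated
    authoritative query log."""
    records = []
    for qname, per_country in spec.items():
        for country, daily in per_country.items():
            for day, n in enumerate(daily):
                records.extend([(day, qname, country)] * n)
    return records


# Constructed training log. Benign .nl sites: Dutch resolvers, flat or
# slowly growing traffic. Phishing/botnet domains: foreign resolvers,
# a short burst, then decay.
TRAIN = expand({
    "bakkerij.nl":   {"NL": [40, 42, 41, 45, 44, 46, 48], "BE": [4, 4, 5, 4, 5, 5, 6], "DE": [2, 3, 2, 3, 3, 2, 3]},
    "fietsshop.nl":  {"NL": [12, 13, 15, 14, 16, 17, 19], "DE": [1, 1, 2, 1, 2, 2, 2]},
    "gemeente-x.nl": {"NL": [90, 88, 92, 95, 91, 94, 96], "GB": [3, 2, 3, 3, 2, 3, 3]},
    "ing-verify.nl": {"US": [5, 60, 20, 4, 1, 0, 0], "RU": [3, 25, 9, 2, 0, 0, 0], "NL": [2, 18, 7, 1, 0, 0, 0]},
    "cc-node7.nl":   {"US": [1, 2, 30, 28, 3, 1, 1], "CN": [0, 1, 22, 25, 2, 1, 0], "BR": [0, 0, 10, 12, 1, 0, 0]},
    "upd-serv.nl":   {"RU": [0, 40, 35, 2, 0, 0, 0], "UA": [0, 15, 12, 1, 0, 0, 0], "NL": [1, 3, 2, 0, 0, 0, 0]},
})
LABELS = {"bakkerij.nl": "good", "fietsshop.nl": "good", "gemeente-x.nl": "good",
          "ing-verify.nl": "bad", "cc-node7.nl": "bad", "upd-serv.nl": "bad"}

# Constructed unknown domains: one shaped like a fresh phishing domain,
# one shaped like a new small Dutch web shop.
UNKNOWN = expand({
    "ukn.nl":           {"US": [0, 35, 30, 6, 1, 0, 0], "RU": [0, 12, 10, 2, 0, 0, 0], "NL": [1, 5, 4, 1, 0, 0, 0]},
    "nieuwe-winkel.nl": {"NL": [3, 4, 4, 6, 7, 8, 9], "BE": [0, 0, 1, 0, 1, 1, 1]},
})


def features(records, qname, window=WINDOW):
    """Return (geo, peak, growth) for one domain; the definitions are
    assumptions chosen to match the slide's three feature names."""
    rows = [(d, c) for d, q, c in records if q == qname and d < window]
    if not rows:
        raise ValueError(f"no queries for {qname} in the window")
    daily = [0] * window
    for day, _ in rows:
        daily[day] += 1
    total = len(rows)
    # Geo: share of queries from non-Dutch resolvers. Benign .nl domains
    # (Dutch registrants, Dutch content) are mostly resolved from NL.
    geo = 1.0 - sum(1 for _, c in rows if c == "NL") / total
    # Peak: busiest day relative to the average day; bursts score high.
    peak = max(daily) / (total / window)
    # Growth: later half of the window against the earlier half, in [-1, 1].
    # A domain that bursts and dies scores near -1, a growing one near +1.
    half = window // 2
    first, last = sum(daily[:half]), sum(daily[-half:])
    growth = (last - first) / (first + last) if first + last else 0.0
    return (geo, peak, growth)


class CentroidClassifier:
    """Nearest class centroid on z-scored features; a stand-in for the
    learned model, which the slides do not specify."""

    def fit(self, X, y):
        cols = list(zip(*X))
        self.mu = [statistics.mean(c) for c in cols]
        self.sd = [statistics.pstdev(c) or 1.0 for c in cols]
        groups = defaultdict(list)
        for x, label in zip(X, y):
            groups[label].append(self._z(x))
        self.centroids = {label: [statistics.mean(c) for c in zip(*zs)]
                          for label, zs in groups.items()}
        return self

    def _z(self, x):
        return [(v - m) / s for v, m, s in zip(x, self.mu, self.sd)]

    def predict(self, x):
        z = self._z(x)
        return min(self.centroids, key=lambda label: math.dist(z, self.centroids[label]))


def train():
    names = list(LABELS)
    return CentroidClassifier().fit([features(TRAIN, n) for n in names],
                                    [LABELS[n] for n in names])


def classify_unknown(clf=None):
    """Map each constructed unknown domain to its predicted label."""
    clf = clf or train()
    return {n: clf.predict(features(UNKNOWN, n)) for n in sorted({q for _, q, _ in UNKNOWN})}


def false_positive_rate(clf, records, labels):
    """Share of known-good domains flagged as bad (measured here on the
    training data; the slides report 0.3 % for new domains)."""
    good = [n for n, label in labels.items() if label == "good"]
    return sum(clf.predict(features(records, n)) == "bad" for n in good) / len(good)


if __name__ == "__main__":
    model = train()
    for name, verdict in classify_unknown(model).items():
        print(f"{name:18} geo/peak/growth={features(UNKNOWN, name)} -> {verdict}")
    print("false positive rate on training set:", false_positive_rate(model, TRAIN, LABELS))
```

The features are normalised to z-scores before the distance is taken so that Peak (unbounded ratio) does not drown out Geo and Growth (both bounded); a real deployment would swap the centroid model for a trained classifier and measure the false positive rate on held-out domains rather than on the training set.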
SIDEKICK Architecture: New Domains
● 61,000 domains classified
● 33 malicious domains detected
● False positive rate 0.3 %
More domains detected than by a professional phishing feed
SIDEKICK Architecture: Old Domains
● 1.7 million domains classified
● 14,000 malicious domains detected
Suspicious domains cannot be verified
Next Steps
Improvements
● Early Detection
● Additional Features
● Non-DNS-related sources (Social Media, Search Engines, CMS and Webserver)
● EDNS Client Subnet Extension
● Resolver Reputation
Outlook
● Post Detection
– Block Content
● Google Safe Browsing, Netcraft
– Notify (Registrant, Registrar, Web-Hosting-Firm)
● Post Suspicion
– Cooperation
SIDEKICK
Thank You For Your Attention
● Based on geographic location and query patterns
● Effective detection of new domains
● Detection of suspicious compromised domains