Copy right 2020 FUJITSU SYSTEM INTEGRATION LABORATORIES LIMITED
Explainable Malicious Domain Diagnosis
CODE BLUE 2020 Track 2 (October 30th, 2020)
FUJITSU SYSTEM INTEGRATION LABORATORIES LTD.
Tsuyoshi TANIGUCHI
Tsuyoshi TANIGUCHI
◼ Fujitsu System Integration Laboratories, Researcher, Ph.D.
◼ Mar. 2008 - Hokkaido University, Ph.D. (computer science)
◼ Apr. 2008 - Researcher, FUJITSU
◼ Apr. 2016 - Researcher, FUJITSU SYSTEM INTEGRATION LABORATORIES LTD
◼ Speaker: CODE BLUE 2017 Day0 Special Track (Counter Cyber Crime Track), CODE BLUE 2018
Research Overview
(Figure: timeline of the author's three CODE BLUE talks, with the technique and data behind each.)
◼ Learning from existing threat intel.: current situation recognition, stock-taking, trend analysis, proactive defense

| Talk | Technique, data | Direction |
| --- | --- | --- |
| Indicator Learning (CODE BLUE 2017 Day0) | Threat intelligence, contrast set mining | Treasure hunting among a lot of threat intel. |
| Indicator Diagnosis (CODE BLUE 2018) | Active + Passive DNS | Toward "Explainable" indicators: known -> unknown |
| Explainable Malicious Domain Diagnosis (CODE BLUE 2020) | WHOIS history | Distinction of long-term targeted attacks |
Principle of “Explainable”
(Figure: registration and name server histories of legitimate, short-term malicious and long-term malicious domains.)
◼ Legitimate: registered decades ago, then continues to update; stable operation of name servers
◼ Short-term malicious: recently registered, disposable before expiration; short-term name server change in the case of a large-scale spam attack
◼ Long-term malicious: unnatural change of registrars (Registrar 1 -> Registrar 2 -> Registrar 3)
◼ Malicious detection by comparison of detection viewpoints (registration, name server): take advantage of evasive behavior
Future Goal
◼ SOC support by explainable malicious domain diagnosis
◼ Saving work on explanation tasks when SOC operators cope with alerts
(Figure: explainable malicious domain diagnosis takes a list of unknown domains and the learning results (the reasoning for explanation) as input, and returns to SOC operators the results of malicious detection, the detection viewpoints and the estimated attack types, which also serve as the explanation for management.)
System Overview
(Figure: system architecture.)
◼ Input for learning: legitimate domains, malicious domains for short-term attacks, malicious domains for targeted attacks
◼ Input for diagnosis: unknown domains
◼ Lookup Analyzer: Passive DNS from the DNSDB API (curl)
◼ Registration Analyzer: WHOIS history from the PassiveTotal API (curl)
◼ GeoIP Analyzer: IP geolocation from GeoLite2
◼ Explainable Learning & Diagnosis, with results stored in a MySQL diagnosis DB
◼ Output: dashboard visualization (BI tool) through the Metabase API
Data Sources
◼ Farsight Security - DNSDB: https://www.dnsdb.info
◼ RiskIQ - PassiveTotal: https://www.riskiq.com/products/passivetotal/
◼ MaxMind - GeoLite2: https://dev.maxmind.com/geoip/geoip2/geolite2/
◼ Metabase: https://www.metabase.com/
◼ Alexa Web Information Company: https://www.alexa.com/topsites
Differences between Registration and Lookup
(Figure: the registration path (registration application -> registrar -> registry -> zone with TLD, SLD, domain, name server (ns) and IP records) beside the lookup path (client -> caching DNS server -> query for host1.example.jp -> 5.6.7.8).)
Example zone records:
example.jp IN NS ns1.example.jp
ns1.example.jp IN A 1.2.3.4
host1.example.jp IN A 5.6.7.8
◼ Lookup is not always conducted soon after registration
Forensics based on Histories of Registration and Lookup
(Figure: registration history beside lookup history for three behaviors.)
◼ Legitimate: registration followed by repeated updates; lookups run from first seen to last seen
◼ Disposable (spam, Fast-Flux): registration then expiration; first seen soon after registration, last seen before expiration
◼ Lookup delay (behavior for brand protection): registration then expiration; first seen only after a delay, then last seen
◼ Registration term: a year, two years, five years, and so on; the domain is not operated during the whole term
Malicious Detection of Long-term Attacks Based on Unnatural Registration Change
(Figure: short-term and long-term timelines of registration history beside lookup history.)
◼ Short-term: registration then expiration; lookups from first seen to last seen; disposable
◼ Long-term: registration, expiration, re-registration and expiration again (unnatural registration change) while lookups continue from first seen to last seen
◼ Short-term malicious: drop catch
◼ Not legitimate behavior: expiration
Demonstration
1. Can we detect malicious behavior of targeted attacks from well-known viewpoints in cyber security?
2. Do all-purpose viewpoints that detect all malicious behavior exist?
3. Explainable malicious domain diagnosis for unknown domains
Summary of Learning Data
◼ Targeted: three campaigns targeting Japan
◼ Short-term: famous campaigns regarding botnets, spam and ransomware

| Type | Campaign | Domains | Data sources | Period |
| --- | --- | --- | --- | --- |
| Legitimate | - | 50 | Alexa (top 50, Jun. 23rd, 2020) | - |
| Targeted | BlackTech | 40 | JPCERT (Mar. 1st, May 28th, 2018, Oct. 23rd, 2019, Feb. 26th, 2020), LAC (Apr. 25th, 2018) | 2012 - |
| Targeted | DarkHotel | 17 | OTX (May 9th, 29th, Jun. 24th, 2019) | 2007 - |
| Targeted | Gamaredon | 19 | Trend Micro (Mar. 30th, 2020) | 2013 - |
| Short-term | Goznym | 365 | Talos Blog, Cisco (Mar. 6th, 2018) | 2016 to May 2019 |
| Short-term | Necurs | 243 | Talos Blog, Cisco (Jan. 18th, 2018) | 2012 to (Mar. 2020) |
| Short-term | Cerber | 1305 | Ransomware Tracker (closed) | 2016 to Dec. 2017 |
| Short-term | Locky | 214 | Ransomware Tracker (closed) | 2016 to 2017 |
Demonstration 1
◼ Can we detect malicious behavior of targeted attacks from well-known viewpoints in cyber security?
Can we detect malicious behavior of targeted attacks from well-known viewpoints in cyber security?

| Viewpoint | Criteria | Legitimate behavior | Summary |
| --- | --- | --- | --- |
| Freshness | Registered within a year of the basis date | Registered decades ago | Short-term: concentrated on registering domains during the corresponding campaigns; Targeted: 10 to 30% |
| Name server | Changed more than once, each name server kept for less than three months | Stable operation | Short-term: changes at short intervals |
| Registrar | A particular registrar | Abused registrars are not used | Short-term: concentrated on abused registrars (The 10 Most Abused Domain Registrars by Spamhaus) |

◼ -> these viewpoints rarely detect targeted attacks
Backup Slides for Dashboard Error
Demonstration 2
◼ Do all-purpose viewpoints that detect all malicious behavior exist?
Do All-purpose Detectable Viewpoints for All Malicious Behavior Exist?

| Viewpoint | Citation | Explainable |
| --- | --- | --- |
| Short lifetime | Exposure [Bilge et al., 2011] | |
| Fast-Flux | [Holz et al., 2008] | |
| Freshness | | |
| Name server change | Predator [Hao et al., 2016] | |
| Lookup delay | [Holz et al., 2008], [Hao et al., 2011] | |
| A particular registrar | Predator [Hao et al., 2016] | |
| Unnatural registration change | | |
| Long lookup delay | | |
Backup Slides for Dashboard Error
(Figure: dashboard view with one panel per viewpoint: particular registrar, short lifetime, lookup delay, Fast-Flux, freshness, name server change, before expiration, after dormant, long lookup delay.)
Do All-purpose Detectable Viewpoints for All Malicious Behavior Exist?

| Viewpoint | Citation | Explainable |
| --- | --- | --- |
| Short lifetime | Exposure [Bilge et al., 2011] | Short term |
| Fast-Flux | [Holz et al., 2008] | Short term |
| Freshness | | Short term |
| Name server change | Predator [Hao et al., 2016] | Short term |
| Lookup delay | [Holz et al., 2008], [Hao et al., 2011] | Short term |
| A particular registrar | Predator [Hao et al., 2016] | Short term |
| Unnatural registration change | | Long term |
| Long lookup delay | | Long term |

◼ -> no cure-all, but short-term can be distinguished from long-term
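An added worked example (not code from the talk or from the Fujitsu system) that applies the viewpoints of the Demonstration 1 criteria table and the short-term/long-term classification above to constructed WHOIS-history and passive DNS records, returning each triggered viewpoint with its term and a one-line explanation. The one-year freshness window and three-month name server window come from the slides; the record layout, the placeholder registrar name, the 2005 passive DNS start and the 7-day/365-day lookup-delay thresholds are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class WhoisSnapshot:           # one WHOIS-history record (constructed layout)
    observed: date             # date the snapshot was captured
    registered: date           # creation date reported in that snapshot
    expires: date              # expiration date reported in that snapshot
    registrar: str
    name_servers: frozenset


@dataclass
class DomainHistory:
    whois: list                # WhoisSnapshot records, any order
    first_seen: date | None    # passive DNS first lookup, None if never seen
    last_seen: date | None     # passive DNS last lookup


# Placeholder standing in for an entry on an abused-registrar list (assumption).
ABUSED_REGISTRARS = frozenset({"PLACEHOLDER-ABUSED-REGISTRAR"})


def diagnose(h, basis, today, abused=ABUSED_REGISTRARS, pdns_since=date(2005, 1, 1),
             fresh_days=365, ns_window_days=90, short_delay_days=7, long_delay_days=365):
    """(viewpoint, term, explanation) for each viewpoint triggered. basis = campaign
    basis date, today = diagnosis date; delay thresholds and pdns_since are assumed."""
    snaps = sorted(h.whois, key=lambda s: s.observed)
    first, latest = snaps[0], snaps[-1]
    found = []
    # Freshness (short-term): created within a year before the basis date.
    if basis - timedelta(days=fresh_days) <= first.registered <= basis:
        found.append(("freshness", "short-term", f"created {first.registered}, within {fresh_days} days of {basis}"))
    # Name server change (short-term): more than one change, each set kept under three months.
    changes = [b.observed for a, b in zip(snaps, snaps[1:]) if a.name_servers != b.name_servers]
    gaps = [(d2 - d1).days for d1, d2 in zip(changes, changes[1:])]
    if len(changes) > 1 and all(g <= ns_window_days for g in gaps):
        found.append(("name server change", "short-term",
                      f"{len(changes)} changes, longest interval {max(gaps)} days"))
    # Particular registrar (short-term).
    if latest.registrar in abused:
        found.append(("particular registrar", "short-term", f"current registrar {latest.registrar} is on the abused list"))
    # Lookup delay: creation to first lookup; measurable only if created after passive DNS began.
    if h.first_seen is not None and first.registered >= pdns_since:
        delay = (h.first_seen - first.registered).days
        if delay <= short_delay_days:
            found.append(("lookup delay", "short-term", f"first lookup {delay} days after creation"))
        elif delay >= long_delay_days:
            found.append(("long lookup delay", "long-term", f"dormant {delay} days before first lookup"))
    # Short lifetime (short-term): lookups stopped before expiration, registration never extended.
    if h.last_seen is not None and h.last_seen < latest.expires < today and latest.expires == first.expires:
        found.append(("short lifetime", "short-term", f"last lookup {h.last_seen}, left to expire on {latest.expires}"))
    # Unnatural registration change (long-term): drop catch after expiration while lookups continue.
    if h.first_seen is not None and h.last_seen is not None:
        for a, b in zip(snaps, snaps[1:]):
            if b.registered > a.expires and h.first_seen < a.expires < h.last_seen:
                found.append(("unnatural registration change", "long-term",
                              f"expired {a.expires}, re-registered {b.registered}, lookups continued"))
                break
    return found


def estimate_type(findings):
    """Attack type suggested by the terms of the triggered viewpoints."""
    terms = {term for _, term, _ in findings}
    if not terms:
        return "no viewpoint triggered"
    return terms.pop() if len(terms) == 1 else "mixed"


TODAY = date(2020, 10, 16)
# Constructed histories, one per behaviour sketched on the slides: name -> (basis date, history).
HISTORIES = {
    "legit-example.test": (TODAY, DomainHistory([
        WhoisSnapshot(date(2015, 1, 1), date(1998, 3, 5), date(2016, 3, 5), "Registrar A", frozenset({"ns1.a", "ns2.a"})),
        WhoisSnapshot(date(2019, 1, 1), date(1998, 3, 5), date(2021, 3, 5), "Registrar A", frozenset({"ns1.a", "ns2.a"})),
    ], date(2010, 6, 1), date(2020, 10, 15))),
    "spam-example.test": (date(2018, 6, 1), DomainHistory([
        WhoisSnapshot(date(2018, 2, 1), date(2018, 1, 20), date(2019, 1, 20), "PLACEHOLDER-ABUSED-REGISTRAR", frozenset({"ns1.x"})),
        WhoisSnapshot(date(2018, 3, 1), date(2018, 1, 20), date(2019, 1, 20), "PLACEHOLDER-ABUSED-REGISTRAR", frozenset({"ns1.y"})),
        WhoisSnapshot(date(2018, 4, 15), date(2018, 1, 20), date(2019, 1, 20), "PLACEHOLDER-ABUSED-REGISTRAR", frozenset({"ns1.z"})),
    ], date(2018, 1, 21), date(2018, 6, 30))),
    "targeted-example.test": (TODAY, DomainHistory([
        WhoisSnapshot(date(2012, 5, 1), date(2006, 8, 10), date(2013, 8, 10), "Registrar B", frozenset({"ns1.b"})),
        WhoisSnapshot(date(2014, 2, 1), date(2013, 11, 2), date(2017, 11, 2), "Registrar C", frozenset({"ns1.c"})),
    ], date(2012, 6, 15), date(2016, 9, 30))),
}


def demo():
    """Diagnose every constructed history: name -> (estimated type, findings)."""
    out = {}
    for name, (basis, hist) in HISTORIES.items():
        findings = diagnose(hist, basis, TODAY)
        out[name] = (estimate_type(findings), findings)
    return out


if __name__ == "__main__":
    for name, (kind, findings) in demo().items():
        print(name, kind, *findings, sep="\n  ")
```

The legitimate history triggers nothing, the spam-style history triggers only short-term viewpoints, and the drop-caught history triggers only the two long-term viewpoints, which is the distinction the table above draws.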
Demonstration 3
◼ Explainable malicious domain diagnosis for unknown domains
Analysis of tokyo2020 Typosquatting Domains
◼ Theme: social contribution toward smooth operation of the Olympics
◼ The Tokyo Organising Committee of the Olympic and Paralympic Games and JC3 (Japan Cybercrime Control Center) work to realize smooth operation of the Olympics against cyber threats.
◼ Fujitsu supports JC3 as a member company.
◼ Aoki, who cooperates with JC3, and Shimizu provided me with tokyo2020 typosquatting domains from their system as a Fujitsu activity
◼ Special thanks to Taichi Aoki and Satoru Shimizu of FUJITSU SOCIAL SCIENCE LABORATORY
◼ tokyo2020 similar domains: 2385
◼ Evaluation targets: 474
◼ 190 similar domains related to IDN homograph attacks: not applicable
◼ 1721 WHOIS histories (.fm, .la, .ph, .vg, .ws, DGA behavior): not available
tokyo2020 Similar Domain Analysis by Tatsuya Mori Laboratory
◼ Survey analysis regarding similar domains related to the Tokyo Olympic official site
◼ https://nsl.cs.waseda.ac.jp/tokyo2020/
◼ Similar domains: 956 (as of Jun. 2019)
◼ Extracted domains with the "tokyo" "2020" string from 1358 TLDs in domainlists.io
◼ Most of the domains were related to a "domain parking" service; the others were legitimate services
◼ It is difficult to tell official sites from domains that need care even when specialists analyze them based on the strings alone
◼ "typosquatting" and IDN homograph attacks: not applicable
◼ Our target: "typosquatting" similar domains
Backup Slides for Dashboard Error
(Figure: registration timeline of tokyo2020 similar domains, annotated "Tokyo Olympic: decided to be held" and "Long-term operation before Tokyo Olympic decision".)
Long-Term Similar Domains
◼ 2020.xxx, 020.xxx, 20.xxx (xxx: TLD)
◼ Similar domains are generated as subdomains of these
◼ Ex: 2020.cz -> tokyo.2020.cz, 020.us -> tokyo2.020.us

| Domain | Registration year |
| --- | --- |
| 2020.biz | 2002 |
| 020.biz | 2002 |
| 2020.cz | 1997 |
| 2020.in | 2005 |
| 2020.info | 2001 |
| 2020.pl | 2006 |
| 2020.us | 2002 |
| 020.us | 2004 |
| 020.org | 2003 |
| 020.se | 2006 |
| 20.cl | 2005 |
| 20.cn | 2003 |
| 20.com | 1995 |
| 20.fr | 2004 |
| 20.hk | 2006 |
| 20.kz | 2006 |
| 20.ms | 1999 |
| 20.net | 1999 |
| 20.org | 1998 |
| 20.pl | 2001 |
| 20.st | 2001 |
In-depth Analysis of Long-Term Similar Domains
◼ Most similar domains have not operated yet (as of Oct. 16th)
◼ Checked with dig, lookup history based on Passive DNS, and subdomains from VirusTotal (○: yes, ×: no)

| Similar domain | dig | Passive DNS | Subdomains |
| --- | --- | --- | --- |
| tokyo.2020.biz | ○ | × | 1 |
| tokyo2.020.biz | ○ | × | 0 |
| tokyo.2020.cz | ○ | × | 1 |
| tokyo.2020.in | ○ | × | 2 |
| tokyo.2020.info | ○ | × | 3 |
| tokyo.2020.pl | ○ | × | 6 |
| tokyo.2020.us | ○ | × | 3 |
| tokyo2.020.us | ○ | × | 2 |
| tokyo2.020.org | ○ | ○ | 0 |
| tokyo2.020.se | ○ | × | 0 |
| tokyo20.20.cl | ○ | × | 2 |
| tokyo20.20.cn | ○ | × | 8 |
| tokyo20.20.com | ○ | ○ | 62 |
| tokyo20.20.fr | ○ | × | 31 |
| tokyo20.20.hk | ○ | × | 2 |
| tokyo20.20.kz | ○ | × | 2 |
| tokyo20.20.ms | ○ | × | 3 |
| tokyo20.20.net | ○ | × | 41 |
| tokyo20.20.org | ○ | × | 24 |
| tokyo20.20.pl | ○ | × | 8 |
| tokyo20.20.st | ○ | × | 3 |
In-depth Analysis: tokyo20.20.com
◼ VirusTotal: https://www.virustotal.com/gui/domain/tokyo20.20.com/relations
◼ A list of subdomains of 20.com, including tokyo20.20.com, was mapped to 39.108.146[.]115
◼ The targets of domain parking were not only tokyo2020 but also other strings
Conclusion
◼ Explainable Malicious Domain Diagnosis
◼ For unknown domains, the detection viewpoints can be explained together with the attack types they are connected to
◼ In principle, take advantage of evasive behavior by advanced adversaries
◼ Demonstration: tokyo2020 similar domains
◼ Short-term: registrations increased after the Tokyo Olympic decision
◼ Long-term: 2020.xxx, 020.xxx, 20.xxx (xxx: TLD): no clues of operation -> be careful
Previous Studies
(Figure: timeline 2005-2020 of DNS lookup and DNS registration studies; the author's contributions are Indicator Diagnosis (2018) and Explainable Diagnosis (2020).)
◼ Passive DNS (2005), Fast-Flux Observation (2008), Notos (2010), Proactive Domain Blacklisting (2010), Exposure (2011), Kopis (2011), Initial DNS Behavior (2011), Phoenix (for DGA) (2014), Active DNS (2016), Predator (2016), Indicator Diagnosis (2018), Explainable Diagnosis (2020)
Citation
◼ Holz, Thorsten, et al. "Measuring and Detecting Fast-Flux Service Networks." NDSS. 2008.
◼ Nazario, Jose, and Thorsten Holz. "As the net churns: Fast-flux botnet observations." 2008 3rd International Conference on Malicious and Unwanted Software (MALWARE). IEEE, 2008.
◼ Weimer, Florian. "Passive DNS replication." FIRST conference on computer security incident. 2005.
◼ Antonakakis, Manos, et al. "Building a dynamic reputation system for DNS." USENIX Security Symposium. 2010.
◼ Bilge, Leyla, et al. "EXPOSURE: Finding Malicious Domains Using Passive DNS Analysis." NDSS. 2011.
◼ Felegyhazi, Mark, Christian Kreibich, and Vern Paxson. "On the Potential of Proactive Domain Blacklisting." LEET 10 (2010): 6-6.
◼ Hao, Shuang, Nick Feamster, and Ramakant Pandrangi. "Monitoring the initial DNS behavior of malicious domains." Proceedings of the 2011 ACM SIGCOMM conference on Internet measurement conference. 2011.
◼ Hao, Shuang, et al. "PREDATOR: proactive recognition and elimination of domain abuse at time-of-registration." Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. 2016.
Citation: Threat Intel.
◼ OTX Pulse, Continued DarkHotel Activity, May 9th, 2019.
◼ OTX Pulse, Continued Activity by DarkHotel, May 29th, 2019.
◼ OTX Pulse, DarkHotel disclosed the latest attack on Chinese foreign trade, Jun. 24th, 2019.
◼ JPCERT, TSCookie, https://blogs.jpcert.or.jp/ja/2018/03/tscookie.html, Mar. 1st, 2018.
◼ LAC, "BlackTech", "PLEAD", https://www.lac.co.jp/lacwatch/people/20180425_001625.html, Apr. 25th, 2018.
◼ JPCERT, BlackTech, PLEAD, https://blogs.jpcert.or.jp/ja/2018/05/linopid.html, May 28th, 2018.
◼ JPCERT, BlackTech, IconDown, https://blogs.jpcert.or.jp/ja/2019/10/IconDown.html, Oct. 23rd, 2019.
◼ JPCERT, BlackTech (ELF_TSCookie), https://blogs.jpcert.or.jp/ja/2020/02/elf_tscookie.html, Feb. 26th, 2020.
◼ Trend Micro, Gamaredon, https://blog.trendmicro.co.jp/archives/24285
◼ Talos Blog, Cisco, Gozi ISFB Remains Active in 2018, Leverages "Dark Cloud" Botnet For Distribution, https://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html, Mar. 6th, 2018.
◼ Talos Blog, Cisco, The Many Tentacles of the Necurs Botnet, https://blog.talosintelligence.com/2018/01/the-many-tentacles-of-necurs-botnet.html, Jan. 18th, 2018.

Tibco Augmented Intelligence - Analytics, IoT, Big Data, Streaming 20161025Tibco Augmented Intelligence - Analytics, IoT, Big Data, Streaming 20161025
Tibco Augmented Intelligence - Analytics, IoT, Big Data, Streaming 20161025
 
Mastering Next Gen SIEM Use Cases (Part 3)
Mastering Next Gen SIEM Use Cases (Part 3)Mastering Next Gen SIEM Use Cases (Part 3)
Mastering Next Gen SIEM Use Cases (Part 3)
 
Journey Towards Industry 4.0 With IoT
Journey Towards Industry 4.0 With IoTJourney Towards Industry 4.0 With IoT
Journey Towards Industry 4.0 With IoT
 
[Oracle Innovation Summit Tokyo 2018] インダストリアルIoTの今、そしてこれからの進化
[Oracle Innovation Summit Tokyo 2018] インダストリアルIoTの今、そしてこれからの進化[Oracle Innovation Summit Tokyo 2018] インダストリアルIoTの今、そしてこれからの進化
[Oracle Innovation Summit Tokyo 2018] インダストリアルIoTの今、そしてこれからの進化
 
APT & What we can do TODAY
APT & What we can do TODAYAPT & What we can do TODAY
APT & What we can do TODAY
 
IRJET- A Defense System Against Application Layer Ddos Attacks with Data Secu...
IRJET- A Defense System Against Application Layer Ddos Attacks with Data Secu...IRJET- A Defense System Against Application Layer Ddos Attacks with Data Secu...
IRJET- A Defense System Against Application Layer Ddos Attacks with Data Secu...
 
Ivanti for msp
Ivanti for mspIvanti for msp
Ivanti for msp
 

More from CODE BLUE

[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa  Threat Hunting and Fast Forensics in Windows environments fo...[cb22] Hayabusa  Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
CODE BLUE
 
[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl
CODE BLUE
 
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22]  Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...[cb22]  Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
CODE BLUE
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
CODE BLUE
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
CODE BLUE
 
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22]  ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...[cb22]  ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22]  「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman [cb22]  「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
CODE BLUE
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by  高橋 郁夫[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by  高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
CODE BLUE
 
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
CODE BLUE
 
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka [cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
CODE BLUE
 
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
CODE BLUE
 
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
CODE BLUE
 
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
[cb22]  From Parroting to Echoing:  The Evolution of China’s Bots-Driven Info...[cb22]  From Parroting to Echoing:  The Evolution of China’s Bots-Driven Info...
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
CODE BLUE
 
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22]  Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...[cb22]  Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
CODE BLUE
 
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
CODE BLUE
 
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
CODE BLUE
 
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
CODE BLUE
 

More from CODE BLUE (20)

[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa  Threat Hunting and Fast Forensics in Windows environments fo...[cb22] Hayabusa  Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
 
[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl
 
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22]  Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...[cb22]  Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
 
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22]  ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...[cb22]  ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22]  「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman [cb22]  「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by  高橋 郁夫[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by  高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
 
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
 
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka [cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
 
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
 
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
 
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
[cb22]  From Parroting to Echoing:  The Evolution of China’s Bots-Driven Info...[cb22]  From Parroting to Echoing:  The Evolution of China’s Bots-Driven Info...
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
 
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22]  Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...[cb22]  Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
 
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
 
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
 
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
 

Recently uploaded

0x01 - Newton's Third Law: Static vs. Dynamic Abusers
0x01 - Newton's Third Law:  Static vs. Dynamic Abusers0x01 - Newton's Third Law:  Static vs. Dynamic Abusers
0x01 - Newton's Third Law: Static vs. Dynamic Abusers
OWASP Beja
 
Eureka, I found it! - Special Libraries Association 2021 Presentation
Eureka, I found it! - Special Libraries Association 2021 PresentationEureka, I found it! - Special Libraries Association 2021 Presentation
Eureka, I found it! - Special Libraries Association 2021 Presentation
Access Innovations, Inc.
 
Acorn Recovery: Restore IT infra within minutes
Acorn Recovery: Restore IT infra within minutesAcorn Recovery: Restore IT infra within minutes
Acorn Recovery: Restore IT infra within minutes
IP ServerOne
 
Doctoral Symposium at the 17th IEEE International Conference on Software Test...
Doctoral Symposium at the 17th IEEE International Conference on Software Test...Doctoral Symposium at the 17th IEEE International Conference on Software Test...
Doctoral Symposium at the 17th IEEE International Conference on Software Test...
Sebastiano Panichella
 
Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...
Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...
Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...
OECD Directorate for Financial and Enterprise Affairs
 
Announcement of 18th IEEE International Conference on Software Testing, Verif...
Announcement of 18th IEEE International Conference on Software Testing, Verif...Announcement of 18th IEEE International Conference on Software Testing, Verif...
Announcement of 18th IEEE International Conference on Software Testing, Verif...
Sebastiano Panichella
 
somanykidsbutsofewfathers-140705000023-phpapp02.pptx
somanykidsbutsofewfathers-140705000023-phpapp02.pptxsomanykidsbutsofewfathers-140705000023-phpapp02.pptx
somanykidsbutsofewfathers-140705000023-phpapp02.pptx
Howard Spence
 
Obesity causes and management and associated medical conditions
Obesity causes and management and associated medical conditionsObesity causes and management and associated medical conditions
Obesity causes and management and associated medical conditions
Faculty of Medicine And Health Sciences
 
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdfBonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
khadija278284
 
International Workshop on Artificial Intelligence in Software Testing
International Workshop on Artificial Intelligence in Software TestingInternational Workshop on Artificial Intelligence in Software Testing
International Workshop on Artificial Intelligence in Software Testing
Sebastiano Panichella
 
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
Orkestra
 
Getting started with Amazon Bedrock Studio and Control Tower
Getting started with Amazon Bedrock Studio and Control TowerGetting started with Amazon Bedrock Studio and Control Tower
Getting started with Amazon Bedrock Studio and Control Tower
Vladimir Samoylov
 
Bitcoin Lightning wallet and tic-tac-toe game XOXO
Bitcoin Lightning wallet and tic-tac-toe game XOXOBitcoin Lightning wallet and tic-tac-toe game XOXO
Bitcoin Lightning wallet and tic-tac-toe game XOXO
Matjaž Lipuš
 

Recently uploaded (13)

0x01 - Newton's Third Law: Static vs. Dynamic Abusers
0x01 - Newton's Third Law:  Static vs. Dynamic Abusers0x01 - Newton's Third Law:  Static vs. Dynamic Abusers
0x01 - Newton's Third Law: Static vs. Dynamic Abusers
 
Eureka, I found it! - Special Libraries Association 2021 Presentation
Eureka, I found it! - Special Libraries Association 2021 PresentationEureka, I found it! - Special Libraries Association 2021 Presentation
Eureka, I found it! - Special Libraries Association 2021 Presentation
 
Acorn Recovery: Restore IT infra within minutes
Acorn Recovery: Restore IT infra within minutesAcorn Recovery: Restore IT infra within minutes
Acorn Recovery: Restore IT infra within minutes
 
Doctoral Symposium at the 17th IEEE International Conference on Software Test...
Doctoral Symposium at the 17th IEEE International Conference on Software Test...Doctoral Symposium at the 17th IEEE International Conference on Software Test...
Doctoral Symposium at the 17th IEEE International Conference on Software Test...
 
Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...
Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...
Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...
 
Announcement of 18th IEEE International Conference on Software Testing, Verif...
Announcement of 18th IEEE International Conference on Software Testing, Verif...Announcement of 18th IEEE International Conference on Software Testing, Verif...
Announcement of 18th IEEE International Conference on Software Testing, Verif...
 
somanykidsbutsofewfathers-140705000023-phpapp02.pptx
somanykidsbutsofewfathers-140705000023-phpapp02.pptxsomanykidsbutsofewfathers-140705000023-phpapp02.pptx
somanykidsbutsofewfathers-140705000023-phpapp02.pptx
 
Obesity causes and management and associated medical conditions
Obesity causes and management and associated medical conditionsObesity causes and management and associated medical conditions
Obesity causes and management and associated medical conditions
 
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdfBonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
 
International Workshop on Artificial Intelligence in Software Testing
International Workshop on Artificial Intelligence in Software TestingInternational Workshop on Artificial Intelligence in Software Testing
International Workshop on Artificial Intelligence in Software Testing
 
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
 
Getting started with Amazon Bedrock Studio and Control Tower
Getting started with Amazon Bedrock Studio and Control TowerGetting started with Amazon Bedrock Studio and Control Tower
Getting started with Amazon Bedrock Studio and Control Tower
 
Bitcoin Lightning wallet and tic-tac-toe game XOXO
Bitcoin Lightning wallet and tic-tac-toe game XOXOBitcoin Lightning wallet and tic-tac-toe game XOXO
Bitcoin Lightning wallet and tic-tac-toe game XOXO
 

[CB20] Explainable malicious domain diagnosis by Tsuyoshi Taniguchi

  • 1. Explainable Malicious Domain Diagnosis
CODE BLUE 2020 Track 2 (October 30th, 2020)
FUJITSU SYSTEM INTEGRATION LABORATORIES LTD., Tsuyoshi TANIGUCHI
Copyright 2020 FUJITSU SYSTEM INTEGRATION LABORATORIES LIMITED
  • 2. Tsuyoshi TANIGUCHI
◼ Fujitsu System Integration Laboratories, Researcher, Ph.D.
◼ Mar. 2008 - Hokkaido University, Ph.D. (computer science)
◼ Apr. 2008 - Researcher, FUJITSU
◼ Apr. 2016 - Researcher, FUJITSU SYSTEM INTEGRATION LABORATORIES LTD
◼ Speaker: CODE BLUE 2017 Day0 Special Track (Counter Cyber Crime Track), CODE BLUE 2018
  • 3. Research Overview
Indicator Learning (CODE BLUE 2017 Day0): learning from existing threat intel.; treasure hunting among a lot of threat intel. Technique, data: threat intelligence, contrast set mining.
Indicator Diagnosis (CODE BLUE 2018): current situation recognition (stock-taking, trend analysis); known -> unknown. Technique, data: active + passive DNS.
Explainable Malicious Domain Diagnosis (CODE BLUE 2020): proactive defense; toward "explainable" indicators; distinction of long-term targeted attacks. Technique, data: WHOIS history.
  • 4. Principle of "Explainable"
Comparison of detection viewpoints: malicious detection takes advantage of evasive behavior.
Legitimate: Registration - registered decades ago, then continually updated. Name server - stable operation of name servers.
Short-term malicious: Registration - recently registered, disposable before expiration. Name server - short-term change (Name server 1 -> Name server 2 -> ...) in a case of large-scale spam attack.
Long-term malicious: Registration - unnatural change of registrars (Registrar 1 -> Registrar 2 -> Registrar 3).
  • 5. Future Goal
◼ SOC support by explainable malicious domain diagnosis
◼ Work saving on explanation tasks when SOC operators cope with alerts
Flow: list of unknown domains -> explainable malicious domain diagnosis (learning results serve as the reasoning for the explanation) -> results of malicious detection, detection viewpoints, estimated attack types -> SOC operators -> explanation for management
  • 6. System Overview
Input for learning: legitimate domains, malicious domains for short-term attacks, malicious domains for targeted attacks. Input for diagnosis: unknown domains.
Lookup Analyzer: passive DNS via the DNSDB API (curl)
Registration Analyzer: WHOIS history via the PassiveTotal API (curl)
GeoIP Analyzer: IP geolocation via GeoLite2
Explainable Learning & Diagnosis -> Diagnosis DB (MySQL) -> Dashboard / visualization (Metabase, BI tool) via its API -> output
  • 7. Data Sources
◼ Farsight Security - DNSDB: https://www.dnsdb.info
◼ RiskIQ - PassiveTotal: https://www.riskiq.com/products/passivetotal/
◼ MaxMind - GeoLite2: https://dev.maxmind.com/geoip/geoip2/geolite2/
◼ Metabase: https://www.metabase.com/
◼ Alexa Web Information Company: https://www.alexa.com/topsites
  • 8. Differences between Registration and Lookup
Registration: the registrar submits the registration application to the registry; the zone is then served by the TLD name server and the SLD name server (ns: name server). Zone records for the example:
  example.jp IN NS ns1.example.jp
  ns1.example.jp IN A 1.2.3.4
  host1.example.jp IN A 5.6.7.8
Lookup (query): a client asks its caching DNS server, which resolves host1.example.jp to 5.6.7.8 through the TLD and SLD name servers.
Lookup is not always conducted soon after registration.
  • 9. Forensics based on Histories of Registration and Lookup
Legitimate: registration history - registration, update, update, ...; lookup history - first seen through last seen, looked up continuously.
Spam, Fast-Flux (disposable): registration history - registration, expiration; lookup history - first seen, last seen before expiration.
Brand protection: registration term of a year, two years, five years, and so on, with the domain not operated during the whole term; lookup history - first seen only after a long delay (lookup delay).
  • 10. Malicious Detection of Long-term Attacks Based on Unnatural Registration Change
Short-term: registration -> expiration; lookup history - first seen -> last seen (disposable).
Long-term: registration -> expiration -> registration (unnatural registration change) -> expiration; lookup history - first seen -> last seen.
Short-term malicious: drop catch. Not legitimate behavior: expiration.
  • 11. Demonstration
1. Can we detect malicious behavior from well-known viewpoints in cyber security for targeted attacks?
2. Do all-purpose detectable viewpoints for all malicious behavior exist?
3. Explainable malicious domain diagnosis for unknown domains
  • 12. Summary of Learning Data
◼ Targeted: three campaigns targeting Japan
◼ Short-term: famous campaigns regarding botnets, spam, ransomware
Type | Campaign | Domains | Data sources | Period
Legitimate | - | 50 | Alexa (top 50, Jun. 23rd, 2020) | -
Targeted | BlackTech | 40 | JPCERT (Mar. 1st and May 28th, 2018; Oct. 23rd, 2019; Feb. 26th, 2020), LAC (Apr. 25th, 2018) | 2012 -
Targeted | DarkHotel | 17 | OTX (May 9th, May 29th, Jun. 24th, 2019) | 2007 -
Targeted | Gamaredon | 19 | Trend Micro (Mar. 30th, 2020) | 2013 -
Short-term | Goznym | 365 | Talos Blog, Cisco (Mar. 6th, 2018) | 2016 to May 2019
Short-term | Necurs | 243 | Talos Blog, Cisco (Jan. 18th, 2018) | 2012 to (Mar. 2020)
Short-term | Cerber | 1305 | Ransomware Tracker (closed) | 2016 to Dec. 2017
Short-term | Locky | 214 | Ransomware Tracker (closed) | 2016 to 2017
  • 13. Demonstration 1
◼ Can we detect malicious behavior from well-known viewpoints in cyber security for targeted attacks?
  • 14. Can we detect malicious behavior from well-known viewpoints in cyber security for targeted attacks?
Viewpoint | Criteria | Legitimate behavior | Summary
Freshness | Registration within a year of the basis date | Registered decades ago | Short-term: concentrated on registering domains during the corresponding campaigns. Targeted: 10 to 30%
Name server | Changed more than once, and within three months per name server | Stable operation | Short-term: short-interval changes
Registrar | A particular registrar | Does not use abused registrars | Short-term: concentrated on abused registrars (The 10 Most Abused Domain Registrars by Spamhaus)
◼ -> These viewpoints rarely detect targeted attacks
  • 15. Backup Slides for Dashboard Error
  • 16. Backup Slides for Dashboard Error
  • 17. Demonstration 2
◼ Do all-purpose detectable viewpoints for all malicious behavior exist?
  • 18. Do All-purpose Detectable Viewpoints for All Malicious Behavior Exist?
Viewpoint | Citation | Explainable
Short lifetime | Exposure [Bilge et al., 2011] |
Fast-Flux | [Holz et al., 2008] |
Freshness | Predator [Hao et al., 2016] |
Name server change | Predator [Hao et al., 2016] |
Lookup delay | [Holz et al., 2008], [Hao et al., 2011] |
A particular registrar | Predator [Hao et al., 2016] |
Unnatural registration change | - |
Long lookup delay | - |
  • 19. Backup Slides for Dashboard Error
(Dashboard figure; labels: particular registrar, short lifetime, lookup delay, Fast Flux, freshness, name server change, before expiration, after dormant, long lookup delay)
  • 20. Do All-purpose Detectable Viewpoints for All Malicious Behavior Exist?
Viewpoint | Citation | Explainable
Short lifetime | Exposure [Bilge et al., 2011] | Short term
Fast-Flux | [Holz et al., 2008] | Short term
Freshness | Predator [Hao et al., 2016] | Short term
Name server change | Predator [Hao et al., 2016] | Short term
Lookup delay | [Holz et al., 2008], [Hao et al., 2011] | Short term
A particular registrar | Predator [Hao et al., 2016] | Short term
Unnatural registration change | - | Long term
Long lookup delay | - | Long term
◼ -> No cure-all, but the viewpoints can distinguish short-term from long-term attacks
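The viewpoints of slides 9, 10, 14 and 20 can be computed directly from a series of WHOIS history snapshots and the first/last seen dates of passive DNS. The following Python is an added example written for this page, not the Fujitsu system's code: the data classes, every threshold except the two the slides fix (a year for freshness, three months per name server), the abused-registrar names, the passive DNS coverage start and the three sample histories are assumptions or constructed samples. The function returns a verdict together with the evidence that produced it, which is the explainable part a SOC operator needs.

```python
"""Explainable diagnosis of one domain from WHOIS history and passive DNS.
Added example for this page; not the Fujitsu system's implementation."""
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class WhoisSnapshot:
    observed: date        # capture date of this WHOIS history record
    created: date         # registration (creation) date it reports
    expires: date         # expiration date it reports
    registrar: str
    name_servers: tuple   # e.g. ("ns1.example.jp", "ns2.example.jp")

@dataclass(frozen=True)
class Lookup:
    first_seen: "date | None"   # earliest passive DNS observation
    last_seen: "date | None"    # latest passive DNS observation

# Stand-in for an abused-registrar list (slide 14 cites the Spamhaus "10 Most
# Abused Domain Registrars"); these registrar names are constructed.
ABUSED_REGISTRARS = frozenset({"cheap-registrar-a", "cheap-registrar-b"})
FRESH_DAYS = 365         # slide 14: registered within a year of the basis date
NS_SHORT_DAYS = 90       # slide 14: a name-server set kept under three months
SHORT_DELAY_DAYS = 7     # assumed: first lookup within a week of registration
LONG_DELAY_DAYS = 365    # assumed: first lookup over a year after registration
DORMANT_DAYS = 90        # assumed: no lookups for 90 days while still registered
REGISTRAR_TRANSFERS = 2  # assumed: two or more registrar changes is unnatural

def diagnose(history, lookup, basis, pdns_start=date(2010, 6, 1)):
    """Return {"verdict", "short_term", "long_term"} for one domain. basis is the
    freshness reference date (slide 14). pdns_start is the assumed start of passive
    DNS coverage: a first_seen on or before it only marks when collection began,
    so the lookup delay is not scored in that case."""
    snaps = sorted(history, key=lambda s: s.observed)
    latest = snaps[-1]
    short, long_ = [], []
    # Freshness (short-term): campaign domains are registered just before use.
    if (basis - latest.created).days <= FRESH_DAYS:
        short.append(f"freshness: registered {latest.created}, within a year of {basis}")
    # Name-server change (short-term): changed more than once, and at least one
    # name-server set was in use for less than three months.
    starts = []                                   # (name_servers, first observed)
    for s in snaps:
        if not starts or starts[-1][0] != s.name_servers:
            starts.append((s.name_servers, s.observed))
    tenures = [(b[1] - a[1]).days for a, b in zip(starts, starts[1:])]
    if len(tenures) > 1 and min(tenures) < NS_SHORT_DAYS:
        short.append(f"name server: changed {len(tenures)} times, shortest tenure {min(tenures)} days")
    # Particular registrar (short-term).
    if latest.registrar in ABUSED_REGISTRARS:
        short.append(f"registrar: {latest.registrar} is on the abused-registrar list")
    # Lookup delay, earliest known registration to first lookup: short = short-term, long = long-term.
    first_created = min(s.created for s in snaps)
    if lookup.first_seen is not None and lookup.first_seen > pdns_start:
        delay = (lookup.first_seen - first_created).days
        if delay <= SHORT_DELAY_DAYS:
            short.append(f"lookup delay: first seen {delay} days after registration")
        elif delay >= LONG_DELAY_DAYS:
            long_.append(f"long lookup delay: dormant {delay} days before first lookup")
    # Disposable (short-term): lookups stop long before the registration term ends.
    if lookup.last_seen is not None:
        dormant = (min(latest.expires, basis) - lookup.last_seen).days
        if dormant >= DORMANT_DAYS:
            short.append(f"disposable: no lookups for {dormant} days before expiration")
    # Unnatural registration change (long-term, slide 10): a later record reports a
    # newer creation date, i.e. the domain expired and was re-registered (drop catch).
    rereg = [(a.created, b.created) for a, b in zip(snaps, snaps[1:]) if b.created > a.created]
    if rereg:
        long_.append(f"registration change: expired after {rereg[0][0]}, re-registered {rereg[0][1]}")
    # Registrar transfers (long-term, slide 4): unnatural change of registrars.
    transfers = sum(a.registrar != b.registrar for a, b in zip(snaps, snaps[1:]))
    if transfers >= REGISTRAR_TRANSFERS:
        long_.append(f"registrar change: {transfers} transfers, now {latest.registrar}")
    kinds = [k for k, ev in (("short-term", short), ("long-term", long_)) if ev]
    verdict = " and ".join(kinds) + " malicious" if kinds else "no finding"  # not proof of legitimacy
    return {"verdict": verdict, "short_term": short, "long_term": long_}

# Constructed sample histories (domains, registrars and dates are not real data).
BASIS = date(2020, 10, 16)
NS_LEGIT = ("ns1.legit.example", "ns2.legit.example")
LEGIT = [WhoisSnapshot(date(y, 1, 1), date(2001, 3, 5), date(y + 1, 3, 5), "registrar-x", NS_LEGIT)
         for y in (2010, 2015, 2020)]
LEGIT_LOOKUP = Lookup(date(2010, 6, 1), date(2020, 10, 10))   # first seen = coverage start
SPAM = [WhoisSnapshot(d, date(2020, 3, 2), date(2021, 3, 2), "cheap-registrar-a", (f"ns1.flux-{c}.example",))
        for d, c in ((date(2020, 3, 4), "a"), (date(2020, 3, 20), "b"),
                     (date(2020, 4, 10), "c"), (date(2020, 5, 2), "d"))]
SPAM_LOOKUP = Lookup(date(2020, 3, 3), date(2020, 5, 20))
TARGETED = [
    WhoisSnapshot(date(2012, 1, 10), date(2009, 4, 1), date(2013, 4, 1), "registrar-x", ("ns1.host-one.example",)),
    WhoisSnapshot(date(2014, 2, 1), date(2013, 11, 20), date(2014, 11, 20), "registrar-y", ("ns1.host-two.example",)),
    WhoisSnapshot(date(2016, 3, 1), date(2013, 11, 20), date(2017, 11, 20), "registrar-z", ("ns1.host-two.example",)),
    WhoisSnapshot(date(2020, 6, 1), date(2013, 11, 20), date(2021, 11, 20), "registrar-z", ("ns1.host-two.example",)),
]
TARGETED_LOOKUP = Lookup(date(2014, 5, 10), date(2020, 10, 12))

if __name__ == "__main__":
    for hist, look in ((LEGIT, LEGIT_LOOKUP), (SPAM, SPAM_LOOKUP), (TARGETED, TARGETED_LOOKUP)):
        print(diagnose(hist, look, BASIS))
```

Two caveats matter in practice. A first_seen that coincides with the start of passive DNS collection says nothing about the real lookup delay, so the sample legitimate domain is not scored on it; without that guard every domain older than the sensors would show a "long lookup delay". And "no finding" only means that none of the viewpoints fired, which is the point of slide 20: no single viewpoint is a cure-all, so the result is reported with its evidence rather than as a legitimacy verdict.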
  • 21. Demonstration 3 ◼ Explainable malicious domain diagnosis for unknown domains Copy right 2020 FUJITSU SYSTEM INTEGRATION LABORATORIES LIMITED20
  • 22. Analysis of tokyo2020 Typosquatting Domains ◼ Theme: social contribution toward smooth operation of Olympic ◼ The Tokyo Organising Committee of the Olympic and Paralympic Games and JC3 (Japan Cybercrime Control Center) struggle to realize smooth operation of Olympic against cyber threat. ◼ Fujitsu support JC3 as a member company. ◼ Aoki who cooperate with JC3 and Shimizu provide me with tokyo2020 typosquatting domains from their system as Fujitsu activity ◼ Special thanks to FUJITSU SOCIAL SCIENCE LABORATORY Taichi Aoki and Satoru Shimizu ◼ tokyo2020 similar domains: 2385 ◼ Evaluation targets: 474 ◼ 190 Similar domains related to IDN homograph attack: not applicable ◼ 1721 WHOIS histories (.fm, .la, .ph, .vg, .ws, DGA behavior): not available Copy right 2020 FUJITSU SYSTEM INTEGRATION LABORATORIES LIMITED21
  • 23. tokyo2020 Similar Domain Analysis by Tatsuya Mori Laboratory ◼ Survey analysis regarding similardomains related to Tokyo Olympic Official Site ◼ https://nsl.cs.waseda.ac.jp/tokyo2020/ ◼ Similardomains: 956 (As of Jun. 2019) ◼ Extract domains with “tokyo””2020” string from 1358 TLD in domainlists.io ◼ Most of domains were related to “domain parking” service, others were legitimate services ◼ It is difficult to judge official sites or careful domains even if specialists analyze based on string analysis ◼ “typosquatting” and IDN homograph attack: not applicable ◼ Our target: “typosquatting” similar domains Copy right 2020 FUJITSU SYSTEM INTEGRATION LABORATORIES LIMITED22
  • 24. Backup Slides for Dashboard Error
  • 25. Backup Slides for Dashboard Error
    [Figure: registration timeline; labels "Tokyo Olympic: decided to be held" and "Long-term operation before Tokyo Olympic decision"]
  • 26. Long-Term Similar Domains
    ◼ 2020.xxx, 020.xxx, 20.xxx (xxx: TLD)
    ◼ Generate similar domains as subdomains
    ◼ Ex: 2020.cz -> tokyo.2020.cz, 020.us -> tokyo2.020.us
    Domain      Registration year
    2020.biz    2002
    020.biz     2002
    2020.cz     1997
    2020.in     2005
    2020.info   2001
    2020.pl     2006
    2020.us     2002
    020.us      2004
    020.org     2003
    020.se      2006
    20.cl       2005
    20.cn       2003
    20.com      1995
    20.fr       2004
    20.hk       2006
    20.kz       2006
    20.ms       1999
    20.net      1999
    20.org      1998
    20.pl       2001
    20.st       2001
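The slide above describes look-alikes of tokyo2020 that are spelled as a subdomain of a short registered domain (2020.xxx, 020.xxx, 20.xxx). The following Python is an added example written for this page, not code from the talk or from Fujitsu: it derives the host label that turns such a registered domain into a look-alike, lists every registered label under which the target string could be split this way (generalizing the three labels on the slide to all split positions), and filters a batch of observed hostnames down to the "dotted" look-alikes so a SOC can spot them in resolver logs. The function names and the sample hostnames are assumptions constructed for the example.

```python
# Added example (not from the slides): working with "dotted" look-alikes of a
# target string such as tokyo2020 that are spelled as subdomains of short
# registered domains (2020.xxx, 020.xxx, 20.xxx). Function names and the
# sample hostnames below are assumptions constructed for this example.
from typing import Iterable, List, Optional

TARGET = "tokyo2020"


def watch_labels(target: str) -> List[str]:
    """Every proper suffix of target is a registered-domain label under which a
    subdomain could spell target with one dot inserted (2020, 020, 20, ...).
    This generalizes the three labels on the slide to all split positions."""
    return [target[i:] for i in range(1, len(target))]


def lookalike_prefix(registered_domain: str, target: str) -> Optional[str]:
    """Host label that, prepended to registered_domain, spells target once the
    dot is removed: 2020.cz -> 'tokyo'. None if the registered label is not a
    proper suffix of target."""
    label, _, tld = registered_domain.lower().partition(".")
    if not tld or not label or label == target or not target.endswith(label):
        return None
    return target[: -len(label)]


def build_lookalike(registered_domain: str, target: str) -> Optional[str]:
    """2020.cz -> tokyo.2020.cz, 020.us -> tokyo2.020.us, 20.cl -> tokyo20.20.cl."""
    prefix = lookalike_prefix(registered_domain, target)
    return None if prefix is None else f"{prefix}.{registered_domain.lower()}"


def is_dotted_lookalike(hostname: str, target: str) -> bool:
    """True when joining all labels left of the TLD (after dropping a leading
    'www.') reproduces target, i.e. the name differs from target.tld only by
    inserted dots. An exact tokyo2020.tld is not 'dotted' and returns False."""
    host = hostname.rstrip(".").lower()
    if host.startswith("www."):
        host = host[4:]
    labels = host.split(".")
    if len(labels) < 3:  # need at least prefix.label.tld
        return False
    return "".join(labels[:-1]) == target


def scan_hostnames(hostnames: Iterable[str], target: str = TARGET) -> List[str]:
    """Filter observed hostnames (e.g. from resolver logs) down to the dotted
    look-alikes of target, normalized, de-duplicated and sorted."""
    return sorted(
        {h.rstrip(".").lower() for h in hostnames if is_dotted_lookalike(h, target)}
    )


# Constructed sample of resolver-log hostnames (not real observations).
SAMPLE_HOSTNAMES = [
    "tokyo.2020.info.", "www.tokyo20.20.com", "yahoo.20.com", "10.20.com",
    "tokyo2020.jp", "TOKYO2.020.us", "mail.example.org", "tokyo.2020.info",
]

if __name__ == "__main__":
    for reg in ("2020.cz", "020.us", "20.cl", "2021.cz"):
        print(reg, "->", build_lookalike(reg, TARGET))
    print(watch_labels(TARGET))
    print(scan_hostnames(SAMPLE_HOSTNAMES))
```

`watch_labels` is the list a defender would hand to a registration-monitoring feed: any newly registered `<label>.<tld>` whose label appears there can carry a look-alike as a subdomain without any typosquatting string ever being registered, which is exactly why the slide's long-term domains show no clue of operation in WHOIS.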
  • 27. In-depth Analysis of Long-Term Similar Domains
    ◼ Most of the similar domains have not operated yet (as of Oct. 16th)
    ◼ dig, lookup history based on Passive DNS, subdomains from VirusTotal
    Similar domain       dig   Passive DNS   subdomains
    tokyo.2020.biz       ○     ×             1
    tokyo2.020.biz       ○     ×             0
    tokyo.2020.cz        ○     ×             1
    tokyo.2020.in        ○     ×             2
    tokyo.2020.info      ○     ×             3
    tokyo.2020.pl        ○     ×             6
    tokyo.2020.us        ○     ×             3
    tokyo2.020.us        ○     ×             2
    tokyo2.020.org       ○     ○             0
    tokyo2.020.se        ○     ×             0
    tokyo20.20.cl        ○     ×             2
    tokyo20.20.cn        ○     ×             8
    tokyo20.20.com       ○     ○             62
    tokyo20.20.fr        ○     ×             31
    tokyo20.20.hk        ○     ×             2
    tokyo20.20.kz        ○     ×             2
    tokyo20.20.ms        ○     ×             3
    tokyo20.20.net       ○     ×             41
    tokyo20.20.org       ○     ×             24
    tokyo20.20.pl        ○     ×             8
    tokyo20.20.st        ○     ×             3
  • 28. In-depth Analysis: tokyo20.20.com
    ◼ VirusTotal https://www.virustotal.com/gui/domain/tokyo20.20.com/relations
    ◼ The following subdomains, including tokyo20.20.com, were mapped to 39.108.146[.]115
    ◼ Targets of domain parking were not only tokyo2020 but also other strings
    10.10.1.20.com, 10.20.com, 10.212.31.20.com, 10.216.219.20.com, 11.20.com, 162.20.com, 163.20.com, 192.168.0.20.com, 27.20.com, 4.20.com, 67.220.91.20.com, aka.20.com, corp.20.com, cvpr.20.com, hotmail.20.com, likes.20.com, miniclipplayers2.20.com, mobile.20.com, msn.20.com, myspace.20.com, nuha.20.com, nusha.20.com, ol.20.com, publixcorona20.20.com, qq.20.com, rbicompaudio.20.com, shahthealone.20.com, shop.20.com, smtp.20.com, technet.20.com, theclose.20.com, tiscaly.20.com, vip.20.com, www.10.0.0.20.com, www.10.238.228.20.com, www.118.69.210.20.com, www.121.184.168.20.com, www.160.219.3.20.com, www.172.16.0.20.com, www.172.16.1.20.com, www.172.31.50.20.com, www.192.168.1.20.com, www.192.168.10.20.com, www.192.168.2.20.com, www.192.168.20.20.com, www.192.168.6.20.com, www.201.78.2.20.com, www.50.100.30.20.com, www.bva20.20.com, www.hackchi2.20.com, www.ladies.20.com, yahoo.20.com, yahoo.com.20.com, ycc.20.com, z.20.com
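The slide above shows why a passive DNS hit for tokyo20.20.com is weak evidence on its own: dozens of unrelated labels under 20.com, several of them private IP addresses, resolved to the same address, which is the signature of a parking or catch-all zone. The following Python is an added example written for this page, not code from the talk or from Fujitsu: it turns that observation into a reusable indicator over passive-DNS-style (hostname, ip) records, reporting (registered domain, ip) pairs where many distinct names share one address and counting how many of those names carry an embedded IP address. The function names, the naive registered-domain split (last two labels, no public-suffix list), the sample records and the placeholder address 192.0.2.10 are assumptions made for this example.

```python
# Added example (not from the slides): a catch-all / parking indicator over
# passive-DNS-style (hostname, ip) records, following the slide's observation
# that many unrelated subdomains of 20.com resolved to one address. Function
# names, the naive registered-domain split and the sample data are assumptions.
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Subdomain parts that themselves look like an IPv4 address or prefix (192.168.1).
IP_LIKE = re.compile(r"^(\d{1,3}\.){2,3}\d{1,3}$")


def registered_domain(hostname: str) -> str:
    """Naive split: the last two labels. Real tooling should consult a
    public-suffix list so that e.g. co.uk is handled correctly (assumption)."""
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def subdomain_part(hostname: str, reg: str) -> str:
    """Labels left of the registered domain, with a leading 'www.' removed."""
    host = hostname.rstrip(".").lower()
    sub = host[: -len(reg) - 1] if host.endswith("." + reg) else ""
    return sub[4:] if sub.startswith("www.") else sub


def group_by_ip(records: Iterable[Tuple[str, str]]) -> Dict[Tuple[str, str], Set[str]]:
    """Map (registered domain, ip) -> distinct hostnames seen resolving there."""
    groups: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for host, ip in records:
        host = host.rstrip(".").lower()
        groups[(registered_domain(host), ip)].add(host)
    return groups


def catch_all_indicator(
    records: Iterable[Tuple[str, str]], min_hosts: int = 10
) -> List[Tuple[str, str, int, int]]:
    """Return (registered domain, ip, distinct host count, count of hosts whose
    subdomain part looks like an IP address) for every (domain, ip) pair where
    at least min_hosts distinct names share one address. Embedded-IP names are
    a strong hint that the zone answers for any label, so a single look-alike
    such as tokyo20.20.com in passive DNS is not by itself evidence that the
    name was deliberately created."""
    out = []
    for (reg, ip), hosts in group_by_ip(records).items():
        if len(hosts) < min_hosts:
            continue
        ip_like = sum(1 for h in hosts if IP_LIKE.match(subdomain_part(h, reg)))
        out.append((reg, ip, len(hosts), ip_like))
    return sorted(out)


# Constructed sample: hostnames taken from the slide, mapped to a placeholder
# documentation address (192.0.2.10) rather than the real one, plus a small
# ordinary zone for contrast. Not real passive DNS data.
SAMPLE_RECORDS = [
    ("10.10.1.20.com", "192.0.2.10"), ("www.192.168.1.20.com", "192.0.2.10"),
    ("yahoo.20.com", "192.0.2.10"), ("msn.20.com", "192.0.2.10"),
    ("hotmail.20.com", "192.0.2.10"), ("www.10.0.0.20.com", "192.0.2.10"),
    ("smtp.20.com", "192.0.2.10"), ("corp.20.com", "192.0.2.10"),
    ("shop.20.com", "192.0.2.10"), ("tokyo20.20.com", "192.0.2.10"),
    ("www.172.16.0.20.com", "192.0.2.10"),
    ("www.example.org", "192.0.2.20"), ("mail.example.org", "192.0.2.21"),
]

if __name__ == "__main__":
    for reg, ip, n_hosts, n_ip_like in catch_all_indicator(SAMPLE_RECORDS):
        print(f"{reg} -> {ip}: {n_hosts} distinct names, {n_ip_like} embed an IP address")
```

In a diagnosis workflow this runs before the per-domain table on the previous slide is interpreted: a look-alike whose registered domain trips the indicator is a parking candidate rather than an operated attack domain, and its subdomain count says more about the parking provider than about the adversary.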
  • 29. Conclusion
    ◼ Explainable Malicious Domain Diagnosis
    ◼ For unknown domains, it can explain detection viewpoints connected with attack types; in principle, it takes advantage of evasive behavior by advanced adversaries
    ◼ Demonstration: tokyo2020 similar domains
    ◼ Short-term: registration increase after the Tokyo Olympic decision
    ◼ Long-term 2020.xxx, 020.xxx, 20.xxx (xxx: TLD): no clues of operation -> be careful
  • 31. Previous Studies
    [Figure: timeline of DNS Lookup and DNS Registration studies, 2005-2020; our contributions marked]
    2005 Passive DNS
    2008 Fast-Flux Observation
    2010 Notos
    2010 Proactive Domain Blacklisting
    2011 Exposure
    2011 Kopis
    2011 Initial DNS Behavior
    2014 Phoenix (for DGA)
    2016 Active DNS
    2016 Predator
    2018 Indicator Diagnosis (our contribution)
    2020 Explainable Diagnosis (our contribution)
  • 32. Citation
    ◼ Holz, Thorsten, et al. "Measuring and Detecting Fast-Flux Service Networks." NDSS. 2008.
    ◼ Nazario, Jose, and Thorsten Holz. "As the net churns: Fast-flux botnet observations." 2008 3rd International Conference on Malicious and Unwanted Software (MALWARE). IEEE, 2008.
    ◼ Weimer, Florian. "Passive DNS replication." FIRST conference on computer security incident. 2005.
    ◼ Antonakakis, Manos, et al. "Building a dynamic reputation system for DNS." USENIX Security Symposium. 2010.
    ◼ Bilge, Leyla, et al. "EXPOSURE: Finding Malicious Domains Using Passive DNS Analysis." NDSS. 2011.
    ◼ Felegyhazi, Mark, Christian Kreibich, and Vern Paxson. "On the Potential of Proactive Domain Blacklisting." LEET 10 (2010): 6-6.
    ◼ Hao, Shuang, Nick Feamster, and Ramakant Pandrangi. "Monitoring the initial DNS behavior of malicious domains." Proceedings of the 2011 ACM SIGCOMM conference on Internet measurement conference. 2011.
    ◼ Hao, Shuang, et al. "PREDATOR: proactive recognition and elimination of domain abuse at time-of-registration." Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. 2016.
  • 33. Citation: Threat Intel.
    ◼ OTX Pulse, Continued DarkHotel Activity, May 9th, 2019.
    ◼ OTX Pulse, Continued Activity by DarkHotel, May 29th, 2019.
    ◼ OTX Pulse, DarkHotel disclosed the latest attack on Chinese foreign trade, Jun. 24th, 2019.
    ◼ JPCERT, TSCookie, https://blogs.jpcert.or.jp/ja/2018/03/tscookie.html, Mar. 1st, 2018.
    ◼ LAC, "BlackTech", "PLEAD", https://www.lac.co.jp/lacwatch/people/20180425_001625.html, Apr. 25th, 2018.
    ◼ JPCERT, BlackTech, PLEAD, https://blogs.jpcert.or.jp/ja/2018/05/linopid.html, May 28th, 2018.
    ◼ JPCERT, BlackTech, IconDown, https://blogs.jpcert.or.jp/ja/2019/10/IconDown.html, Oct. 23rd, 2019.
    ◼ JPCERT, BlackTech (ELF_TSCookie), https://blogs.jpcert.or.jp/ja/2020/02/elf_tscookie.html, Feb. 26th, 2020.
    ◼ Trend Micro, Gamaredon, https://blog.trendmicro.co.jp/archives/24285
    ◼ Talos Blog, Cisco, Gozi ISFB Remains Active in 2018, Leverages "Dark Cloud" Botnet For Distribution, https://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html, Mar. 6th, 2018.
    ◼ Talos Blog, Cisco, The Many Tentacles of the Necurs Botnet, https://blog.talosintelligence.com/2018/01/the-many-tentacles-of-necurs-botnet.html, Jan. 18th, 2018.