SlideShare a Scribd company logo

Malicious Client Detection using Machine learning

Download as PPTX, PDF
C
Cysinfo Cyber Security Community

Malicious Client Detection using Machine learning

Technology
1 of 16
Malicious Client Detection using machine learning SATYAM SAXENA
Threats •There are many types of malware for all types of devices and operating systems •Most if not all malware relies on a support system – command and control infrastructure •Bad guys use DNS to scale and hide their C&C infrastructure •Bad guys use DNS for C&C to bypass corporate security (tunneling) •Bad guys use cloud providers to roll out, scale, manage and quickly move their C&C Infrastructure Without reliance on any particular end point operation system or configuration, we can use big data analytics on network data to detect malware.
Malware use of DNS rndruppbakyokv[.]com 1.2.3.4 Command and Control Infrastructure Communication Chanel with C&C is established. Compromised device receives updates, instructions, targets. DNS Server DNS Server End point device
Raw pDNS Domain Name classifier DNS Resolver classifier Device Behavior classifier Compromised Device (Security Event) classifier Malicious Domains Malicious Resolvers Behavior Anomalies Machine Learning Pipeline DGA Network Time Tunnel Network Time Network Time
Architecture
DGA Model • Detect Randomly generated domains in the pDNS data. • Model is trained on 6 categories of malware families like zeus, tinba, pushdo, etc. • 29 features extracted from the domain. • 29 features dimensionally reduced to 16 features using PCA. • Those reduced features set is then used to train a GBM classifier.
Domain Features Common Letter Score Entropy
Domain Features(2) Length of largest meaningful string Mean length of dictionary words
DGA Features
DGA Classification Performance Overall model performance (Random Forrest) Metric Performance Accuracy 98.738% Precision 99.288% Recall 98.181% AUC 99.801% Performance per malware family Malware Family % Detection Conflicker 86.309% Cryptolocker 98.348% Pushdo 95.515% Ramdo 99.823% Tinba 96.715% Zeus 100.0%
Network Model • Using WHOIS record to find if a domain is malicious or benign. • WHOIS record contains very rich information about a domain. • Age based features. • Registration Features.
Network Features – Whois Server Malicious Domains Benign Domains
Network Features – creation Date
Network Model Performance • Final Set of features :- creation Date, update Date, expiration Date,admin country, registrant country, tech country, status, whois server Metric Performance Error 0.00450864127 Area Under Curve 0.96615884041
Compromised Client Detection Hadoop HDFS Spark Compute IP DGA WHOIS NX SERVER ip1 #10 #3 #4 #5 Ip2 #8 #1 #2 #3 ip3 #5 #2 #0 #0 ip4 #3 #3 #0 #0 pDNS Data Group By
Thank You

Recommended

Fingerprinting healthcare institutions
Fingerprinting healthcare institutionsFingerprinting healthcare institutions
Fingerprinting healthcare institutionssecurityxploded
 
Malicious Client Detection Using Machine Learning
Malicious Client Detection Using Machine LearningMalicious Client Detection Using Machine Learning
Malicious Client Detection Using Machine Learningsecurityxploded
 
Port of seattle security presentation david morris
Port of seattle security presentation david morrisPort of seattle security presentation david morris
Port of seattle security presentation david morrisEmily2014
 
Basic Dynamic Analysis of Malware
Basic Dynamic Analysis of MalwareBasic Dynamic Analysis of Malware
Basic Dynamic Analysis of MalwareNatraj G
 
Nessus-Vulnerability Tester
Nessus-Vulnerability TesterNessus-Vulnerability Tester
Nessus-Vulnerability TesterAditya Jain
 
VULNERABILITY ( CYBER SECURITY )
VULNERABILITY ( CYBER SECURITY )VULNERABILITY ( CYBER SECURITY )
VULNERABILITY ( CYBER SECURITY )Kashyap Mandaliya
 
Malware forensics
Malware forensicsMalware forensics
Malware forensicsSameera Amjad
 
Reducing Your Attack Surface
Reducing Your Attack SurfaceReducing Your Attack Surface
Reducing Your Attack SurfaceAlert Logic
 

Recommended

Fingerprinting healthcare institutions
Fingerprinting healthcare institutionsFingerprinting healthcare institutions
Fingerprinting healthcare institutionssecurityxploded
 
Malicious Client Detection Using Machine Learning
Malicious Client Detection Using Machine LearningMalicious Client Detection Using Machine Learning
Malicious Client Detection Using Machine Learningsecurityxploded
 
Port of seattle security presentation david morris
Port of seattle security presentation david morrisPort of seattle security presentation david morris
Port of seattle security presentation david morrisEmily2014
 
Basic Dynamic Analysis of Malware
Basic Dynamic Analysis of MalwareBasic Dynamic Analysis of Malware
Basic Dynamic Analysis of MalwareNatraj G
 
Nessus-Vulnerability Tester
Nessus-Vulnerability TesterNessus-Vulnerability Tester
Nessus-Vulnerability TesterAditya Jain
 
VULNERABILITY ( CYBER SECURITY )
VULNERABILITY ( CYBER SECURITY )VULNERABILITY ( CYBER SECURITY )
VULNERABILITY ( CYBER SECURITY )Kashyap Mandaliya
 
Malware forensics
Malware forensicsMalware forensics
Malware forensicsSameera Amjad
 
Reducing Your Attack Surface
Reducing Your Attack SurfaceReducing Your Attack Surface
Reducing Your Attack SurfaceAlert Logic
 
Penetration testing, What’s this?
Penetration testing, What’s this?Penetration testing, What’s this?
Penetration testing, What’s this?Dmitry Evteev
 
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...BlueHat Security Conference
 
Malware analysis
Malware analysisMalware analysis
Malware analysisPrakashchand Suthar
 
Hunting on the Cheap
Hunting on the CheapHunting on the Cheap
Hunting on the CheapEndgameInc
 
Integrated Tools in OSSIM
Integrated Tools in OSSIMIntegrated Tools in OSSIM
Integrated Tools in OSSIMAlienVault
 
Web backdoors attacks, evasion, detection
Web backdoors attacks, evasion, detectionWeb backdoors attacks, evasion, detection
Web backdoors attacks, evasion, detectionn|u - The Open Security Community
 
Security Implications of the Cloud - CSS Dallas Azure
Security Implications of the Cloud - CSS Dallas AzureSecurity Implications of the Cloud - CSS Dallas Azure
Security Implications of the Cloud - CSS Dallas AzureAlert Logic
 
Windows network
Windows networkWindows network
Windows networkJithesh Nair
 
Malware collection and analysis
Malware collection and analysisMalware collection and analysis
Malware collection and analysisChong-Kuan Chen
 
CAS MAA Infographic
CAS MAA InfographicCAS MAA Infographic
CAS MAA InfographicBlue Coat
 
Extracting the Malware Signal from Internet Noise
Extracting the Malware Signal from Internet NoiseExtracting the Malware Signal from Internet Noise
Extracting the Malware Signal from Internet NoiseAshwini Almad
 
Spice world 2014 hacker smackdown
Spice world 2014 hacker smackdown Spice world 2014 hacker smackdown
Spice world 2014 hacker smackdown AlienVault
 
Whats New in OSSIM v2.2?
Whats New in OSSIM v2.2?Whats New in OSSIM v2.2?
Whats New in OSSIM v2.2?AlienVault
 
Security Implications of the Cloud
Security Implications of the CloudSecurity Implications of the Cloud
Security Implications of the CloudAlert Logic
 
NETWORK PENETRATION TESTING
NETWORK PENETRATION TESTINGNETWORK PENETRATION TESTING
NETWORK PENETRATION TESTINGEr Vivek Rana
 
Ccna sec 01
Ccna sec 01Ccna sec 01
Ccna sec 01EduclentMegasoftel
 
Technical track kevin cardwell-10-00 am-solid-defense
Technical track kevin cardwell-10-00 am-solid-defenseTechnical track kevin cardwell-10-00 am-solid-defense
Technical track kevin cardwell-10-00 am-solid-defenseISSA LA
 
Hunt down the evil of your infrastructure
Hunt down the evil of your infrastructureHunt down the evil of your infrastructure
Hunt down the evil of your infrastructureBangladesh Network Operators Group
 
Advanced Threat Protection Lifecycle Infographic
Advanced Threat Protection Lifecycle InfographicAdvanced Threat Protection Lifecycle Infographic
Advanced Threat Protection Lifecycle InfographicBlue Coat
 
DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101dc612
 
Breaking into hospitals
Breaking into hospitalsBreaking into hospitals
Breaking into hospitalsCysinfo Cyber Security Community
 
Automating malware analysis
Automating malware analysis Automating malware analysis
Automating malware analysis Cysinfo Cyber Security Community
 

More Related Content

What's hot

Penetration testing, What’s this?
Penetration testing, What’s this?Penetration testing, What’s this?
Penetration testing, What’s this?Dmitry Evteev
 
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...BlueHat Security Conference
 
Hunting on the Cheap
Hunting on the CheapHunting on the Cheap
Hunting on the CheapEndgameInc
 
Integrated Tools in OSSIM
Integrated Tools in OSSIMIntegrated Tools in OSSIM
Integrated Tools in OSSIMAlienVault
 
Security Implications of the Cloud - CSS Dallas Azure
Security Implications of the Cloud - CSS Dallas AzureSecurity Implications of the Cloud - CSS Dallas Azure
Security Implications of the Cloud - CSS Dallas AzureAlert Logic
 
Malware collection and analysis
Malware collection and analysisMalware collection and analysis
Malware collection and analysisChong-Kuan Chen
 
CAS MAA Infographic
CAS MAA InfographicCAS MAA Infographic
CAS MAA InfographicBlue Coat
 
Extracting the Malware Signal from Internet Noise
Extracting the Malware Signal from Internet NoiseExtracting the Malware Signal from Internet Noise
Extracting the Malware Signal from Internet NoiseAshwini Almad
 
Spice world 2014 hacker smackdown
Spice world 2014 hacker smackdown Spice world 2014 hacker smackdown
Spice world 2014 hacker smackdown AlienVault
 
Whats New in OSSIM v2.2?
Whats New in OSSIM v2.2?Whats New in OSSIM v2.2?
Whats New in OSSIM v2.2?AlienVault
 
Security Implications of the Cloud
Security Implications of the CloudSecurity Implications of the Cloud
Security Implications of the CloudAlert Logic
 
NETWORK PENETRATION TESTING
NETWORK PENETRATION TESTINGNETWORK PENETRATION TESTING
NETWORK PENETRATION TESTINGEr Vivek Rana
 
Technical track kevin cardwell-10-00 am-solid-defense
Technical track kevin cardwell-10-00 am-solid-defenseTechnical track kevin cardwell-10-00 am-solid-defense
Technical track kevin cardwell-10-00 am-solid-defenseISSA LA
 
Advanced Threat Protection Lifecycle Infographic
Advanced Threat Protection Lifecycle InfographicAdvanced Threat Protection Lifecycle Infographic
Advanced Threat Protection Lifecycle InfographicBlue Coat
 
DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101dc612
 

What's hot (20)

Penetration testing, What’s this?
Penetration testing, What’s this?Penetration testing, What’s this?
Penetration testing, What’s this?
 
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
 
Malware analysis
Malware analysisMalware analysis
Malware analysis
 
Hunting on the Cheap
Hunting on the CheapHunting on the Cheap
Hunting on the Cheap
 
Integrated Tools in OSSIM
Integrated Tools in OSSIMIntegrated Tools in OSSIM
Integrated Tools in OSSIM
 
Web backdoors attacks, evasion, detection
Web backdoors attacks, evasion, detectionWeb backdoors attacks, evasion, detection
Web backdoors attacks, evasion, detection
 
Security Implications of the Cloud - CSS Dallas Azure
Security Implications of the Cloud - CSS Dallas AzureSecurity Implications of the Cloud - CSS Dallas Azure
Security Implications of the Cloud - CSS Dallas Azure
 
Windows network
Windows networkWindows network
Windows network
 
Malware collection and analysis
Malware collection and analysisMalware collection and analysis
Malware collection and analysis
 
CAS MAA Infographic
CAS MAA InfographicCAS MAA Infographic
CAS MAA Infographic
 
Extracting the Malware Signal from Internet Noise
Extracting the Malware Signal from Internet NoiseExtracting the Malware Signal from Internet Noise
Extracting the Malware Signal from Internet Noise
 
Spice world 2014 hacker smackdown
Spice world 2014 hacker smackdown Spice world 2014 hacker smackdown
Spice world 2014 hacker smackdown
 
Whats New in OSSIM v2.2?
Whats New in OSSIM v2.2?Whats New in OSSIM v2.2?
Whats New in OSSIM v2.2?
 
Security Implications of the Cloud
Security Implications of the CloudSecurity Implications of the Cloud
Security Implications of the Cloud
 
NETWORK PENETRATION TESTING
NETWORK PENETRATION TESTINGNETWORK PENETRATION TESTING
NETWORK PENETRATION TESTING
 
Ccna sec 01
Ccna sec 01Ccna sec 01
Ccna sec 01
 
Technical track kevin cardwell-10-00 am-solid-defense
Technical track kevin cardwell-10-00 am-solid-defenseTechnical track kevin cardwell-10-00 am-solid-defense
Technical track kevin cardwell-10-00 am-solid-defense
 
Hunt down the evil of your infrastructure
Hunt down the evil of your infrastructureHunt down the evil of your infrastructure
Hunt down the evil of your infrastructure
 
Advanced Threat Protection Lifecycle Infographic
Advanced Threat Protection Lifecycle InfographicAdvanced Threat Protection Lifecycle Infographic
Advanced Threat Protection Lifecycle Infographic
 
DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101
 

Viewers also liked

Advanced malware analysis training session5 reversing automation
Advanced malware analysis training session5 reversing automationAdvanced malware analysis training session5 reversing automation
Advanced malware analysis training session5 reversing automationCysinfo Cyber Security Community
 
Advanced malware analysis training session4 anti-analysis techniques
Advanced malware analysis training session4 anti-analysis techniquesAdvanced malware analysis training session4 anti-analysis techniques
Advanced malware analysis training session4 anti-analysis techniquesCysinfo Cyber Security Community
 
Advanced malware analysis training session1 detection and removal of malwares
Advanced malware analysis training session1 detection and removal of malwaresAdvanced malware analysis training session1 detection and removal of malwares
Advanced malware analysis training session1 detection and removal of malwaresCysinfo Cyber Security Community
 
Advanced malware analysis training session8 introduction to android
Advanced malware analysis training session8 introduction to androidAdvanced malware analysis training session8 introduction to android
Advanced malware analysis training session8 introduction to androidCysinfo Cyber Security Community
 
Advanced malware analysis training session6 malware sandbox analysis
Advanced malware analysis training session6 malware sandbox analysisAdvanced malware analysis training session6 malware sandbox analysis
Advanced malware analysis training session6 malware sandbox analysisCysinfo Cyber Security Community
 

Viewers also liked (20)

Breaking into hospitals
Breaking into hospitalsBreaking into hospitals
Breaking into hospitals
 
Automating malware analysis
Automating malware analysis Automating malware analysis
Automating malware analysis
 
Emet bypsass
Emet bypsass Emet bypsass
Emet bypsass
 
Bluetooth insecurity
Bluetooth insecurity Bluetooth insecurity
Bluetooth insecurity
 
Fingerprinting healthcare institutions
Fingerprinting healthcare institutions Fingerprinting healthcare institutions
Fingerprinting healthcare institutions
 
Betabot
BetabotBetabot
Betabot
 
Buffer overflow Attacks
Buffer overflow AttacksBuffer overflow Attacks
Buffer overflow Attacks
 
Dll preloading-attack
Dll preloading-attackDll preloading-attack
Dll preloading-attack
 
Cryptolocker
Cryptolocker Cryptolocker
Cryptolocker
 
Watering hole attacks case study analysis
Watering hole attacks case study analysisWatering hole attacks case study analysis
Watering hole attacks case study analysis
 
Return address
Return addressReturn address
Return address
 
Dynamic Binary Instrumentation
Dynamic Binary Instrumentation Dynamic Binary Instrumentation
Dynamic Binary Instrumentation
 
Advanced malware analysis training session5 reversing automation
Advanced malware analysis training session5 reversing automationAdvanced malware analysis training session5 reversing automation
Advanced malware analysis training session5 reversing automation
 
Advanced malware analysis training session4 anti-analysis techniques
Advanced malware analysis training session4 anti-analysis techniquesAdvanced malware analysis training session4 anti-analysis techniques
Advanced malware analysis training session4 anti-analysis techniques
 
Advanced malware analysis training session1 detection and removal of malwares
Advanced malware analysis training session1 detection and removal of malwaresAdvanced malware analysis training session1 detection and removal of malwares
Advanced malware analysis training session1 detection and removal of malwares
 
Dissecting Android APK
Dissecting Android APKDissecting Android APK
Dissecting Android APK
 
Format string vunerability
Format string vunerabilityFormat string vunerability
Format string vunerability
 
Homomorphic encryption
Homomorphic encryptionHomomorphic encryption
Homomorphic encryption
 
Advanced malware analysis training session8 introduction to android
Advanced malware analysis training session8 introduction to androidAdvanced malware analysis training session8 introduction to android
Advanced malware analysis training session8 introduction to android
 
Advanced malware analysis training session6 malware sandbox analysis
Advanced malware analysis training session6 malware sandbox analysisAdvanced malware analysis training session6 malware sandbox analysis
Advanced malware analysis training session6 malware sandbox analysis
 

Similar to Malicious Client Detection using Machine learning

Hunting on the cheap
Hunting on the cheapHunting on the cheap
Hunting on the cheapAnjum Ahuja
 
DHPA Techday 2015 - Maciej Korczyński - Reputation Metrics Design to Improve ...
DHPA Techday 2015 - Maciej Korczyński - Reputation Metrics Design to Improve ...DHPA Techday 2015 - Maciej Korczyński - Reputation Metrics Design to Improve ...
DHPA Techday 2015 - Maciej Korczyński - Reputation Metrics Design to Improve ...Splend
 
Network security monitoring elastic webinar - 16 june 2021
Network security monitoring elastic webinar - 16 june 2021Network security monitoring elastic webinar - 16 june 2021
Network security monitoring elastic webinar - 16 june 2021Mouaz Alnouri
 
1. Network Security Monitoring Rationale
1. Network Security Monitoring Rationale1. Network Security Monitoring Rationale
1. Network Security Monitoring RationaleSam Bowne
 
Presentacion de solucion cloud de navegacion segura
Presentacion de solucion cloud de navegacion seguraPresentacion de solucion cloud de navegacion segura
Presentacion de solucion cloud de navegacion seguraRogerChaucaZea
 
Securing DevOps through Privileged Access Management
Securing DevOps through Privileged Access ManagementSecuring DevOps through Privileged Access Management
Securing DevOps through Privileged Access ManagementBeyondTrust
 
Extend Network Visibility and Secure Applications and Data in Azure
Extend Network Visibility and Secure Applications and Data in AzureExtend Network Visibility and Secure Applications and Data in Azure
Extend Network Visibility and Secure Applications and Data in AzureFidelis Cybersecurity
 
Ransomware-Recovery-as-a-Service
Ransomware-Recovery-as-a-ServiceRansomware-Recovery-as-a-Service
Ransomware-Recovery-as-a-ServiceSagi Brody
 
Leveraging DNS to Surface Attacker Activity
Leveraging DNS to Surface Attacker ActivityLeveraging DNS to Surface Attacker Activity
Leveraging DNS to Surface Attacker ActivitySqrrl
 
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityMMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityAPNIC
 
Normalizing Empire's Traffic to Evade Anomaly-Based IDS
Normalizing Empire's Traffic to Evade Anomaly-Based IDSNormalizing Empire's Traffic to Evade Anomaly-Based IDS
Normalizing Empire's Traffic to Evade Anomaly-Based IDSUtku Sen
 
D zone-firewall-datasheet
D zone-firewall-datasheetD zone-firewall-datasheet
D zone-firewall-datasheetLindsay Carreau
 
Hacking - penetration tools
Hacking - penetration toolsHacking - penetration tools
Hacking - penetration toolsJenishChauhan4
 
Seucrity in a nutshell
Seucrity in a nutshellSeucrity in a nutshell
Seucrity in a nutshellYahia Kandeel
 
DNS Security, is it enough?
DNS Security, is it enough? DNS Security, is it enough?
DNS Security, is it enough? Zscaler
 
A hybrid intrusion detection system for cloud computing environments
A hybrid intrusion detection system for cloud computing environmentsA hybrid intrusion detection system for cloud computing environments
A hybrid intrusion detection system for cloud computing environmentsMohamed Jelidi
 
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!EC-Council
 
AktaionPPTv5_JZedits
AktaionPPTv5_JZeditsAktaionPPTv5_JZedits
AktaionPPTv5_JZeditsRod Soto
 

Similar to Malicious Client Detection using Machine learning (20)

Hunting on the cheap
Hunting on the cheapHunting on the cheap
Hunting on the cheap
 
DHPA Techday 2015 - Maciej Korczyński - Reputation Metrics Design to Improve ...
DHPA Techday 2015 - Maciej Korczyński - Reputation Metrics Design to Improve ...DHPA Techday 2015 - Maciej Korczyński - Reputation Metrics Design to Improve ...
DHPA Techday 2015 - Maciej Korczyński - Reputation Metrics Design to Improve ...
 
Network security monitoring elastic webinar - 16 june 2021
Network security monitoring elastic webinar - 16 june 2021Network security monitoring elastic webinar - 16 june 2021
Network security monitoring elastic webinar - 16 june 2021
 
1. Network Security Monitoring Rationale
1. Network Security Monitoring Rationale1. Network Security Monitoring Rationale
1. Network Security Monitoring Rationale
 
Presentacion de solucion cloud de navegacion segura
Presentacion de solucion cloud de navegacion seguraPresentacion de solucion cloud de navegacion segura
Presentacion de solucion cloud de navegacion segura
 
Securing DevOps through Privileged Access Management
Securing DevOps through Privileged Access ManagementSecuring DevOps through Privileged Access Management
Securing DevOps through Privileged Access Management
 
Extend Network Visibility and Secure Applications and Data in Azure
Extend Network Visibility and Secure Applications and Data in AzureExtend Network Visibility and Secure Applications and Data in Azure
Extend Network Visibility and Secure Applications and Data in Azure
 
Ransomware-Recovery-as-a-Service
Ransomware-Recovery-as-a-ServiceRansomware-Recovery-as-a-Service
Ransomware-Recovery-as-a-Service
 
Leveraging DNS to Surface Attacker Activity
Leveraging DNS to Surface Attacker ActivityLeveraging DNS to Surface Attacker Activity
Leveraging DNS to Surface Attacker Activity
 
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityMMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
 
Normalizing Empire's Traffic to Evade Anomaly-Based IDS
Normalizing Empire's Traffic to Evade Anomaly-Based IDSNormalizing Empire's Traffic to Evade Anomaly-Based IDS
Normalizing Empire's Traffic to Evade Anomaly-Based IDS
 
D zone-firewall-datasheet
D zone-firewall-datasheetD zone-firewall-datasheet
D zone-firewall-datasheet
 
Hacking - penetration tools
Hacking - penetration toolsHacking - penetration tools
Hacking - penetration tools
 
Seucrity in a nutshell
Seucrity in a nutshellSeucrity in a nutshell
Seucrity in a nutshell
 
DNS Security, is it enough?
DNS Security, is it enough? DNS Security, is it enough?
DNS Security, is it enough?
 
ION Malta - Introduction to DNSSEC
ION Malta - Introduction to DNSSECION Malta - Introduction to DNSSEC
ION Malta - Introduction to DNSSEC
 
Footprinting tools for security auditors
Footprinting tools for security auditorsFootprinting tools for security auditors
Footprinting tools for security auditors
 
A hybrid intrusion detection system for cloud computing environments
A hybrid intrusion detection system for cloud computing environmentsA hybrid intrusion detection system for cloud computing environments
A hybrid intrusion detection system for cloud computing environments
 
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
 
AktaionPPTv5_JZedits
AktaionPPTv5_JZeditsAktaionPPTv5_JZedits
AktaionPPTv5_JZedits
 

More from Cysinfo Cyber Security Community

Understanding Malware Persistence Techniques by Monnappa K A
Understanding Malware Persistence Techniques by Monnappa K AUnderstanding Malware Persistence Techniques by Monnappa K A
Understanding Malware Persistence Techniques by Monnappa K ACysinfo Cyber Security Community
 
Understanding & analyzing obfuscated malicious web scripts by Vikram Kharvi
Understanding & analyzing obfuscated malicious web scripts by Vikram KharviUnderstanding & analyzing obfuscated malicious web scripts by Vikram Kharvi
Understanding & analyzing obfuscated malicious web scripts by Vikram KharviCysinfo Cyber Security Community
 
Getting started with cybersecurity through CTFs by Shruti Dixit & Geethna TK
Getting started with cybersecurity through CTFs by Shruti Dixit & Geethna TKGetting started with cybersecurity through CTFs by Shruti Dixit & Geethna TK
Getting started with cybersecurity through CTFs by Shruti Dixit & Geethna TKCysinfo Cyber Security Community
 
A look into the sanitizer family (ASAN & UBSAN) by Akul Pillai
A look into the sanitizer family (ASAN & UBSAN) by Akul PillaiA look into the sanitizer family (ASAN & UBSAN) by Akul Pillai
A look into the sanitizer family (ASAN & UBSAN) by Akul PillaiCysinfo Cyber Security Community
 
Reversing and Decrypting Malware Communications by Monnappa
Reversing and Decrypting Malware Communications by MonnappaReversing and Decrypting Malware Communications by Monnappa
Reversing and Decrypting Malware Communications by MonnappaCysinfo Cyber Security Community
 
Understanding evasive hollow process injection techniques monnappa k a
Understanding evasive hollow process injection techniques monnappa k aUnderstanding evasive hollow process injection techniques monnappa k a
Understanding evasive hollow process injection techniques monnappa k aCysinfo Cyber Security Community
 
Security challenges in d2d communication by ajithkumar vyasarao
Security challenges in d2d communication by ajithkumar vyasaraoSecurity challenges in d2d communication by ajithkumar vyasarao
Security challenges in d2d communication by ajithkumar vyasaraoCysinfo Cyber Security Community
 

More from Cysinfo Cyber Security Community (20)

Understanding Malware Persistence Techniques by Monnappa K A
Understanding Malware Persistence Techniques by Monnappa K AUnderstanding Malware Persistence Techniques by Monnappa K A
Understanding Malware Persistence Techniques by Monnappa K A
 
Understanding & analyzing obfuscated malicious web scripts by Vikram Kharvi
Understanding & analyzing obfuscated malicious web scripts by Vikram KharviUnderstanding & analyzing obfuscated malicious web scripts by Vikram Kharvi
Understanding & analyzing obfuscated malicious web scripts by Vikram Kharvi
 
Getting started with cybersecurity through CTFs by Shruti Dixit & Geethna TK
Getting started with cybersecurity through CTFs by Shruti Dixit & Geethna TKGetting started with cybersecurity through CTFs by Shruti Dixit & Geethna TK
Getting started with cybersecurity through CTFs by Shruti Dixit & Geethna TK
 
Emerging Trends in Cybersecurity by Amar Prusty
Emerging Trends in Cybersecurity by Amar PrustyEmerging Trends in Cybersecurity by Amar Prusty
Emerging Trends in Cybersecurity by Amar Prusty
 
A look into the sanitizer family (ASAN & UBSAN) by Akul Pillai
A look into the sanitizer family (ASAN & UBSAN) by Akul PillaiA look into the sanitizer family (ASAN & UBSAN) by Akul Pillai
A look into the sanitizer family (ASAN & UBSAN) by Akul Pillai
 
Closer look at PHP Unserialization by Ashwin Shenoi
Closer look at PHP Unserialization by Ashwin ShenoiCloser look at PHP Unserialization by Ashwin Shenoi
Closer look at PHP Unserialization by Ashwin Shenoi
 
Unicorn: The Ultimate CPU Emulator by Akshay Ajayan
Unicorn: The Ultimate CPU Emulator by Akshay AjayanUnicorn: The Ultimate CPU Emulator by Akshay Ajayan
Unicorn: The Ultimate CPU Emulator by Akshay Ajayan
 
The Art of Executing JavaScript by Akhil Mahendra
The Art of Executing JavaScript by Akhil MahendraThe Art of Executing JavaScript by Akhil Mahendra
The Art of Executing JavaScript by Akhil Mahendra
 
Reversing and Decrypting Malware Communications by Monnappa
Reversing and Decrypting Malware Communications by MonnappaReversing and Decrypting Malware Communications by Monnappa
Reversing and Decrypting Malware Communications by Monnappa
 
DeViL - Detect Virtual Machine in Linux by Sreelakshmi
DeViL - Detect Virtual Machine in Linux by SreelakshmiDeViL - Detect Virtual Machine in Linux by Sreelakshmi
DeViL - Detect Virtual Machine in Linux by Sreelakshmi
 
Analysis of android apk using adhrit by Abhishek J.M
Analysis of android apk using adhrit by Abhishek J.M Analysis of android apk using adhrit by Abhishek J.M
Analysis of android apk using adhrit by Abhishek J.M
 
Understanding evasive hollow process injection techniques monnappa k a
Understanding evasive hollow process injection techniques monnappa k aUnderstanding evasive hollow process injection techniques monnappa k a
Understanding evasive hollow process injection techniques monnappa k a
 
Security challenges in d2d communication by ajithkumar vyasarao
Security challenges in d2d communication by ajithkumar vyasaraoSecurity challenges in d2d communication by ajithkumar vyasarao
Security challenges in d2d communication by ajithkumar vyasarao
 
S2 e (selective symbolic execution) -shivkrishna a
S2 e (selective symbolic execution) -shivkrishna aS2 e (selective symbolic execution) -shivkrishna a
S2 e (selective symbolic execution) -shivkrishna a
 
Dynamic binary analysis using angr siddharth muralee
Dynamic binary analysis using angr siddharth muraleeDynamic binary analysis using angr siddharth muralee
Dynamic binary analysis using angr siddharth muralee
 
Bit flipping attack on aes cbc - ashutosh ahelleya
Bit flipping attack on aes cbc - ashutosh ahelleyaBit flipping attack on aes cbc - ashutosh ahelleya
Bit flipping attack on aes cbc - ashutosh ahelleya
 
Security Analytics using ELK stack
Security Analytics using ELK stack Security Analytics using ELK stack
Security Analytics using ELK stack
 
Linux Malware Analysis
Linux Malware Analysis Linux Malware Analysis
Linux Malware Analysis
 
Introduction to Binary Exploitation
Introduction to Binary Exploitation Introduction to Binary Exploitation
Introduction to Binary Exploitation
 
ATM Malware: Understanding the threat
ATM Malware: Understanding the threat ATM Malware: Understanding the threat
ATM Malware: Understanding the threat
 

Recently uploaded

Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetEnjoy Anytime
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Hyundai Motor Group
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 

Recently uploaded (20)

Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 

Malicious Client Detection using Machine learning

  • 2. Threats •There are many types of malware for all types of devices and operating systems •Most if not all malware relies on a support system – command and control infrastructure •Bad guys use DNS to scale and hide their C&C infrastructure •Bad guys use DNS for C&C to bypass corporate security (tunneling) •Bad guys use cloud providers to roll out, scale, manage and quickly move their C&C Infrastructure Without reliance on any particular end point operation system or configuration, we can use big data analytics on network data to detect malware.
  • 3. Malware use of DNS rndruppbakyokv[.]com 1.2.3.4 Command and Control Infrastructure Communication Chanel with C&C is established. Compromised device receives updates, instructions, targets. DNS Server DNS Server End point device
  • 4. Raw pDNS Domain Name classifier DNS Resolver classifier Device Behavior classifier Compromised Device (Security Event) classifier Malicious Domains Malicious Resolvers Behavior Anomalies Machine Learning Pipeline DGA Network Time Tunnel Network Time Network Time
  • 6. DGA Model • Detect Randomly generated domains in the pDNS data. • Model is trained on 6 categories of malware families like zeus, tinba, pushdo, etc. • 29 features extracted from the domain. • 29 features dimensionally reduced to 16 features using PCA. • Those reduced features set is then used to train a GBM classifier.
  • 8. Domain Features(2) Length of largest meaningful string Mean length of dictionary words
  • 10. DGA Classification Performance Overall model performance (Random Forrest) Metric Performance Accuracy 98.738% Precision 99.288% Recall 98.181% AUC 99.801% Performance per malware family Malware Family % Detection Conflicker 86.309% Cryptolocker 98.348% Pushdo 95.515% Ramdo 99.823% Tinba 96.715% Zeus 100.0%
  • 11. Network Model • Using WHOIS record to find if a domain is malicious or benign. • WHOIS record contains very rich information about a domain. • Age based features. • Registration Features.
  • 12. Network Features – Whois Server Malicious Domains Benign Domains
  • 13. Network Features – creation Date
  • 14. Network Model Performance • Final Set of features :- creation Date, update Date, expiration Date,admin country, registrant country, tech country, status, whois server Metric Performance Error 0.00450864127 Area Under Curve 0.96615884041
  • 15. Compromised Client Detection Hadoop HDFS Spark Compute IP DGA WHOIS NX SERVER ip1 #10 #3 #4 #5 Ip2 #8 #1 #2 #3 ip3 #5 #2 #0 #0 ip4 #3 #3 #0 #0 pDNS Data Group By