Speaker
Mr
Yuriy Yuzifovich
(Nominum)
Description
A “core” domain, aka an “effective 2nd level domain” (e2LD), usually captures domain ownership (example1.com for www.example1.com, example2.co.uk for www.example2.co.uk) and is thus a useful marker for analysis of DNS data. New core domains are particularly interesting, since they are highly correlated with malicious activity. For the past 5 years we’ve been tracking new core domains, and last year we undertook a project to greatly improve our infrastructure in order to study them more intensively.
This presentation will discuss the development of a read/write in-memory processing engine that was used on a 1 million QPS data stream collected from resolvers worldwide. The engine was designed to enable real-time processing that reduces noise in the data and evaluates the relevance of each query.
Typical findings in the data will also be discussed: basic stats such as what percentage of queries to new core domains resolve, the first-level categorical distribution (benign, returns errors, suspected DGA, scanning, suspicious, confirmed malicious), how often new core domains are queried, by how many IPs, etc. Finally, it will discuss methods for turning this raw data into actionable intelligence.
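As an added illustration (example code written for this page, not Nominum's engine or any code from the talk), the following script shows the two building blocks the abstract relies on: deriving the e2LD of a query name from a public-suffix table, and tracking first-seen times per core domain over a resolver query stream so that "new" core domains can be isolated and the listed stats (resolve rate, query count, distinct client IPs) computed for them. It assumes a tiny hand-picked subset of the Public Suffix List, a 24-hour "newness" window, a constructed eight-record query stream, and NOERROR as the definition of "resolved"; all of these are assumptions, not facts from the abstract.

```python
"""Added example: e2LD extraction and new-core-domain tracking over a DNS query
stream. Not from the talk; the suffix table, window and sample data are assumed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Assumption: a hand-picked subset of the Public Suffix List (publicsuffix.org).
# A real deployment loads the full list; wildcard and exception rules are omitted.
PUBLIC_SUFFIXES = {"com", "net", "org", "io", "uk", "co.uk", "github.io"}


def core_domain(qname: str) -> Optional[str]:
    """Return the effective 2nd-level domain (e2LD) of a query name.

    The longest matching public suffix wins and the e2LD is that suffix plus
    one more label. A bare public suffix ("co.uk") has no e2LD and yields None.
    An unlisted TLD is treated as a public suffix, matching the PSL default rule.
    """
    labels = [l for l in qname.strip().lower().rstrip(".").split(".") if l]
    if not labels:
        return None
    # Walk from the full name down to the TLD; the first hit is the longest suffix.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i >= 1 else None
    return ".".join(labels[-2:]) if len(labels) >= 2 else None


@dataclass
class CoreStats:
    first_seen: float                 # epoch seconds of first observation
    queries: int = 0
    resolved: int = 0                 # queries answered NOERROR (assumed definition)
    client_ips: Set[str] = field(default_factory=set)


class NewCoreDomainTracker:
    """Tracks first-seen time per core domain over (ts, client_ip, qname, rcode)
    records. A core domain is "new" while fewer than window_s seconds have
    passed since it was first seen."""

    def __init__(self, window_s: float = 24 * 3600):
        self.window_s = window_s
        self.stats: Dict[str, CoreStats] = {}

    def seed(self, core: str, first_seen: float) -> None:
        """Pre-load a core domain already known from historical data."""
        self.stats.setdefault(core, CoreStats(first_seen=first_seen))

    def observe(self, ts: float, client_ip: str, qname: str,
                rcode: str) -> Optional[Tuple[str, bool]]:
        core = core_domain(qname)
        if core is None:              # bare suffix or malformed name: noise, drop it
            return None
        st = self.stats.setdefault(core, CoreStats(first_seen=ts))
        st.queries += 1
        if rcode == "NOERROR":
            st.resolved += 1
        st.client_ips.add(client_ip)
        return core, (ts - st.first_seen) < self.window_s

    def new_domain_summary(self, now: float) -> dict:
        """Aggregate stats over the core domains still inside the newness window."""
        new = {c: s for c, s in self.stats.items()
               if now - s.first_seen < self.window_s}
        q = sum(s.queries for s in new.values())
        r = sum(s.resolved for s in new.values())
        return {
            "new_core_domains": len(new),
            "queries_to_new": q,
            "resolve_rate_pct": round(100.0 * r / q, 1) if q else 0.0,
            # per domain: (queries, resolved, distinct client IPs)
            "per_domain": {c: (s.queries, s.resolved, len(s.client_ips))
                           for c, s in new.items()},
        }


# Constructed sample stream (not real resolver data): epoch seconds, client IP,
# query name, response code.
SAMPLE_STREAM = [
    (1_000_000, "10.0.0.1", "www.example1.com", "NOERROR"),
    (1_000_010, "10.0.0.2", "mail.example1.com", "NOERROR"),
    (1_000_020, "10.0.0.1", "www.newshop-2024.co.uk", "NOERROR"),
    (1_000_030, "10.0.0.3", "cdn.newshop-2024.co.uk", "NOERROR"),
    (1_000_040, "10.0.0.4", "xk3r9v2p.net", "NXDOMAIN"),  # DGA-looking, unresolved
    (1_000_050, "10.0.0.4", "q7mz1lp0.net", "NXDOMAIN"),
    (1_000_060, "10.0.0.5", "co.uk", "NOERROR"),          # bare suffix: dropped
    (1_000_070, "10.0.0.1", "xk3r9v2p.net", "NXDOMAIN"),
]


def run_demo(now: float = 1_000_100) -> dict:
    tracker = NewCoreDomainTracker(window_s=24 * 3600)
    tracker.seed("example1.com", first_seen=0.0)  # long known, so never "new"
    for rec in SAMPLE_STREAM:
        tracker.observe(*rec)
    return tracker.new_domain_summary(now)


if __name__ == "__main__":
    print(run_demo())
```

On the sample stream the tracker reports three new core domains carrying five queries, of which 40% resolved; the two NXDOMAIN-only names with random-looking labels stand out exactly as the abstract's "suspected DGA" and "returns errors" categories would. Dropping bare public suffixes before counting is one instance of the noise reduction the engine performs; at 1 million QPS the same per-domain state would have to live in memory and be aged out, which is the engineering problem the talk addresses.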
Talk Duration: 30 Minutes
Primary author
Mr
Yuriy Yuzifovich
(Nominum)