FloCon 2018 has ended
Tucson, AZ – January 8-11, 2018


Wednesday, January 10 • 10:00am - 10:30am
Detecting Malicious IPs and Domain Names by Fusing Threat Feeds and Passive DNS through Graph Inference


How can we tell which domain names will soon be used to deliver bad traffic to us from the Internet? Often we can answer such questions from the reputation of their digital neighborhood (guilt by association). This talk considers how to use the Belief Propagation Algorithm (BPA) for graph inference over a large network of passive DNS data, in order to identify previously unknown malicious IP addresses and domain names from a seed list of ground-truth known-good and known-bad IPs and domains. Specifically, we run BPA on a bipartite graph of IP addresses and domain names to estimate the likelihood that each unknown IP address or domain name is malicious. IP addresses and domain names are the nodes of the graph, and an edge joins a domain name to an IP address if the domain resolved to that address at some point. BPA spreads the ground-truth labels through the graph on the premise that IP addresses or domains connected to known malicious IP addresses or domains are more likely to be malicious themselves ("birds of a feather flock together").
Our work focuses on how to apply this algorithm to highly connected graphs, where the product of many incoming messages at a high-degree node can underflow floating-point arithmetic and bias some of the BPA computations. Our highly connected graph is constructed by mining a large (over a terabyte) publicly available data set of IP addresses and associated DNS names. We provide measures of the connectivity of the network and describe the computational concerns that arise in BPA as a result of this connectivity. We test a number of approaches for handling underflow and bias and compare their BPA results. Our approaches include software packages for arbitrary precision, exact transformations of the computations using logarithm identities, inflation of intermediate computations, and sampling schemes designed to reduce bias. We compare results using measures of BPA's performance, such as true positive rate, false positive rate, and computational runtime. We conclude with recommendations and guidance for employing BPA on similar problems with limited computational resources.
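The following is an added worked example, not code from the speakers or from MITRE: sum-product belief propagation over a small bipartite domain/IP graph, carried out entirely in the log domain so that the product of many incoming messages at a high-degree node cannot underflow (the "logarithm identities" approach the abstract lists, with per-message normalisation). The passive DNS resolutions, seed lists, priors (0.99/0.01 for seeds, 0.5/0.5 for unknowns) and the homophily edge potential are all constructed assumptions chosen to illustrate the method, not values from the talk; the two helper functions at the end only show why a plain floating-point product of messages is unsafe.

```python
"""Guilt-by-association belief propagation on a domain/IP bipartite graph (added example).

All data below is constructed for illustration. Priors, edge potential and iteration
count are assumptions, not parameters reported by the FloCon talk.
"""
import math
from collections import defaultdict

# Constructed passive DNS resolutions: (domain, ip). Not real observations.
PDNS = [
    ("evil-update.example", "198.51.100.10"),
    ("evil-update.example", "198.51.100.11"),
    ("c2-beacon.example", "198.51.100.10"),   # closes a cycle, so the graph is "loopy"
    ("c2-beacon.example", "198.51.100.11"),
    ("unknown-a.example", "198.51.100.11"),   # shares an IP with two known-bad domains
    ("unknown-b.example", "198.51.100.10"),
    ("bank.example", "203.0.113.5"),
    ("news.example", "203.0.113.5"),
    ("unknown-c.example", "203.0.113.5"),     # shares an IP with two known-good domains
    ("unknown-d.example", "192.0.2.7"),        # reachable from neither seed set
]
SEED_BAD = {"evil-update.example", "c2-beacon.example"}
SEED_GOOD = {"bank.example", "news.example"}

# Node states: index 0 = benign, 1 = malicious. Priors are assumed values.
PRIOR_BAD, PRIOR_GOOD, PRIOR_UNKNOWN = (0.01, 0.99), (0.99, 0.01), (0.5, 0.5)
EPS = 0.1  # homophily strength (assumed): P(neighbour has my label) = 0.5 + EPS
EDGE_POT = ((0.5 + EPS, 0.5 - EPS), (0.5 - EPS, 0.5 + EPS))


def build_graph(pdns):
    """Undirected bipartite adjacency: domain <-> every IP it ever resolved to."""
    adj = defaultdict(set)
    for dom, ip in pdns:
        adj[dom].add(ip)
        adj[ip].add(dom)
    return adj


def prior(node):
    if node in SEED_BAD:
        return PRIOR_BAD
    if node in SEED_GOOD:
        return PRIOR_GOOD
    return PRIOR_UNKNOWN


def logsumexp(xs):
    """log(sum(exp(x))) without overflow/underflow: factor out the maximum first."""
    m = max(xs)
    return m + math.log(sum(math.exp(x - m) for x in xs))


def belief_propagation(adj, iters=20):
    """Loopy sum-product BP in the log domain. Returns P(malicious) per node.

    Working with log-messages turns the product over a node's (possibly huge) set of
    neighbours into a sum, and excluding the recipient's own message is an exact
    subtraction rather than a division by a possibly tiny probability.
    """
    log_prior = {n: tuple(math.log(p) for p in prior(n)) for n in adj}
    log_pot = tuple(tuple(math.log(p) for p in row) for row in EDGE_POT)
    # msg[(i, j)][x] = log m_{i->j}(x): what i currently tells j about j's state x
    msg = {(i, j): (math.log(0.5), math.log(0.5)) for i in adj for j in adj[i]}
    for _ in range(iters):
        new = {}
        for i in adj:
            # Prior plus all incoming log-messages, computed once per node (O(deg)).
            total = [log_prior[i][x] + sum(msg[(k, i)][x] for k in adj[i]) for x in (0, 1)]
            for j in adj[i]:
                excl = [total[x] - msg[(j, i)][x] for x in (0, 1)]  # drop j's own message
                out = [logsumexp([excl[xi] + log_pot[xi][xj] for xi in (0, 1)]) for xj in (0, 1)]
                z = logsumexp(out)
                new[(i, j)] = (out[0] - z, out[1] - z)  # normalise: keeps log-messages bounded
        msg = new
    beliefs = {}
    for i in adj:
        lb = [log_prior[i][x] + sum(msg[(k, i)][x] for k in adj[i]) for x in (0, 1)]
        beliefs[i] = math.exp(lb[1] - logsumexp(lb))  # P(malicious)
    return beliefs


def rank_unknown(beliefs):
    """Unknown (non-seed) nodes, most suspicious first."""
    unknown = [n for n in beliefs if n not in SEED_BAD and n not in SEED_GOOD]
    return sorted(unknown, key=lambda n: beliefs[n], reverse=True)


def naive_product(values):
    """Plain double product: underflows to 0.0 once enough sub-unit factors accumulate."""
    p = 1.0
    for v in values:
        p *= v
    return p


def log_product(values):
    """Same product as a sum of logs: stays finite for any number of factors."""
    return sum(math.log(v) for v in values)


if __name__ == "__main__":
    b = belief_propagation(build_graph(PDNS))
    for n in rank_unknown(b):
        print(f"{n:22s} P(malicious)={b[n]:.3f}")
    # A node with 1100 neighbours each sending a 0.5 message: product vs log-sum.
    print("naive:", naive_product([0.5] * 1100), " log-domain:", log_product([0.5] * 1100))
```

On real passive DNS the graph has hosting IPs and CDN addresses with tens of thousands of resolved domains; those are exactly the nodes where `naive_product` returns 0.0 and a probability-domain implementation silently loses the node, while the log-domain version above only pays a sum over the neighbour list. The example keeps a small cycle (both seed domains share both IPs) so it runs the loopy variant the talk is about rather than the exact tree case.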

Attendees Will Learn:
Network security analysts routinely collect large volumes of network and application log data, but the analysis of this data is largely unsophisticated. Threat feeds inundate analysts with tips on malicious IPs and domain names. Our talk will give security analysts a tool to connect the dots and uncover more malicious activity on their network, faster and more accurately.


Eric Harley

Cyber Security Researcher, MITRE
Eric Harley is a Cyber Security Researcher at The MITRE Corporation in McLean, VA. Mr. Harley leverages his academic background in statistics and high performance computing to advance new analytic techniques for detecting and containing sophisticated cyber adversaries. He has a MSE...

Emily Heath

Sr. Cyber Security Engineer, MITRE
Dr. Emily Heath is a Senior Cyber Security Engineer at The MITRE Corporation. Her primary research interests are in optimization, machine learning, and analytics, with a focus on applications to problems in cyber security. While at MITRE, she has worked on advanced cyber security...

Wednesday January 10, 2018 10:00am - 10:30am MST
Presidio III, IV, V