init

bib.bib

@@ -0,0 +1,19 @@
+@inproceedings{antonakakis2011detecting,
+  title={Detecting Malware Domains at the Upper DNS Hierarchy.},
+  author={Antonakakis, Manos and Perdisci, Roberto and Lee, Wenke and Vasiloglou II, Nikolaos and Dagon, David}
+}
+
+@inproceedings{bilge2011exposure,
+  title={EXPOSURE: Finding Malicious Domains Using Passive DNS Analysis.},
+  author={Bilge, Leyla and Kirda, Engin and Kruegel, Christopher and Balduzzi, Marco},
+  booktitle={Ndss},
+  year={2011}
+}
+
+@inproceedings{antonakakis2010building,
+  title={Building a Dynamic Reputation System for DNS.},
+  author={Antonakakis, Manos and Perdisci, Roberto and Dagon, David and Lee, Wenke and Feamster, Nick},
+  booktitle={USENIX security symposium},
+  pages={273--290},
+  year={2010}
+}

main.tex

@@ -0,0 +1,198 @@
+%-------------------
+%Header
+%-------------------
+
+%Wir verwenden eine DIN-A4-Seite und die Schriftgröße 12.
+\documentclass[a4paper,12pt]{scrartcl}
+\title{Expose Master's thesis Felix Steghofer}
+
+
+%Diese drei Pakete benötigen wir für die Umlaute, Deutsche Silbentrennung etc.
+%Apple-Nutzer sollten anstelle von \usepackage[latin1]{inputenc} das Paket \usepackage[applemac]{inputenc} verwenden
+\usepackage[utf8]{inputenc}
+\usepackage[english]{babel}
+\usepackage[T1]{fontenc}
+\usepackage{enumitem}
+\usepackage{listings}
+\usepackage{sidecap}
+\usepackage{float}
+\usepackage{todonotes}
+
+%Das Paket erzeugt ein anklickbares Verzeichnis in der PDF-Datei.
+\usepackage[hyphens]{url}
+\usepackage{hyperref}
+
+%Das Paket wird für die anderthalb-zeiligen Zeilenabstand benötigt
+\usepackage{setspace}
+
+%Einrückung eines neuen Absatzes
+\setlength{\parindent}{0em}
+
+%Definition der Ränder
+\usepackage[paper=a4paper,left=30mm,right=30mm,top=30mm,bottom=30mm]{geometry}
+
+%Links format
+\hypersetup{
+  colorlinks   = true, %Colours links instead of ugly boxes
+  urlcolor     = blue, %Colour for external hyperlinks
+  linkcolor    = blue, %Colour of internal links
+  citecolor   = red %Colour of citations
+}
+
+%c++ code
+\lstset{language=C++,
+       	basicstyle=\ttfamily,
+       	keywordstyle=\color{blue}\ttfamily,
+       	stringstyle=\color{red}\ttfamily,
+       	commentstyle=\color{green}\ttfamily,
+  	   	frame=single,
+  		xrightmargin=.5em,
+  		xleftmargin=.5em
+      }
+
+%Pics..
+\usepackage{graphicx}
+\usepackage{caption}
+\usepackage{csquotes}
+\usepackage{chngcntr}
+\graphicspath{ {media/} }
+
+%Pics counter
+\counterwithout{figure}{section}
+
+%Abstand der Fußnoten
+\deffootnote{1em}{1em}{\textsuperscript{\thefootnotemark\ }}
+
+%Regeln, bis zu welcher Tiefe (section,subsection,subsubsection) Überschriften angezeigt werden sollen (Anzeige der Überschriften im Verzeichnis / Anzeige der Nummerierung)
+\setcounter{tocdepth}{3}
+\setcounter{secnumdepth}{3}
+
+% uncomment for bibliography
+%\usepackage[backend=biber,
+%style=numeric
+%style=alphabetic
+%style=reading
+%style=authoryear-ibid
+%]{bibtex}
+%\addbibresource{literatur_seminararbeit}
+%\defbibheading{head}{\section{Literaturverzeichnis}}
+%-------------------
+%Ende des Kopfbereiches
+%-------------------
+
+%-------------------
+%Main
+%-------------------
+\begin{document}
+
+
+%Beginn der Titelseite
+\begin{titlepage}
+\begin{small}
+\vfill {Universität Passau || Siemens CERT || Master's thesis - Expose}
+\end{small}
+
+
+\begin{center}
+\begin{Large}
+\vfill{\textsf{\textbf{
+Evaluation of domain reputation scoring algorithms in the field of IT-Security and development of a probabilistic hostile activities accounting algorithm.
+}}}
+\end{Large}
+\end{center}
+
+\begin{small}
+\vfill Felix Steghofer \\ \today \\ Advisor: Thomas Penteker \\ Supervisor: Prof. Dr. rer. nat. Joachim Posegga
+
+\end{small}
+
+\end{titlepage}
+%Ende der Titelseite
+
+
+%Inhaltsverzeichnis (aktualisiert sich erst nach dem zweiten Setzen)
+\tableofcontents
+\thispagestyle{empty}
+
+%Beginn einer neuen Seite
+\clearpage
+
+%Anderthalbzeiliger Zeilenabstand ab hier
+\onehalfspacing
+
+\pagestyle{plain}
+
+
+\section{Abstract}
+The domain name system (DNS) has been one of the corner stones of the internet
+for a long time. It acts as a hierarchical, bidirectional translation device
+between mnemonic domain names and network addresses. It also provides service
+lookup or enrichment capabilities for a range of application protocols like
+HTTP, SMTP, and SSH.
+In the context of defensive IT security, investigating aspects of the DNS can
+facilitate protection efforts tremendously. Estimating the reputation of
+domains can help in identifying hostile activities. Such a score can, for
+example, consider features like quickly changing network blocks for a given
+domain or clustering of already known malicious domains and newly observed
+ones.
+ 
+The task of this work is to evaluate existing scoring mechanisms of domains in
+the special context of IT security, and also research the potential for combining
+different measurement approaches. It ultimately shall come up with an improved
+and evaluated algorithm for determining the probability of a domain being
+related to hostile activities.
+
+
+\section{Related work}
+Malware related dynamic domain reputation systems (Machine Learning approaches):
+\begin{itemize}
+    \item Notos (passive monitoring of recursive DNS traffic, may not be complete..TODO) \cite{antonakakis2010building}
+    \item Exposure (like Notos, but TODO) \cite{bilge2011exposure}
+    \item Kopis (working in the upper DNS hierarchy) \cite{antonakakis2011detecting}
+\end{itemize}
+
+
+See Figure~\ref{exposure_features} for an example of possible features. (Extracted by Exposure to do the sentiment analysis)
+\begin{figure}[htbp]
+\centering
+\includegraphics[width=.7\textwidth]{exposure_features.png}
+\caption{Features used in Exposure \cite{bilge2011exposure}}
+\label{exposure_features}
+\end{figure}
+
+In comparison the Features of Kopis:
+
+Statistical Features:
+Qj (d) = (Tj , Rj , d, IPsj ) where
+Tj is the epoch (time of the request/response)
+Rj is the IP of the requests initiator
+d the queried domain and
+IPsj is the set of resolved IPs for this domain as responded
+
+\begin{itemize}
+    \item Requester Diversity: Where do request originate (overall)
+    \item Requester Profile: Is the requester a single computer or does it itself handle/serve many client (RDNS server of a large ISP). Different profiles can therefor be weighted accordingly
+    \item Resolved-IPs Reputation (IPR): 
+\end{itemize}
+
+
+Comparing those three systems, Kopis successes for a dynamic, independent and global domain reputation scoring algorithm so far. It uses a supervised machine learning approach where within the training mode it uses a set of sentimentally annotated \textit{malware-related} and \textit{known legitimate} domain names to build a model based on query/response
+patterns that can be used to statistically classify in operational mode.
+
+high detection rates (e.g., 98.4%)
+low false positive rates (e.g., 0.3% or 0.5%)
+
+
+%
+% Bibliography
+%
+\bibliographystyle{abbrv}
+\bibliography{bib}
+
+%list of all pictures
+\listoffigures
+
+\end{document}
+%-------------------
+%End
+%-------------------