2018-02-01 13:08:03 +01:00
parent 970af03c09
commit c60ee8af9c


@@ -3,5 +3,5 @@
All evaluated machine learning systems show high detection rates and low false rates in detecting domains that are involved in malicious activities like, botnets, phishing and spam-campaigns with a variety of different features. The three most popular systems that have been proposed, \textit{Notos}, \textit{Exposure} and \textit{Kopis} are however either hard to deploy and/or require a lot of manual work to get started and can generally be seen more like research prototypes than mature products.
In this work, a dynamic reputation system (\textit{DoresA}) has been implemented by combining different aspects of the previously evaluated systems. Most aspects have been adopted from one system \textit{Exposure}, mostly due to its simplicity while maintaining similar detection rates and because the passive DNS data that has been available for this work showed most similarities to the data that was used in that system. To test \textit{DoresA}, a model with a total of 1 million data samples has been trained using a decision tree learning algorithm. The characteristics of the DNS resource usage, especially how often the TTL value for a domain is changed, has shown be useful to distinguish between malicious and benign domains. In the time of writing this thesis, no evaluation of the implemented algorithm could be finished. Future work can use this implementation and investigate the accuracy of this approach. Furthermore, built on top of this work, a monitoring system can be realized to proactively warn of requests to domains, involved in malicious activities. To the best of my knowledge, no system that can easily be deployed to networks exists, neither commercial or non-commercial. A dynamic domain reputation system could be run in addition to traditional malware detection software and shows advantages, especially in the discovery of unknown malware with a lightweight approach using a passive DNS database.
In this work, a dynamic reputation system (\textit{DoresA}) has been implemented by combining different aspects of the previously evaluated systems. Most aspects have been adopted from one system \textit{Exposure}, firstly due to its simplicity while maintaining similar detection rates and secondly because the passive DNS data that has been available for this work showed most similarities to the data that was used in that system. To test \textit{DoresA}, a model with a total of 1 million data samples has been trained using a decision tree learning algorithm. The characteristics of the DNS resource usage, especially how often the TTL value for a domain is changed, has shown to be useful to distinguish between malicious and benign domains. In the time of writing this thesis, no evaluation of the implemented algorithm could be finished. Future work can use this implementation and investigate the accuracy of this approach. Furthermore, built on top of this work, a monitoring system can be realized to proactively warn of requests to domains, involved in malicious activities. To the best of my knowledge, no system that can easily be deployed to networks exists, neither commercial or non-commercial. A dynamic domain reputation system could be run in addition to traditional malware detection software and shows advantages, especially in the discovery of unknown malware with a lightweight approach using a passive DNS database.
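Review bot: the rewritten sentence "The characteristics of the DNS resource usage ... has shown to be useful" still has a subject-verb agreement error in the new version of the paragraph; the subject is plural, so it should read "have shown to be useful" (or "have proven useful"). While touching this paragraph, a few other wording issues in the same line are worth fixing in the same commit: "In the time of writing this thesis" should be "At the time of writing this thesis"; "neither commercial or non-commercial" should be "neither commercial nor non-commercial"; and the comma in "domains, involved in malicious activities" should be dropped, since the participle phrase is restrictive. The "firstly ... secondly" restructuring itself reads fine and makes the two reasons for adopting Exposure clearer than the original "mostly due to".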