%-------------------
%Header
%-------------------
%We use a DIN A4 page and font size 12.
\documentclass[a4paper,12pt]{scrartcl}
\title{Exposé Master's thesis Felix Steghofer}
%These three packages handle the input encoding (umlauts), hyphenation and the font encoding.
%Apple users should use \usepackage[applemac]{inputenc} instead of \usepackage[latin1]{inputenc}.
\usepackage[utf8]{inputenc}
\usepackage[english]{babel}
\usepackage[T1]{fontenc}
\usepackage{enumitem}
\usepackage{listings}
\usepackage{sidecap}
\usepackage{float}
\usepackage{todonotes}
%Colour support (\color is used in \lstset below).
\usepackage{xcolor}
%This package produces a clickable table of contents in the PDF file.
\usepackage[hyphens]{url}
\usepackage{hyperref}
%This package is needed for one-and-a-half line spacing.
\usepackage{setspace}
%Indentation of a new paragraph
\setlength{\parindent}{0em}
%Definition of the margins
\usepackage[paper=a4paper,left=30mm,right=30mm,top=30mm,bottom=30mm]{geometry}
%Link format
\hypersetup{
  colorlinks = true, %Colours links instead of ugly boxes
  urlcolor   = blue, %Colour for external hyperlinks
  linkcolor  = blue, %Colour of internal links
  citecolor  = red   %Colour of citations
}
%C++ code
\lstset{language=C++,
  basicstyle=\ttfamily,
  keywordstyle=\color{blue}\ttfamily,
  stringstyle=\color{red}\ttfamily,
  commentstyle=\color{green}\ttfamily,
  frame=single,
  xrightmargin=.5em,
  xleftmargin=.5em
}
%Pictures
\usepackage{graphicx}
\usepackage{caption}
\usepackage{csquotes}
\usepackage{chngcntr}
\graphicspath{ {media/} }
%Figure counter
\counterwithout{figure}{section}
%Footnote spacing
\deffootnote{1em}{1em}{\textsuperscript{\thefootnotemark\ }}
%Rules for the depth (section, subsection, subsubsection) to which headings are shown (in the table of contents / numbering)
\setcounter{tocdepth}{3}
\setcounter{secnumdepth}{3}
% uncomment for a biblatex-based bibliography
%\usepackage[backend=biber,
%style=numeric
%style=alphabetic
%style=reading
%style=authoryear-ibid
%]{biblatex}
%\addbibresource{literatur_seminararbeit}
%\defbibheading{head}{\section{Bibliography}}
%-------------------
%End of the header
%-------------------

%-------------------
%Main
%-------------------
\begin{document}
%Start of the title page
\begin{titlepage}
\begin{small}
\vfill
{Universität Passau || Siemens CERT || Master's thesis - Exposé}
\end{small}
\begin{center}
\begin{Large}
\vfill{\textsf{\textbf{
Evaluation of domain reputation scoring algorithms in the field of IT security and development of a probabilistic hostile activities accounting algorithm.
}}}
\end{Large}
\end{center}
\begin{small}
\vfill
Felix Steghofer \\
\today \\
Advisor: Thomas Penteker \\
Supervisor: Prof. Dr. rer. nat. Joachim Posegga
\end{small}
\end{titlepage}
%End of the title page

%Table of contents (only up to date after the second compilation run)
\tableofcontents
\thispagestyle{empty}
%Start a new page
\clearpage
%One-and-a-half line spacing from here on
\onehalfspacing
\pagestyle{plain}

\section{Abstract}
The Domain Name System (DNS) has been one of the cornerstones of the internet for a long time. It acts as a hierarchical, bidirectional mapping between mnemonic domain names and network addresses (forward and reverse lookups). It also provides service lookup and enrichment capabilities for a range of application protocols such as HTTP, SMTP, and SSH.
In the context of defensive IT security, analysing the DNS can support protection efforts considerably. Estimating the reputation of a domain helps to identify hostile activity. Such a score can, for example, consider features like rapidly changing network blocks for a given domain, or the clustering of newly observed domains with already known malicious ones. The task of this work is to evaluate existing scoring mechanisms for domains in the specific context of IT security, and to research the potential of combining different measurement approaches. It shall ultimately result in an improved and evaluated algorithm for determining the probability that a domain is related to hostile activities.

\section{Related work}
Malware-related dynamic domain reputation systems (machine learning approaches):
\begin{itemize}
  \item Notos: passive monitoring of recursive DNS traffic; its view is limited to the networks whose resolvers are monitored (TODO) \cite{antonakakis2010building}
  \item Exposure: like Notos based on passive DNS data from recursive resolvers, but with a different feature set (TODO) \cite{bilge2011exposure}
  \item Kopis: works in the upper DNS hierarchy (authoritative and TLD name servers) and therefore has a global view \cite{antonakakis2011detecting}
\end{itemize}
See Figure~\ref{exposure_features} for an example of possible features (the features Exposure extracts for its classification).
\begin{figure}[htbp]
  \centering
  \includegraphics[width=.7\textwidth]{exposure_features.png}
  \caption{Features used in Exposure \cite{bilge2011exposure}}
  \label{exposure_features}
\end{figure}

In comparison, the features of Kopis are statistical features computed from the query/response tuples
\[
Q_j(d) = (T_j, R_j, d, \mathit{IPs}_j)
\]
where $T_j$ is the epoch (time of the request/response), $R_j$ the IP address of the requester, $d$ the queried domain and $\mathit{IPs}_j$ the set of IP addresses returned for this domain in the response:
\begin{itemize}
  \item Requester Diversity (RD): where do the requests for a domain originate (overall)?
  \item Requester Profile (RP): is the requester a single computer, or does it itself serve many clients (e.g. the recursive DNS server of a large ISP)? Different profiles can therefore be weighted accordingly.
  \item Resolved-IPs Reputation (IPR): the reputation of the address space (IP addresses, BGP prefixes, ASes) a domain resolves to, based on whether it has previously hosted known malicious domains \cite{antonakakis2011detecting}.
\end{itemize}
Comparing the three systems, Kopis comes closest so far to a dynamic, network-independent and global domain reputation scoring algorithm. It uses a supervised machine learning approach: in training mode, a set of labelled \textit{malware-related} and \textit{known legitimate} domain names is used to build a model from query/response patterns, which is then used in operational mode to classify domains statistically. The authors report high detection rates (e.g., 98.4\%) at low false positive rates (e.g., 0.3\% or 0.5\%) \cite{antonakakis2011detecting}.

%
% Bibliography
%
\bibliographystyle{abbrv}
\bibliography{bib}

%List of all figures
\listoffigures

\end{document}
%-------------------
%End
%-------------------
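Added worked example (Python; not code from this exposé or from the Kopis or Exposure papers): it shows how the three Kopis-style features described in the related work (Requester Diversity, Requester Profile, Resolved-IPs Reputation) can be computed from query/response tuples Q_j(d) = (T_j, R_j, d, IPs_j) and combined into the per-domain feature vector a supervised classifier would be trained on. The ASN prefix table (plain /24 prefixes standing in for a BGP/AS lookup), the known-bad address block and the observed queries are constructed sample data, and the requester-profile weighting (number of distinct domains a requester queried in the epoch) is a simplified assumption rather than the paper's exact definition.

```python
"""Kopis-style feature extraction from DNS query/response tuples.
Added example, not code from the expose or the Kopis/Exposure papers.
An observation is Q_j(d) = (T_j, R_j, d, IPs_j): epoch, requester address,
queried domain, addresses returned. ASN table, bad blocks and observations
are constructed sample data."""
from __future__ import annotations
import ipaddress
import math
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed stand-in for a BGP prefix / AS lookup: requester prefix -> ASN.
ASN_TABLE = {
    "198.51.100.0/24": 64500,  # hypothetical resolver range of a large ISP
    "203.0.113.0/24": 64501,
    "192.0.2.0/24": 64502,
}
# Constructed address block that previously hosted malicious domains.
KNOWN_BAD_PREFIXES = [ipaddress.ip_network("192.0.2.128/25")]

@dataclass(frozen=True)
class Query:
    epoch: int                 # T_j
    requester: str             # R_j
    domain: str                # d
    resolved: tuple[str, ...]  # IPs_j

OBSERVATIONS = [  # constructed queries of one epoch
    Query(1, "198.51.100.10", "example.test", ("192.0.2.200", "192.0.2.201")),
    Query(1, "198.51.100.10", "cdn.test", ("203.0.113.5",)),
    Query(1, "198.51.100.10", "mail.test", ("203.0.113.6",)),
    Query(1, "203.0.113.7", "example.test", ("192.0.2.202",)),
    Query(1, "203.0.113.7", "cdn.test", ("203.0.113.5",)),
    Query(1, "198.51.100.11", "example.test", ("192.0.2.200",)),
    Query(1, "192.0.2.9", "example.test", ("192.0.2.203",)),
]

def asn_of(ip: str) -> int | None:
    """Map a requester address to an ASN via the constructed prefix table."""
    addr = ipaddress.ip_address(ip)
    for prefix, asn in ASN_TABLE.items():
        if addr in ipaddress.ip_network(prefix):
            return asn
    return None

def _queries_for(domain, queries, epoch):
    return [q for q in queries if q.domain == domain and q.epoch == epoch]

def shannon_entropy(counts) -> float:
    """Entropy in bits of a count distribution (0.0 if empty)."""
    counts = list(counts)
    total = sum(counts)
    return -sum(c / total * math.log2(c / total) for c in counts if c) if total else 0.0

def requester_diversity(domain, queries, epoch) -> dict:
    """RD: distinct requesters/ASNs and the entropy across ASNs, so many
    requesters in one network score lower than the same number spread out."""
    requesters = {q.requester for q in _queries_for(domain, queries, epoch)}
    per_asn = Counter(asn_of(r) for r in requesters)
    return {"n_requesters": len(requesters), "n_asns": len(per_asn),
            "asn_entropy": shannon_entropy(per_asn.values())}

def requester_profile(domain, queries, epoch) -> dict:
    """RP: weight each requester by the number of distinct domains it queried
    in the epoch; a resolver serving many clients queries many names. This is
    a simplified stand-in (assumption), not the paper's exact definition."""
    domains_per_requester = defaultdict(set)
    for q in queries:
        if q.epoch == epoch:
            domains_per_requester[q.requester].add(q.domain)
    requesters = {q.requester for q in _queries_for(domain, queries, epoch)}
    weights = [len(domains_per_requester[r]) for r in requesters]
    return {"weighted_requesters": sum(weights),
            "max_requester_weight": max(weights, default=0)}

def resolved_ip_reputation(domain, queries, epoch) -> float:
    """IPR: share of resolved addresses inside blocks known to host malware."""
    resolved = {ip for q in _queries_for(domain, queries, epoch) for ip in q.resolved}
    if not resolved:
        return 0.0
    bad = sum(any(ipaddress.ip_address(ip) in net for net in KNOWN_BAD_PREFIXES)
              for ip in resolved)
    return bad / len(resolved)

def feature_vector(domain, queries=OBSERVATIONS, epoch=1) -> dict:
    """Per-domain, per-epoch vector a supervised classifier is trained on."""
    features = requester_diversity(domain, queries, epoch)
    features.update(requester_profile(domain, queries, epoch))
    features["ip_reputation"] = resolved_ip_reputation(domain, queries, epoch)
    return features

if __name__ == "__main__":
    for name in ("example.test", "cdn.test"):
        print(name, feature_vector(name))
```

In the sample epoch, example.test is queried from three ASNs (entropy 1.5 bits), one of its requesters looks like a busy resolver (it queried three distinct names), and every address it resolves to lies in the known-bad block, so its IPR is 1.0; cdn.test, served from clean address space, gets 0.0. A real deployment would replace the /24 table with BGP data, compute the features per epoch over all domains, and feed the vectors to the classifier in training and operational mode as described above.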