master_thesis/main.tex

%-------------------
%Header
%-------------------

%Wir verwenden eine DIN-A4-Seite und die Schriftgröße 12.
\documentclass[a4paper,12pt]{scrartcl}
\title{Expose Master's thesis Felix Steghofer}


%Diese drei Pakete benötigen wir für die Umlaute, Deutsche Silbentrennung etc.
%Apple-Nutzer sollten anstelle von \usepackage[latin1]{inputenc} das Paket \usepackage[applemac]{inputenc} verwenden
\usepackage[utf8]{inputenc}
\usepackage[english]{babel}
\usepackage[T1]{fontenc}
\usepackage{enumitem}
\usepackage{listings}
\usepackage{sidecap}
\usepackage{float}
\usepackage{todonotes}

%Das Paket erzeugt ein anklickbares Verzeichnis in der PDF-Datei.
\usepackage[hyphens]{url}
\usepackage{hyperref}

%Das Paket wird für die anderthalb-zeiligen Zeilenabstand benötigt
\usepackage{setspace}

%Einrückung eines neuen Absatzes
\setlength{\parindent}{0em}

%Definition der Ränder
\usepackage[paper=a4paper,left=30mm,right=30mm,top=30mm,bottom=30mm]{geometry}

%Links format
\hypersetup{
  colorlinks   = true, %Colours links instead of ugly boxes
  urlcolor     = blue, %Colour for external hyperlinks
  linkcolor    = blue, %Colour of internal links
  citecolor   = red %Colour of citations
}

%c++ code
\lstset{language=C++,
       	basicstyle=\ttfamily,
       	keywordstyle=\color{blue}\ttfamily,
       	stringstyle=\color{red}\ttfamily,
       	commentstyle=\color{green}\ttfamily,
  	   	frame=single,
  		xrightmargin=.5em,
  		xleftmargin=.5em
      }

%Pics..
\usepackage{graphicx}
\usepackage{caption}
\usepackage{csquotes}
\usepackage{chngcntr}
\graphicspath{ {media/} }

%Pics counter
\counterwithout{figure}{section}

%Abstand der Fußnoten
\deffootnote{1em}{1em}{\textsuperscript{\thefootnotemark\ }}

%Regeln, bis zu welcher Tiefe (section,subsection,subsubsection) Überschriften angezeigt werden sollen (Anzeige der Überschriften im Verzeichnis / Anzeige der Nummerierung)
\setcounter{tocdepth}{3}
\setcounter{secnumdepth}{3}

% uncomment for bibliography
%\usepackage[backend=biber,
%style=numeric
%style=alphabetic
%style=reading
%style=authoryear-ibid
%]{bibtex}
%\addbibresource{literatur_seminararbeit}
%\defbibheading{head}{\section{Literaturverzeichnis}}
%-------------------
%Ende des Kopfbereiches
%-------------------

%-------------------
%Main
%-------------------
\begin{document}


%Beginn der Titelseite
\begin{titlepage}
\begin{small}
\vfill {Universität Passau || Siemens CERT || Master's thesis - Expose}
\end{small}


\begin{center}
\begin{Large}
\vfill{\textsf{\textbf{
Evaluation of domain reputation scoring algorithms in the field of IT-Security and development of a probabilistic hostile activities accounting algorithm.
}}}
\end{Large}
\end{center}

\begin{small}
\vfill Felix Steghofer \\ \today \\ Advisor: Thomas Penteker \\ Supervisor: Prof. Dr. rer. nat. Joachim Posegga

\end{small}

\end{titlepage}
%Ende der Titelseite


%Inhaltsverzeichnis (aktualisiert sich erst nach dem zweiten Setzen)
\tableofcontents
\thispagestyle{empty}

%Beginn einer neuen Seite
\clearpage

%Anderthalbzeiliger Zeilenabstand ab hier
\onehalfspacing

\pagestyle{plain}


\section{Abstract}
The domain name system (DNS) has been one of the corner stones of the internet
for a long time. It acts as a hierarchical, bidirectional translation device
between mnemonic domain names and network addresses. It also provides service
lookup or enrichment capabilities for a range of application protocols like
HTTP, SMTP, and SSH.
In the context of defensive IT security, investigating aspects of the DNS can
facilitate protection efforts tremendously. Estimating the reputation of
domains can help in identifying hostile activities. Such a score can, for
example, consider features like quickly changing network blocks for a given
domain or clustering of already known malicious domains and newly observed
ones.
 
The task of this work is to evaluate existing scoring mechanisms of domains in
the special context of IT security, and also research the potential for combining
different measurement approaches. It ultimately shall come up with an improved
and evaluated algorithm for determining the probability of a domain being
related to hostile activities.


\section{Related work}
Malware related dynamic domain reputation systems (Machine Learning approaches):
\begin{itemize}
    \item Notos (passive monitoring of recursive DNS traffic, may not be complete..TODO) \cite{antonakakis2010building}
    \item Exposure (like Notos, but TODO) \cite{bilge2011exposure}
    \item Kopis (working in the upper DNS hierarchy) \cite{antonakakis2011detecting}
\end{itemize}


See Figure~\ref{exposure_features} for an example of possible features. (Extracted by Exposure to do the sentiment analysis)
\begin{figure}[htbp]
\centering
\includegraphics[width=.7\textwidth]{exposure_features.png}
\caption{Features used in Exposure \cite{bilge2011exposure}}
\label{exposure_features}
\end{figure}

In comparison the Features of Kopis:

Statistical Features:
Qj (d) = (Tj , Rj , d, IPsj ) where
Tj is the epoch (time of the request/response)
Rj is the IP of the requests initiator
d the queried domain and
IPsj is the set of resolved IPs for this domain as responded

\begin{itemize}
    \item Requester Diversity: Where do request originate (overall)
    \item Requester Profile: Is the requester a single computer or does it itself handle/serve many client (RDNS server of a large ISP). Different profiles can therefor be weighted accordingly
    \item Resolved-IPs Reputation (IPR): 
\end{itemize}


Comparing those three systems, Kopis successes for a dynamic, independent and global domain reputation scoring algorithm so far. It uses a supervised machine learning approach where within the training mode it uses a set of sentimentally annotated \textit{malware-related} and \textit{known legitimate} domain names to build a model based on query/response
patterns that can be used to statistically classify in operational mode.

high detection rates (e.g., 98.4%)
low false positive rates (e.g., 0.3% or 0.5%)


%
% Bibliography
%
\bibliographystyle{abbrv}
\bibliography{bib}

%list of all pictures
\listoffigures

\end{document}
%-------------------
%End
%-------------------