Baythreat Cryptolocker Presentation


DESCRIPTION

OpenDNS Security Labs Team members Ping Yan and Thibault Reuille presented this talk at BayThreat 2013.


THE RIPPLE EFFECT CONTAINING CRYPTOLOCKER

& VISUALIZING KNOWLEDGE

BayThreat 2013

Ping Yan & Thibault Reuille

PING

Chinese

University of Arizona Graduate School

Data Mining, Machine Learning

Info Sec

THIBAULT

Parisian, moved to Cali in 2010

Security and Visualization?

Knowledge base visualization

AGENDA

Introduction

OpenDNS Security Graph

Cryptolocker

Impact

Conclusion

DEMO

craigslist.com neighborhood

KNOWLEDGE

Let's step back

Periodic jobs insert metrics / entities / relationships into the graph model
~ 35 000 000 names per day
~ 62 000 000 related domains per day
~ 21 000 spiking domains per day

Higher level of abstraction: Graph = Set of nodes + Set of edges
Semantic graph applied to DNS problems

Exploration and classification
Dig into the knowledge base to discover malicious clusters
Use our indicators to perform machine learning

Knowledge-based threat detection
Ontology: model of the model
Pattern detection: identification of hidden rules
Prediction = anticipation

3D ENGINE

What did you just see?

From data to 3D space
Nodes are 3D vertices
Edges are 3D lines
Security Graph attributes interpreted as color / size / width / activity

Force-directed physics engine
Inspired by the electrical forces model (attraction / repulsion defined by edges)
Molecular structure
Dynamic and auto-adapting layout

Visual scripts
Python scripts to highlight features of the model

WHY?

Shape
Algorithms populate our knowledge graph
Creation is understood, output is complex
Layout defined by model structure
Closer to the "natural shape" of the data
Take advantage of the GPU to untangle information

Evolution
Security Graph is dynamic, constantly changing
Monitoring evolution over time

Investigation
Humans are better at processing shapes than numbers
Solid tool to build hypotheses / heuristics

Detection
Semantic-based threat detection
Action applied to graph pattern
Multi-agent algorithms
Decentralize / parallelize pattern detection

SCENARIO

Domain (yellow) / IP (purple) graph of spiking domains

SCENARIO

Mining information from seeds

SCENARIO

What do we already know ?

SCENARIO

Classification

SCENARIO

Investigation

The process of searching for the new and the unknown ... starting from the seed intelligence

1. Infection
2. Retrieve encryption key from CnC
3. Encrypt data files
4. Collect money

IP CnC fails quickly
DGA kicks in

The DGA algorithm wasn't revealed until several weeks later, and was only shared within closed security communities.

It hasn't changed since.

CO-OCCURRENCES

ALGORITHM

DEMO

Interactive expanding in 3D from a Cryptolocker domain

Use a GIF if the internet doesn't work (put the GIF in the slides)

+ Show CL domain level 4 dataset
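The seed expansion the demo performs, written out as an added example that is not code from the talk or from OpenDNS: a breadth-first walk over a domain-to-IP graph built from constructed passive-DNS records (every name and address below is made up), stopping at a chosen level and skipping high-fanout IPs (shared hosting, CDN, sinkhole) so one busy address does not pull unrelated domains into the Cryptolocker cluster.

```python
from collections import defaultdict, deque

# Constructed passive-DNS observations (day, domain, ip); names and
# addresses are made up for this example, not real Cryptolocker data.
RECORDS = [
    ("2013-10-02", "seed-dga-a.ru", "203.0.113.10"),
    ("2013-10-02", "seed-dga-a.ru", "203.0.113.20"),
    ("2013-10-03", "dga-b.biz", "203.0.113.10"),
    ("2013-10-03", "dga-c.info", "203.0.113.20"),
    ("2013-10-04", "dga-c.info", "203.0.113.30"),
    ("2013-10-05", "dga-d.net", "203.0.113.30"),
    # A shared address (CDN / hosting / sinkhole) serving many unrelated
    # names: expanding through it would drag benign domains into the cluster.
    ("2013-10-04", "dga-b.biz", "198.51.100.1"),
    ("2013-10-04", "news.example", "198.51.100.1"),
    ("2013-10-04", "shop.example", "198.51.100.1"),
    ("2013-10-04", "mail.example", "198.51.100.1"),
]


def build_graph(records):
    """Bipartite graph: domain -> IPs it resolved to, IP -> domains seen on it."""
    dom2ip, ip2dom = defaultdict(set), defaultdict(set)
    for _day, dom, ip in records:
        dom2ip[dom].add(ip)
        ip2dom[ip].add(dom)
    return dom2ip, ip2dom


def expand(seed, records, max_level=4, max_fanout=3):
    """Breadth-first expansion from a seed domain through shared resolving IPs.

    Returns {domain: level}, level being the number of domain->IP->domain hops
    from the seed. IPs hosting more than max_fanout distinct domains are treated
    as hubs and are not traversed.
    """
    dom2ip, ip2dom = build_graph(records)
    levels = {seed: 0}
    queue = deque([seed])
    while queue:
        dom = queue.popleft()
        if levels[dom] >= max_level:
            continue
        for ip in dom2ip.get(dom, ()):
            if len(ip2dom[ip]) > max_fanout:
                continue  # hub address: skip rather than link everything
            for nxt in ip2dom[ip]:
                if nxt not in levels:
                    levels[nxt] = levels[dom] + 1
                    queue.append(nxt)
    return levels
```

With the defaults, the walk from seed-dga-a.ru returns dga-b.biz and dga-c.info at level 1 and dga-d.net at level 2, and leaves the three names behind the shared address alone; raising max_fanout pulls them in at level 2.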

[Chart: Cryptolocker DNS Requests Acquired per Day, 20-Oct through 30-Oct; daily counts between 7.3M and 28.7M]

DOMAINS RESOLVED DAILY TO SEVERAL IP ADDRESSES THAT ROTATE IN AND OUT

[Chart: eleven Cryptolocker DGA domains (rows) against the days 2-Oct through 30-Oct (columns), showing which of 18 IP addresses each name resolved to on each day]

25 Unique Domains Over 9 Days Resolved to 81.177.170.166

On 11-Oct, 39 Domains Resolved (and not sinkholed)

[Chart: per-day counts of resolving domains, peaking at 39 on 11-Oct]

IP WORLD MAP

Cryptolocker client IP addresses over 3 days.

IP INFECTION MAPS

World

Cryptolocker

CONCLUSION

Run 3D Cryptolocker

(LIVE DEMO)

(MV) http://vimeo.com/79840833
