6.4 Classification based on Features of a Domain Name
6.4.1 Shortcomings of Existing Methods
Overall, the KL-based classifier performed reasonably well, providing classification decisions for all the domain clusters within a few minutes. The problem, however, is that it required on the order of a few hundred domain names in each cluster to provide accurate results. To see why this is problematic, note that it may take several hours before a cluster meets the minimum threshold required to achieve the classification results given in Table 6.3. In particular, during a one-week period there were eight conficker instances, one cridex, and one spambot. Two of the conficker instances queried fewer than 200 randomly generated domain names, while the other six instances took almost three hours to query 100 domain names and 3.5 days to query 500 domain names. The cridex and spambot instances generated fewer than 10 domain name lookups during 3.5 days. This rate of activity requires many days of monitoring before classification can occur, rendering the technique unusable for detecting and blocking malicious activity from these sources.
From an operational perspective, the Jaccard Index approach is appealing because of its ease of implementation and reasonable performance. The simplicity, however, comes at the cost of computation time: it took several hours to classify all the domain clusters in just one day’s worth of DNS traffic. Another disadvantage is that the approach is highly sensitive to the training dataset and to the number of domain names in the cluster being evaluated.
Methods based on edit distance, on the other hand, have the advantage of not requiring training data and can operate on small clusters of names. That said, the edit distance approach was the least effective of the techniques evaluated. Its high false positive rates are tightly coupled with the difficulty of selecting an appropriate threshold value. For real-world deployments, the need to constantly monitor and fine-tune these thresholds significantly diminishes its practical utility. This technique was also extremely slow, taking several hours to process the dataset.
The analyses indicate that the examined approaches are not robust enough to be used in production environments. This is particularly true if additional auxiliary information (e.g., real-time reputation information from various network vantage points in the DNS hierarchy (Antonakakis et al., 2012)) is not being used to help address real-world issues that arise when dealing with the complexities of network traffic, where friend or foe can be easily confused. These techniques all make the fallacious assumption that anomalous behavior equates to malicious activity; the use of algorithmically generated names for benign purposes undermines this assumption.
6.5 Approach
To address the accuracy and performance issues inherent in the aforementioned approaches, a lightweight algorithm based on sequential hypothesis testing is presented. It examines traffic patterns, rather than properties of a domain name, in order to classify clients. The intuition behind the approach is that a compromised host tends to “scan” the DNS namespace looking for a valid command and control server. In doing so, it generates a relatively high number of unique second-level domains, which elicit more NX responses than a benign host would receive. As a result, the problem lends itself to using sequential hypothesis testing (Wald, 1947) to classify clients as bots based on online observations of unique NX responses.
The general idea is illustrated in Figure 6.5. In Step 1, the amount of data to analyze is reduced by over 90% by retaining only NX response packets. Next, the client IP address and the zone of the domain name are extracted from each packet (Step 2), and NX responses for well-known (benign) domain names are filtered out (Step 3). The zone information of the remaining domain names is used to adjust the client’s score. The score is adjusted up or down based on whether the client has seen the zone before (Step 4). Finally, the new score is compared to both a benign threshold and a bot threshold. If either threshold is crossed, then the client is classified; otherwise, the client remains in the pending state, waiting for another NX response (Step 5).
[Figure: DNS Packets, Capture NX Responses, Extract Client IPs and DNS Zones, Filter Benign NX Packets, Update Client Score, Hypothesis Test, Classify Host (Benign, Bot, Pending)]
Figure 6.5: High-level overview of the workflow.
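The first three steps of the workflow can be sketched as a small streaming filter. This is a minimal illustration rather than the implementation used in this work: the `DnsResponse` record, the `nx_zone_events` function, and the naive "last two labels" zone extraction are assumptions made for the example. The only protocol fact relied on is that an NX response carries DNS RCODE 3 (Name Error).

```python
from typing import FrozenSet, Iterable, Iterator, NamedTuple, Tuple

NXDOMAIN = 3  # DNS RCODE for "Name Error", i.e. an NX response


class DnsResponse(NamedTuple):
    """Hypothetical, already-parsed DNS response record (an assumption)."""
    client_ip: str
    qname: str
    rcode: int


def nx_zone_events(
    responses: Iterable[DnsResponse],
    benign_zones: FrozenSet[str],
) -> Iterator[Tuple[str, str]]:
    """Yield (client_ip, zone) pairs that survive Steps 1 to 3."""
    for r in responses:
        # Step 1: keep only NX responses.
        if r.rcode != NXDOMAIN:
            continue
        # Step 2: extract the client IP and the zone of the queried name.
        # Naive assumption: the zone is the last two labels of the name.
        labels = r.qname.rstrip(".").lower().split(".")
        zone = ".".join(labels[-2:])
        # Step 3: drop NX responses for well-known (benign) zones.
        if zone in benign_zones:
            continue
        yield r.client_ip, zone
```

Each pair that this generator yields would then feed the score update and the hypothesis test (Steps 4 and 5).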
The goal is to accurately classify a host as a bot or benign while observing as few outcomes as possible. To that end, the problem is approached by considering two competing hypotheses, defined as follows:
Null hypothesis $H_0$ = the local client $l$ is benign.
Alternative hypothesis $H_1$ = the local client $l$ is a bot.
A sequential hypothesis test observes success and failure outcomes ($Y_i$, $i = 1, \ldots, n$) in sequence and updates a test score after each outcome. A success pushes the score for client $l$ towards a benign threshold, while a failure pushes the score towards a bot threshold. In the current context, success and failure outcomes are defined as follows:
Success ($Y_i = 0$): Client $l$ receives an NX response for a DNS zone it has already seen.
Failure ($Y_i = 1$): Client $l$ receives an NX response for a unique DNS zone.
For simplicity, a DNS zone is considered to be any portion of the DNS namespace that is administered by a single entity (e.g., the google.com zone is administered by Google).
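The success and failure outcomes defined above amount to a per-client membership check. The following sketch assumes zones have already been extracted as strings; the `OutcomeTracker` class and its method names are hypothetical and serve only to illustrate the definition.

```python
from collections import defaultdict
from typing import DefaultDict, Set


class OutcomeTracker:
    """Tracks, per client, the DNS zones for which NX responses were seen."""

    def __init__(self) -> None:
        self._seen: DefaultDict[str, Set[str]] = defaultdict(set)

    def outcome(self, client_ip: str, zone: str) -> int:
        """Return 0 (success) for an already-seen zone, 1 (failure) otherwise."""
        seen = self._seen[client_ip]
        if zone in seen:
            return 0  # success: NX response for a zone seen before
        seen.add(zone)
        return 1      # failure: NX response for a unique zone
```

State is kept per client, so a zone that is new to one client counts as a failure for that client even if other clients have already queried it.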
The size of the step taken towards the thresholds is determined by the values $\theta_0$ and $\theta_1$. The value of $\theta_0$ is defined as the probability that a benign host generates a successful event, while $\theta_1$ is the probability that a malicious host generates a successful event. More formally, $\theta_0$ and $\theta_1$ are defined as:
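\begin{equation}
\begin{aligned}
\Pr[Y_i = 0 \mid H_0] &= \theta_0, & \Pr[Y_i = 1 \mid H_0] &= 1 - \theta_0 \\
\Pr[Y_i = 0 \mid H_1] &= \theta_1, & \Pr[Y_i = 1 \mid H_1] &= 1 - \theta_1
\end{aligned}
\tag{6.1}
\end{equation}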
Using the distribution of the Bernoulli random variable, the sequential hypothesis score (or likelihood ratio) is calculated as follows:
\begin{equation}
\Lambda(Y) = \frac{\Pr[Y \mid H_1]}{\Pr[Y \mid H_0]} = \prod_{i=1}^{n} \frac{\Pr[Y_i \mid H_1]}{\Pr[Y_i \mid H_0]}
\tag{6.2}
\end{equation}
where $Y$ is the vector of events observed and $\Pr[Y \mid H_i]$ represents the probability mass function of event stream $Y$ given that $H_i$ is true. The score is then compared to an upper threshold ($\eta_1$) and a lower threshold ($\eta_0$). If $\Lambda(Y) \le \eta_0$, then accept $H_0$ (i.e., the host is benign), and if $\Lambda(Y) \ge \eta_1$, accept $H_1$ (i.e., the host is malicious). If $\eta_0 < \Lambda(Y) < \eta_1$, then no decision is made (i.e., pending state) and one must wait for another observation.
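As a worked step, the likelihood ratio can be expanded using the Bernoulli probabilities in Equation 6.1. The derivation below is a sketch that follows directly from Equations 6.1 and 6.2; the symbols $s$ and $f$ are shorthand introduced here for the number of successes and failures among the $n$ observations.

```latex
\begin{align*}
\Pr[Y_i \mid H_j] &= \theta_j^{\,1 - Y_i}\,(1 - \theta_j)^{Y_i},
  \qquad j \in \{0, 1\} \\
\Lambda(Y) &= \prod_{i=1}^{n}
  \left(\frac{\theta_1}{\theta_0}\right)^{1 - Y_i}
  \left(\frac{1 - \theta_1}{1 - \theta_0}\right)^{Y_i}
  = \left(\frac{\theta_1}{\theta_0}\right)^{s}
    \left(\frac{1 - \theta_1}{1 - \theta_0}\right)^{f},
  \qquad s + f = n
\end{align*}
```

Assuming $\theta_1 < \theta_0$ (a bot is less likely than a benign host to receive an NX response for a zone it has already seen), each success multiplies the score by a factor below 1 and each failure multiplies it by a factor above 1. The score can therefore be maintained incrementally, with one multiplication per observation.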
The thresholds are calculated based on user-selected values $\alpha$ and $\beta$, which represent the desired false positive and true positive rates, respectively. The parameters are typically set to $\alpha = 0.01$ and $\beta = 0.99$. The upper bound threshold is calculated as:
\begin{equation}
\eta_1 = \frac{\beta}{\alpha}
\tag{6.3}
\end{equation}
while the lower bound is computed as:
\begin{equation}
\eta_0 = \frac{1 - \beta}{1 - \alpha}
\tag{6.4}
\end{equation}
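To make the thresholds and the score update concrete, the sketch below computes $\eta_0$ and $\eta_1$ from Equations 6.3 and 6.4 and applies the likelihood ratio of Equation 6.2 one observation at a time. The names `thresholds` and `SequentialTest` are hypothetical, and the values $\theta_0 = 0.8$ and $\theta_1 = 0.2$ in the usage note are illustrative assumptions, not parameters reported in this work.

```python
from dataclasses import dataclass
from typing import Tuple


def thresholds(alpha: float, beta: float) -> Tuple[float, float]:
    """Return (eta0, eta1) as defined in Equations 6.4 and 6.3."""
    eta0 = (1.0 - beta) / (1.0 - alpha)
    eta1 = beta / alpha
    return eta0, eta1


@dataclass
class SequentialTest:
    """Incremental likelihood-ratio test for a single client."""
    theta0: float        # Pr[success | benign]
    theta1: float        # Pr[success | bot]
    alpha: float = 0.01  # desired false positive rate
    beta: float = 0.99   # desired true positive rate
    score: float = 1.0   # likelihood ratio before any observation

    def observe(self, y: int) -> str:
        """Update the score with outcome y (0 = success, 1 = failure)."""
        if y == 0:
            self.score *= self.theta1 / self.theta0
        else:
            self.score *= (1.0 - self.theta1) / (1.0 - self.theta0)
        eta0, eta1 = thresholds(self.alpha, self.beta)
        if self.score >= eta1:
            return "bot"
        if self.score <= eta0:
            return "benign"
        return "pending"
```

With $\alpha = 0.01$ and $\beta = 0.99$, the thresholds evaluate to $\eta_1 = 99$ and $\eta_0 \approx 0.0101$. Under the illustrative values $\theta_0 = 0.8$ and $\theta_1 = 0.2$, each failure multiplies the score by 4 and each success by 0.25, so four consecutive failures (score 256) classify the client as a bot and four consecutive successes (score of about 0.0039) classify it as benign.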
A key challenge in this setting is that because internal hosts are monitored, all client-side DNS traffic is visible, including the benign queries (e.g., from web browsing sessions) as well as the malicious queries of the bot. However, since the benign activities mostly result in successful DNS responses, one can safely filter such traffic and focus on NX responses (where the bot has more of an impact). This strategy has the side effect of discarding the vast majority of DNS packets, thereby allowing operation at higher network speeds. The traffic is further filtered by processing only second-level DNS zones, rather than fully qualified domain names (FQDNs). One can focus on second-level domains since most bots generate randomized second-level domains in order to make it more difficult to blacklist them and to hamper take-down efforts.
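Reducing an FQDN to its second-level zone can be sketched as follows. This is a simplified illustration: the function name `second_level_zone` and the tiny `MULTI_LABEL_SUFFIXES` set are assumptions made for the example, and a real deployment would likely need a complete list of public suffixes to handle names registered under suffixes such as co.uk.

```python
# Hypothetical, deliberately tiny sample of multi-label public suffixes.
MULTI_LABEL_SUFFIXES = frozenset({"co.uk", "com.au", "co.jp"})


def second_level_zone(fqdn: str) -> str:
    """Reduce a fully qualified domain name to its second-level zone."""
    # Normalize: drop the trailing root dot and ignore case.
    labels = fqdn.rstrip(".").lower().split(".")
    # Names under a multi-label suffix need one extra label.
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    # Default: the last two labels (or the whole name if it is shorter).
    return ".".join(labels[-2:])
```

For example, `second_level_zone("www.mail.google.com.")` yields `google.com`, so every hostname under the same zone maps to a single key when client state is updated.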
One can also take advantage of the fact that NX traffic access patterns for benign hosts follow a Zipf distribution. Indeed, over 90% of NX responses in the data are for just 100 unique zones. The bot DNS queries lie in the tail of the Zipf curve, hidden by the vast amounts of benign traffic. To quickly sift through this mountain of data, a Zipf filter comprising the most popular zones¹ is applied, and matches are removed using a perfect hash. Finally, each time a client is declared benign, its state is reset, forcing it to continuously re-prove itself.
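One way to picture the Zipf filter is as a set of the most frequently observed NX zones. The sketch below is an assumption-laden illustration: the function names `build_zipf_filter` and `coverage` are hypothetical, how the popular zones were actually selected is not specified here, and a Python `frozenset` stands in for the perfect hash mentioned above.

```python
from collections import Counter
from typing import FrozenSet, Iterable


def build_zipf_filter(nx_zones: Iterable[str], top_k: int = 100) -> FrozenSet[str]:
    """Return the top_k most frequent zones among observed NX responses."""
    counts = Counter(nx_zones)
    return frozenset(zone for zone, _ in counts.most_common(top_k))


def coverage(nx_zones: Iterable[str], popular: FrozenSet[str]) -> float:
    """Fraction of NX responses that the filter would remove."""
    zones = list(nx_zones)
    if not zones:
        return 0.0
    return sum(zone in popular for zone in zones) / len(zones)
```

A filter built this way could be checked against the observation above by confirming that `coverage` exceeds 0.9 on held-out traffic; only the zones that do not match the filter are passed on to the per-client hypothesis test.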