
Talos : Building World-Wide Domain Reputation

Ray Liao (ray_liao@trend.com.tw), Jerry J Wu (jerry_j_wu@trend.com.tw), Trend Micro Inc.

Slide deck on TALOS, a system for building comprehensive world-wide domain reputation: identifying high-risk domains, legitimate domains and non-compromised sites, and rating domains by intention.


Presentation Transcript


  1. Talos: Building World-Wide Domain Reputation (slide footer: Talos . External)
     Ray Liao (ray_liao@trend.com.tw), Jerry J Wu (jerry_j_wu@trend.com.tw), Trend Micro Inc.

  2. Types of Analysis (TALOS)

  3. Goal
     • Comprehensive domain reputation
     • High-risk domains
     • Legitimate domains
     • Not compromised sites
     • Rate by intention

  4. How?
     • Domain Snapshot
     • Domain History
     • Analysis
       • Identify classes of event worthy of investigation.
       • Identify domains associated with suspicious events.

  5. Sourcing
     • How to get a whole picture, domain-wise?
     • No single type of sourcing is perfect (legal, anonymous services, etc.)
     • Combination of various types of data sources
     • Observational data

  6. Building the network structure
     • Organize domains by
       • Structural relationship
       • Custom-defined relationships
     • Indexing for fast lookup

  7. System Architecture (diagram slide)

  8. Static Analysis
     • Analysis based on a single snapshot of world-wide domains
       • Analysis by keyword
       • Analysis by structure (relationship)

  9. Keyword analysis
     • Phishing attack
       • Masquerading as another trustworthy entity.
       • Similarity to the object of the masquerade
         • Content
         • Domain name
     • Template-generated disposable domains

  10. Static Analysis – Example (1) (figure slide)

  11. Analysis by relationship
      • Form follows function
        • Reuse of the existing network structure
        • Businesses reuse infrastructure
        • So do bad guys
      • Most attacks do not come alone
      • Observation
        • Good guy: like repels like
        • Bad guy: like attracts like

  12. Static Analysis – Example (2) (figure slide)

  13. Static Analysis – Example (3) (figure slide)

  14. Static Analysis – Example (4) (figure slide)

  15. Dynamic Analysis
      • Analysis across multiple snapshots
      • More complex than static analysis
        • Type of change (from X to Y)
        • What is being changed (value)
        • Rate of change
        • More
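The three quantities the slide names for dynamic analysis (the type of change from X to Y, the value being changed, and the rate of change) can be computed directly from a domain's snapshot history. The Python below is an added example and is not part of the Talos system; the two snapshot histories, the attribute names (registrant, ns, ip) and the churn threshold are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Snapshot:
    """One observation of a domain's attributes (constructed field set: registrant, ns, ip)."""
    taken: date
    attrs: dict


@dataclass(frozen=True)
class Change:
    """One 'from X to Y' event: which field changed, its old and new value, and when it was seen."""
    taken: date
    field: str
    old: Optional[str]
    new: Optional[str]


# Constructed history of a domain whose infrastructure barely moves over three weeks.
STABLE = [
    Snapshot(date(2010, 4, 1), {"registrant": "Alice", "ns": "ns1.example-host.test", "ip": "198.51.100.10"}),
    Snapshot(date(2010, 4, 8), {"registrant": "Alice", "ns": "ns1.example-host.test", "ip": "198.51.100.10"}),
    Snapshot(date(2010, 4, 15), {"registrant": "Alice", "ns": "ns1.example-host.test", "ip": "198.51.100.11"}),
    Snapshot(date(2010, 4, 22), {"registrant": "Alice", "ns": "ns1.example-host.test", "ip": "198.51.100.11"}),
]

# Constructed history of a domain whose IP changes daily and whose name servers change twice in four days.
CHURN = [
    Snapshot(date(2010, 4, 20), {"registrant": "George", "ns": "ns1.alpha.test", "ip": "203.0.113.5"}),
    Snapshot(date(2010, 4, 21), {"registrant": "George", "ns": "ns1.alpha.test", "ip": "203.0.113.17"}),
    Snapshot(date(2010, 4, 22), {"registrant": "George", "ns": "ns1.beta.test", "ip": "203.0.113.29"}),
    Snapshot(date(2010, 4, 23), {"registrant": "George", "ns": "ns1.beta.test", "ip": "203.0.113.41"}),
    Snapshot(date(2010, 4, 24), {"registrant": "George", "ns": "ns1.gamma.test", "ip": "203.0.113.53"}),
]


def diff_snapshots(snapshots):
    """Type of change: every attribute change between consecutive snapshots, in time order."""
    ordered = sorted(snapshots, key=lambda s: s.taken)
    changes = []
    for prev, cur in zip(ordered, ordered[1:]):
        for name in sorted(set(prev.attrs) | set(cur.attrs)):
            old, new = prev.attrs.get(name), cur.attrs.get(name)
            if old != new:
                changes.append(Change(cur.taken, name, old, new))
    return changes


def changed_fields(snapshots):
    """What is being changed: number of change events per attribute."""
    return Counter(c.field for c in diff_snapshots(snapshots))


def change_rate(snapshots, field_name=None):
    """Rate of change in events per day over the observation window (0.0 for a single snapshot)."""
    ordered = sorted(snapshots, key=lambda s: s.taken)
    days = (ordered[-1].taken - ordered[0].taken).days
    events = [c for c in diff_snapshots(ordered) if field_name is None or c.field == field_name]
    return len(events) / days if days > 0 else 0.0


def classify(snapshots, threshold=0.5):
    """Assumed rule: more than `threshold` changes per day marks a domain as high churn."""
    return "high churn" if change_rate(snapshots) > threshold else "stable"


if __name__ == "__main__":
    for name, history in (("stable-domain", STABLE), ("churn-domain", CHURN)):
        print(name, classify(history), f"{change_rate(history):.2f} changes/day", dict(changed_fields(history)))
        for c in diff_snapshots(history):
            print("  ", c.taken, c.field, c.old, "->", c.new)
```

The per-field rate (`change_rate(history, "ip")`) separates an IP that rotates daily from a one-off hosting migration, which is the distinction the slide's "what is being changed" bullet is pointing at.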

  16. Dynamic Analysis – Example (4)

      LCS       Domains                Rating       Registrant     Date
      [item]    ideaitem.info.         Malicious    George ---     4/24
      [item]    itemgroup.info.        Malicious    George ---     4/24
      [item]    itemhosting.info.      Malicious    George ---     4/24
      [item]    itemmusic.info.        Malicious    George ---     4/24
      [item]    propertyitem.info.     No Rating    George ---     4/24
      [item]    youitem.info.          No Rating    George ---     4/24

      [item]    ideaitem.info.         Malicious    George ---     4/24
      [item]    imageitem.info.        Malicious    George ---     4/24
      [item]    itemgroup.info.        Malicious    George ---     4/24
      [item]    itemhosting.info.      Malicious    George ---     4/24
      [item]    itemsoft.info.         Malicious    George ---     4/24
      [item]    propertyitem.info.     No Rating    George ---     4/24
      [item]    youitem.info.          No Rating    George ---     4/24

      [yahoo]   coolyahoo.info.        Malicious    Dorothy ---    4/24
      [yahoo]   dotyahoo.info.         Malicious    Dorothy ---    4/24
      [yahoo]   lifeyahoo.info.        Malicious    Dorothy ---    4/24
      [yahoo]   www.yahooauto.info.    Malicious    Dorothy ---    4/24
      [yahoo]   yahooblue.info.        Malicious    Dorothy ---    4/24
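The grouping on this slide (domains that share a longest common substring such as "item" or "yahoo" and a registrant, some rated Malicious and some with No Rating), the "like attracts like" observation from slide 11, and the domain-name similarity check from slide 9 can be combined into a small rating-by-association routine. The following Python is an added example, not Trend Micro's Talos code; the records are constructed from the table above, and the LCS/registrant grouping rule, the malicious-count and ratio thresholds, and the TRUSTED_BRANDS set are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DomainRecord:
    domain: str       # as listed on the slide, may carry a trailing dot or a www. prefix
    rating: str       # "Malicious" or "No Rating" in the slide's table
    registrant: str   # registrant name from the WHOIS snapshot
    date: str         # snapshot date


# Constructed sample mirroring the slide's table, with both listings merged.
RECORDS = [
    DomainRecord("ideaitem.info.", "Malicious", "George", "4/24"),
    DomainRecord("itemgroup.info.", "Malicious", "George", "4/24"),
    DomainRecord("itemhosting.info.", "Malicious", "George", "4/24"),
    DomainRecord("itemmusic.info.", "Malicious", "George", "4/24"),
    DomainRecord("propertyitem.info.", "No Rating", "George", "4/24"),
    DomainRecord("youitem.info.", "No Rating", "George", "4/24"),
    DomainRecord("ideaitem.info.", "Malicious", "George", "4/24"),   # repeated in the second listing
    DomainRecord("imageitem.info.", "Malicious", "George", "4/24"),
    DomainRecord("itemsoft.info.", "Malicious", "George", "4/24"),
    DomainRecord("coolyahoo.info.", "Malicious", "Dorothy", "4/24"),
    DomainRecord("dotyahoo.info.", "Malicious", "Dorothy", "4/24"),
    DomainRecord("lifeyahoo.info.", "Malicious", "Dorothy", "4/24"),
    DomainRecord("www.yahooauto.info.", "Malicious", "Dorothy", "4/24"),
    DomainRecord("yahooblue.info.", "Malicious", "Dorothy", "4/24"),
]

TRUSTED_BRANDS = {"yahoo"}  # assumption: brand tokens worth a masquerade check (slide 9)


def second_level_label(domain):
    """'www.yahooauto.info.' -> 'yahooauto': the part of the name a registrant chooses."""
    name = domain.rstrip(".").lower()
    if name.startswith("www."):
        name = name[4:]
    return name.split(".")[0]


def longest_common_substring(labels, min_len=3):
    """Longest substring present in every label, or '' if none reaches min_len."""
    labels = list(labels)
    if not labels:
        return ""
    shortest = min(labels, key=len)
    for length in range(len(shortest), min_len - 1, -1):
        for start in range(len(shortest) - length + 1):
            candidate = shortest[start:start + length]
            if all(candidate in label for label in labels):
                return candidate
    return ""


def lcs_groups(records):
    """Group unique domains by registrant and label each group with the LCS of its names."""
    by_registrant = defaultdict(dict)
    for rec in records:
        by_registrant[rec.registrant][rec.domain] = rec   # dedupe repeats across listings
    groups = {}
    for registrant, members in by_registrant.items():
        lcs = longest_common_substring(second_level_label(d) for d in members)
        groups[(lcs, registrant)] = list(members.values())
    return groups


def rate_by_association(records, min_malicious=2, min_ratio=0.5):
    """Assumed rule: an unrated domain is suspicious when its LCS/registrant group is mostly malicious."""
    inferred = {}
    for (lcs, registrant), members in lcs_groups(records).items():
        if not lcs:
            continue
        malicious = sum(m.rating == "Malicious" for m in members)
        if malicious < min_malicious or malicious / len(members) < min_ratio:
            continue
        for m in members:
            if m.rating == "No Rating":
                inferred[m.domain] = (f"Suspicious: shares '{lcs}' and registrant {registrant} "
                                      f"with {malicious} malicious domains")
    return inferred


def masquerade_targets(domain, brands=TRUSTED_BRANDS):
    """Brand tokens embedded in a label that is not the brand itself (slide 9 domain-name similarity)."""
    label = second_level_label(domain)
    return {b for b in brands if b in label and label != b}


if __name__ == "__main__":
    for domain, reason in rate_by_association(RECORDS).items():
        print(domain, reason)
    for rec in RECORDS:
        if masquerade_targets(rec.domain):
            print(rec.domain, "embeds trusted brand", masquerade_targets(rec.domain))
```

The deduplication step matters: the slide lists ideaitem.info twice because the group was captured in two listings, and counting it twice would inflate the malicious ratio. The thresholds are deliberately conservative so that a registrant with one bad domain among many unrelated ones does not taint the rest.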

  17. qebinehuh.com

  18. Some Statistics about Talos
      • 9 billion domain-related records as input per day
      • 4 TB of domain information over the past three months, involving 1 billion domains that are frequently accessed
      • 1 million domains identified as white-listed domains
      • Refreshed daily

  19. Questions?

  20. Thank You
