In this post I share 9 links to resources related to Network Beacon detection.

Network beacons are continuous, automated communications between two hosts. Network beacon detection focuses on identifying this automated traffic, with the primary goal of aiding in detecting malware infections or adversary activity that has been missed by other controls.

Beacon detection is a useful building-block analytic with many different use cases.

  • Threat hunting and malware command and control (C2) detection - aid in detecting malware missed by anti-virus products.
  • Detection of automated third-party traffic - detection of ongoing automated traffic to third parties may reveal unknown or emerging business relationships.
  • Identification of automated web application dependencies (within an enterprise or external to an enterprise).

Links:

–Jason
@jason_trost

The “short links” format was inspired by O’Reilly’s Four Short Links series.

In this short blog, I share 3 papers and 7 tools that focus on detecting cybersquatting domains (including typosquatting, homograph, combosquatting, etc.).

Tools for generating cybersquatting domains (for use in detection)

Lots of other tools/libraries now exist if you need an implementation in a different language. See these GitHub tags for many more tools: typosquatting, homoglyph, and homograph-attack.

–Jason
@jason_trost


In this short blog, I share four papers that focus on detecting malicious lateral movement (a.k.a. pivoting, a.k.a. island hopping).

Papers:

Lastly, if you’re interested in discovering more interesting papers like these, use the method I outlined here.

–Jason
@jason_trost


In this short blog, I share seven papers that focus on detecting Dictionary Domain Generation Algorithm (DGA) domains, a.k.a. word-based DGAs. Dictionary DGAs are algorithms seen in various malware families (suppobox, matsnu, gozi, rovnix, etc.) that are used to periodically generate a large number of domain names built from pseudo-randomly concatenated words taken from a dictionary. These domains may appear legitimate at first glance and are often able to evade blacklisting as well as traditional DGA detections based on entropy or counts of consonants vs. vowels. Below is a small sample of rovnix domains from Unit 42’s blog post.

  • kingwhichtotallyadminis[.]biz
  • thareplunjudiciary[.]net
  • townsunalienable[.]net
  • taxeslawsmockhigh[.]net
  • transientperfidythe[.]biz
  • inhabitantslaindourmock[.]cn
  • thworldthesuffer[.]biz
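
To make the evasion claim concrete, here is an added example (not code from the original post or from any of the papers) that computes the two classic DGA features, Shannon entropy and vowel ratio, for the rovnix labels above, and then scores the same labels with a dictionary word-coverage feature of the kind the word-based detectors rely on. The random-looking DGA labels, the benign names, the tiny word list and the final threshold rule are all constructed for illustration.

```python
import math
from collections import Counter

# Constructed inputs: the seven rovnix labels quoted above (defanged "[.]"
# is normalised), plus hypothetical random-looking DGA labels and benign
# names. The non-rovnix entries are made up and are not real indicators.
ROVNIX = ["kingwhichtotallyadminis[.]biz", "thareplunjudiciary[.]net",
          "townsunalienable[.]net", "taxeslawsmockhigh[.]net",
          "transientperfidythe[.]biz", "inhabitantslaindourmock[.]cn",
          "thworldthesuffer[.]biz"]
RANDOM_DGA = ["xk3q9pzt7vbm.com", "qwzrtpvbnmkl.net", "hjkdfgsqpzxc.biz"]
BENIGN = ["example.com", "wikipedia.org", "github.com"]

# Tiny hypothetical word list; a real detector would load a full dictionary.
WORDS = {"king", "which", "totally", "admin", "hare", "judiciary", "towns",
         "unalienable", "taxes", "laws", "mock", "high", "transient",
         "perfidy", "the", "inhabitants", "lain", "dour", "world", "suffer",
         "example", "wiki", "git", "hub"}

def label(domain):
    """Left-most label of a possibly defanged domain."""
    return domain.replace("[.]", ".").split(".")[0]

def entropy(s):
    """Shannon entropy in bits per character (a classic DGA feature)."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def vowel_ratio(s):
    """Share of vowels (the classic consonant-vs-vowel feature)."""
    return sum(ch in "aeiou" for ch in s) / len(s)

def word_coverage(s, words=WORDS):
    """Largest fraction of characters explained by dictionary words and how
    many words that uses (left-to-right DP; unmatched chars are skipped)."""
    best = [(0, 0)] * (len(s) + 1)      # (covered chars, words) up to i
    for i in range(1, len(s) + 1):
        best[i] = best[i - 1]
        for w in words:
            if s.endswith(w, 0, i):
                prev = best[i - len(w)]
                best[i] = max(best[i], (prev[0] + len(w), prev[1] + 1))
    covered, count = best[-1]
    return covered / len(s), count

def is_dictionary_dga(domain):
    """Illustrative rule (not from the papers): long label, mostly 2+ words."""
    s = label(domain)
    coverage, count = word_coverage(s)
    return len(s) >= 12 and count >= 2 and coverage >= 0.7
```

Entropy of the rovnix labels is as high as that of the random labels, and their vowel ratio overlaps with ordinary English names, so neither feature separates them; the word-coverage feature does.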

Papers:

In a previous post, I also shared details on several models that are capable of effectively detecting dictionary DGA domains. Please see Auxiliary Loss Optimization for Hypothesis Augmentation for DGA Domain Detection.

Lastly, if you’re interested in discovering more interesting papers like these, use the method I outlined here.

–Jason
@jason_trost


A short listing of cyber security data science research papers I’ve discovered recently. Each of them uses machine learning or enables ML (i.e. by providing training data or enabling the creation of training data) to solve various security use cases, and many provide open source code as well.

If you’re interested in discovering more interesting papers like these, use the method I outlined here.

–Jason
@jason_trost
