[CB18] Discover traces of attackers from the remains of disposable attack infrastructure - Detection indicator diagnosis system with dynamic/static DNS forensics by Tsuyoshi Taniguchi & Kunihiko Yoshimura

Copyright 2018 FUJITSU SYSTEM INTEGRATION LABORATORIES LIMITED
Discover Traces of Attackers from the Remains of
Disposable Attack Infrastructure - Indicator Diagnosis
System with Dynamic/Static DNS Forensics
0
CODE BLUE 2018
Track 2
（November 2nd
, 2018）
FUJITSU SYSTEM INTEGRATION LABORATORIES LTD.
Tsuyoshi TANIGUCHI Kunihiko YOSHIMURA

Tsuyoshi TANIGUCHI
 Fujitsu System Integration Laboratories Researcher, Ph.D.
 Mar. 2008 - Hokkaido University Ph.D. (computer science)
A Study on Correlation Mining Based on Contrast Sets
Not hypothesis testing but discover science
Characteristic relations with high appearance patterns -> relation with the high differences after
some conditioning
 Apr. 2008 - Researcher, FUJITSU
 Apr. 2016 - Researcher, FUJITSU SYSTEM INTEGRATION LABORATORIES LTD
 Nov. 2017 CODE BLUE Day0 Special Track Counter Cyber Crime Track
Detection index learning based on cyber threat intelligence and its application
Searching treasures from a vast amount of threat intelligence
Copyright 2018 FUJITSU SYSTEM INTEGRATION LABORATORIES LIMITED1

Overview of Indicator Learning
CTI data source 1
Subgroup 1 Subgroup 2 Subgroup i⋯
Preprocess
Indicator Learning
Indicator DB
CTI data source 2 CTI data source 3
2
CTI: Cyber Threat Intelligence

Weighting Indicators
 Contrast IP addresses or domain names between two subgroups
 Contrast Set Mining [Bay et.al 2001]
 Emerging Patterns [Dong and Li 1999]
Itemset A
Subgroup 1 Subgroup 2
Identifiable Not appearance
IP addresses,
domain names
Malware,
Campaign
3

IP Addresses Which Multiple Adversaries Shared
 Over 99%: Single subgroup
 Under 1%: Multiple subgroups
456 / 58048:
0.79%
4

• 悪性IP１
• 悪性IP２
• 悪性IP３
Indicator Lifetime Learning
 Indicator selection：long lifetime and Disposable
 Indicators: malicious IP addresses
• Malicious IP 1
• Malicious IP 2
• Malicious IP 3
• Malicious IP 1
• 悪性IP２
• 悪性IP３
• Malicious IP 4
• Malicious IP 1
• 悪性ドメイン２
• 悪性ドメイン３
• 悪性IP４
• Malicious IP 5
Regularly updated blacklists
5

Lifetime Distribution Dependent on the Type of
Attacks
Long life -> downoaderDisposable -> botnet, DGA and so on
6
The behavior of indicators corresponds to the behavior on the DNS

Threat Intelligence: Snapshots of Cyber Attacks
2018 / 7 2018 / 8 2018 / 9
APT𝛼
Domain 𝛼-1
Domain 𝛼-2
Domain 𝛼-3
Botnet 𝛽 Domain 𝛽-1
Domain 𝛼-1
Domain 𝛼-2
Domain 𝛼-3
Blacklist 𝛼
_July
A set of A
records related
with domain 𝛽-1
Blacklist 𝛽
_July
Sets of A records which adversaries map malicious domain names to
Stop using domain
𝛼-3
Blacklist 𝛼
_August
One A record with long
lifetime
Several disposable A
records
Blacklist 𝛽_August
 Attack infrastructure completely depend on adversaries → Threat Intel.？
7

Black-Box: the Process of Malicious Domain
Detection
Some malware
communicates with？
In white lists？
MaliciousBenign
YES
YES NO
NO
In black lists？
Malicious
YES
Malicious behavior
on the DNS?
NO
YES NO
BenignMalicious
An example of
decision tree
model
Exposure [Bilge, Leyla, et al., 2011]
• Short life
• Short TTL
• Number of distinct IP addresses
• Number of domains share the IP with
• And so on
• Domain 1
• Domain 2
• Domain 3
• Domain 4
8

Motivation：Toward Explainable Indicators
 The behavior of malicious domain: long, short, changeable, and so on
 To restore the behavior of malicious domain and quality
improvement of blacklists based on prioritization
• Domain 1
• Domain 2
• Domain 3
• Domain 4
① Fast-Flux -> Tracking
② Short-term Activities -> Update Threat Information
③ Stable Operation -> Normal operation
④ Domain Name Termination -> Follow-up
9

Threat Intelligence We Treat with
 Lists of malicious domain names
 Text format
 CSV format
 STIX format
STIX: Structured Threat Information eXpression
World standard of CTI in a structured way
XML format (1.x), json format (2.x)

Verification Items (Hypothesis)
The behavior of known malicious domain names
If adversaries use DNS, they leave footprints on the DNS
The type of footprints (the behavior of the malicious domain
names) cat be classified
There is a possibility that we find clues in order to predict
the future behavior of the malicious domain names

Case Studies (1/2)
type: pe, positives: 6+, sources: 5+,
first seen: from 21st May to 22nd May 2018
VirusTotal
400
Samples
Sandbox
(cuckoo)
Collect
Run
108
Domains
Detect
Filtering
White List
43
Malicious Domains
 Verify malicious domain names which new malware samples
communicate with
12

Case Studies (2/2)
2018 / 7 2018 / 8 2018 / 9
Malicious domain C active period
Malicious domain A active period
8/x: Sharing
Malicious domain B active period
 Verify malicious domain names before and after CTI regarding APT
is shared
Continuous use
Termination after sharing
Termination before sharing
13

Conclusion
 Malicious domain names can be classified based on the history on
the DNS
 Lifetime: Long life or short life
 Freshness: fresh or shabby
 The behavior of malicious domain names depend on the activities
of adversaries.
 Confirm threat information sharing recently

Content
 Overview of indicator diagnosis system
 What do we diagnose known malicious domain names?
 Static threat analysis： Passive DNS
 Dynamic threat analysis： Active DNS
 The Fusion of Active and Passive DNS
 Case Studies
1. Diagnoses regarding malicious domain names which malware samples
communicate with
2. Diagnoses regarding malicious domain names from CTI related with APT
3. Discussion: Limitations of the Diagnosis System
 Conclusion

What Do We Diagnose Known Malicious Domain
Names? (1/2)
xxx.xxx.com
(Known malicious
domain)
Indicator
Diagnosis System
Shabby
Inactive
Status?
How long? (Lifetime)
When? (Freshness)
Active
Fresh
Long life Short life
or
or
or
16

What Do We Diagnose Known Malicious Domain
Names? (2/2)
PresentPast
First seen
First seen
Long life (Active)
Recently：
Fresh (Active)
Short active time：
Short life (Inactive)
Old Days：
Shabby (Active)
 Period and timing when the relation between domain names and sets of IP
addresses can be observed on the DNS
first seen
Freshness Lifetime
17

Approach: Dynamic/Static DNS Forensics
DNS
Blacklist
(CTI) xxx.xxx.com
xxx.xxx.com
IN A a.a.a.a
Present FuturePast
DNS server
Passive DNS
Dynamic： Active DNS
The present Status?
Static：Passive DNS The history?
The future
behavior?
Footprints based queries
 A verification of the behavior of known malicious domain names on the DNS
18

Domain Name System (DNS)
Root DNS
server
TLD (top level domain) server
.jp, .com, .org, .net
Authoritative
DNS server １
Authoritative
DNS server 2
19

The Flow of Name Resolution on the DNS
Root DNS
server
.com
DNS server
fujitsu.com
DNS server
Caching
DNS server
User
Authoritative DNS server
fujitsu.com?
80.70.173.142
fujitsu.com?
fujitsu.com?
fujitsu.com?
.com DNS server
fujitsu.com DNS
80.70.173.142
20

dig Command Example: fujitsu.com
$ dig fujitsu.com
; <<>> DiG 9.10.3-P4-Ubuntu <<>> fujitsu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16529
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;fujitsu.com. IN A
;; ANSWER SECTION:
fujitsu.com. 3600 IN A 80.70.173.142
;; Query time: 33 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Thu Oct 11 09:39:16 JST 2018
;; MSG SIZE rcvd: 56
fujitsu.com:
A record -> 80.70.173.142
dig command
(Linux OS)
21

Overview of Active DNS and Passive DNS
Active DNS: Thales [Kountouras,
Athanasios et al., 2016]
actively query DNS server and collect data
Sensor
Root DNS
server
.com
DNS server
fujitsu.com
DNS server
Caching
DNS server
User
22
Passive DNS: passive DNS replication
[Weimer, Florian, 2005]
capture and collect DNS response packets

The Fusion of Active and Passive DNS
Sensor
Passive DNSPassive DNS Analyzer
Black
List
The first point
Seeds: known malicious
domain names
The second point
The present status
The third point
The history on the DNS
Caching
DNS server
User
23

The Fusion of Active and Passive DNS Provide
Valuable Synergy
Blacklists
Passive DNSActive DNS
Seeds Malicious
The present status
on the DNS
The history
on the DNS
24

Content
 Case Studies
communicate with
 Conclusion

Citation: Data Source
 Passive DNS
 DNSDB
 Farsight Security
 https://www.dnsdb.info/
 Active DNS (Public caching DNS)
 Google: Google Public DNS (8.8.8.8)
 Cloudflare: Global Authoritative DNS (1.1.1.1)
 Malware Sample
 Virus Total
 https://www.virustotal.com/ja/
 Cyber Threat Intelligence (CTI)
 Open Threat Exchange
 Alien Vault
 https://www.alienvault.com/open-threat-exchange

1. Diagnoses regarding Malicious Domain Names
Which Malware Sample Communicate with
 Assumed situation
 Analyze new malware samples
 The malware samples communicate with suspicious domain names in a
sandbox
 The purpose of case studies
1. Verify the behavior of known malicious domain names
2. Verify footprints on the DNS

Malicious Domain Names Which Malware Sample
Communicate with
type: pe, positives: 6+, sources: 5+,
first seen: from 21st May to 22nd May 2018
VirusTotal
400
Samples
Sandbox
(cuckoo)
Collect
Run
108
Domains
Detect
Filtering
White List
43
Malicious Domains
28

Identification of Benign Domain Names Based on a
White List
 Normal service
ex. whatismyaddress.com, digicert.com and so on
 Domain administrators have no connection with malware
developers even if domain name itself is malicious
 Anti-Sandbox
ex. update.microsoft.com, www.yahoo.com and so on
 Communicate with C2 by public channel
ex. twitter.com

Caching
DNS server
Sensor
Malicious
Domain
5/21 – 5/22
1. Trial and error (5/28)
30

Trial and Error：Active DNS
 You easily are able to get results if you install dig command
31

Single A Record
dig Command Example (a Part of the Output)
;auth-rambler.com. IN A
;; ANSWER SECTION:
auth-rambler.com. 599 IN A 185.212.128.37
Single A record
32

The Results regarding Single A Record Based on
Active DNS
Domain name (URL) A record
codelux2017.ddns[.]net 187.115.234[.]242
skypeprocesshost.ddns.com[.]br 177.98.32[.]236
auth-rambler[.]com 185.212.128[.]37
bb[.]org 103.224.182[.]249
diaoge2010.tl-ip[.]net 121.41.39[.]145
lhy3944335.meibu[.]com 120.210.205[.]20
m3.vzv[.]me 35.229.81[.]255
numbers.3322[.]org 183.236.2[.]18
ukvlqwtmdlcmigp.floattenmidget[
.]ru
46.101.50[.]21
vopspyder[.]website 185.6.242[.]251
www.51wgl[.]com 47.104.163[.]38
xmr.f2pool[.]com 116.211.169[.]162
kiss.oatmealscene[.]loan 54.88.21[.]193
ma.owwwv[.]com 43.229.113[.]12
stiekehelp.gameassists.co[.]uk 78.24.213[.]153
tv.yaerwal[.]com 199.2.137[.]29
www.iuqerfsodp9ifjaposdfjhgosuri
jfaewrwergwff[.]com
72.5.65[.]99
zinfandel.lacita[.]com 98.124.199[.]28
jlarga1b2c3d4.ddns[.]net 0.0.0[.]0
Colored areas represents changing A records.
33

Multiple A Records
;ic-dc.deliverydlcenter.com. IN A
;; ANSWER SECTION:
ic-dc.deliverydlcenter.com. 59 IN A 13.33.4.6
Multiple A records
34

The Results regarding Multiple A Records Based on
Active DNS
imp.searchjff[.]com 52.200.52[.]112, 52.202.163[.]199
search.searchjff[.]com 50.19.242[.]110, 174.129.43[.]57
bounce2.pobox[.]com 64.147.108[.]74, 64.147.108[.]75
ic-dc.deliverydlcenter[.]com 13.33.4[.]170, 13.33.4[.]142, 13.33.4[.]6, 13.33.4[.]29
imp.yourpackagesnow[.]com 52.1.198[.]247, 52.4.240[.]94
ns1.wowservers[.]ru 221.120.220[.]72, 81.4.163[.]122, 190.35.242[.]126,
197.254.118[.]42ns2.wowservers[.]ru
trialcet[.]com 104.31.91[.]83, 104.31.90[.]83
www.iuqerfsodp9ifjaposdfjhgosu
rijfaewrwergwea[.]com
104.17.40[.]137, 104.17.39[.]137, 104.17.38[.]137,
104.17.37[.]137, 104.17.41[.]137
www.laichiji123[.]com 104.24.96[.]136, 104.24.97[.]136
www.shangizhiyan[.]com 104.28.2[.]77, 104.28.3[.]77
Colored areas represents changing A records. 35

CNAME
;lulukan.qyhxhnt.com. IN A
;; ANSWER SECTION:
lulukan.qyhxhnt.com. 599 IN CNAME
lulukan.qyhxhnt.com.a.bdydns.com.
lulukan.qyhxhnt.com.a.bdydns.com. 119 IN CNAME
opencdncloud.jomodns.com.
opencdncloud.jomodns.com. 59 IN A 101.69.175.35
CNAME
Multiple
CNAME
36

The Results regarding CNAME Based on Active DNS
Domain name (URL) CNAME A record
lulukan.qyhxhnt[.]com
• lulukan.qyhxhnt.com.a.bdydns[.]com
• opencdncloud.jomodns[.]com
101.69.175[.]35rjb.qyhxhnt[.]com
• rjb.qyhxhnt.com.a.bdydns[.]com
tongbu.erhaojie[.]com
• tongbu.erhaojie.com.a.bdydns[.]com
mininews.kpzip[.]com
• mininews.kpzip.com.cdn.dnsv1[.]com
• 897194.s2.cdntip[.]com
Flux type
pc.mainmarketingswarm[.]c
om
swarm.wizzcloud[.]io
149.202.91[.]53
149.202.76[.]117
vip2.gutou[.]cc y.gutousoft[.]com 120.24.75[.]226
won.channeltest[.]bid d1g1b9l7554igi.cloudfront[.]net
13.33.4[.]214, 13.33.4[.]184,
13.33.4[.]47, 13.33.4[.]44
vtboss.yolox[.]net 22283.bodis[.]com 199.59.242[.]150
Colored areas represents changing A records. 37

No Answer
;; QUESTION SECTION:;carder.bit. IN A
(No ANSWER SECTION)
38

No Answer
carder[.]bit
No Answer
jss365sv.cat[.]jp
ransomware[.]bit
www.wap95516.com[.]cn
www4.cedesunjerinkas[.]com
39

Caching
DNS server
Sensor
Malicious
Domain
5/21 – 5/22
1. Trial and error (5/28)
2. Verification (10/9)
40

Diagnostic Item Related with Active DNS
Diagnostic item Diagnostic result
Activity status
Active
Inactive
A record change
Changeable
No change
41

Diagnostic Item Related with Passive DNS
Diagnostic item Diagnostic result
Type
Multiple IP
Multiple domain
1 domain – 1 IP
Lifetime
Short life
Long life
Freshness
Fresh
Stable operation
Shabby
42

Verify Malicious Domain Names Which New Malware
Sample Communicate with
PresentPast
First seen
First seen
Long life (Active)
Recently：
Fresh (Active)
Short active time：
Short life (Inactive)
Old Days：
Shabby (Active)
 How is the behavior of known malicious domain names?
First
seen
Freshness Lifetime
43

Diagnosis of Known Malicious Domain Based
on Indicator Diagnosis System
Legend
：Single A record
：Multiple A records
：CNAME
：No Answer
44

Diagnostic Item: Freshness
Fresh
Shabby
Stable
Operation
2010 20182016
When is the first seen among a set of A records
related with the input malicious domain?
45

Diagnostic Item: Lifetime
Short
lifetime
Long lifetime
Over three years
Dozens of days
How long is the A record recently observed
from first seen to last seen?
46

The Difference between Lifetime and Freshness
2012 2013 2014 2015 2016 2017 2018
m3.vzv[.]me
tv.yaerwal[.]c
om
diaoge2010.tl
-ip[.]net
lhy3944335.
meibu[.]com
numbers.332
2[.]org
Lifetime
Lifetime
Life
time
Li
fe
ti
m
e
Freshness
Freshness
Freshness
L
i
f
e
t
i
m
e
New Activities
Freshness
47

Content
 Case Studies
communicate with
 Conclusion

from CTI Related with APT
 Assumed situation
 Analyze some APT
 Get cyber threat intelligence from open source
 The purpose of case studies
 Verify the behavior of malicious domain names before and after sharing
 Target APT
 PseudoGate
 Dark Hotel
※CTI: Cyber Threat Intelligence
49

from CTI Related with APT
Jul., 2018 Aug., 2018 Sep., 2018
Malicious domain C active period
Malicious domain A active period
8/x: Sharing
Malicious domain B active period
 Verify malicious domain names before and after CTI regarding APT
is shared
Continuous use
Termination after sharing
Termination before sharing
50

PseudoGate (8/29 OTX Pulse)
• cna8a9[.]space
• eee6t087t9[.]website
• fritsy83[.]space
• fritsy83[.]website
• oo00mika84[.]website
Target domain names
51

Diagnostic Results Soon after CTI Sharing
Jul., 2018 Aug., 2018 Sep., 2018
8/29: sharing
8/30:
Diagnosis
fritsy83[.] website: 31.31.196[.]163 (7/15 - 7/27)
oo00mika84[.]website:
31.31.196[.]163 (7/17 - 8/15)
fritsy83[.]space: 31.31.196[.]138 (7/17 - 7/21)
eee6t087t9[.]website:
31.31.196[.]138 (7/14 - )
cna8a9[.]space:
31.31.196[.]78 (8/2 - )
52

The Diagnosis of Malicious Domain Names (9/20)
cna8a9[.]space:
31.31.196[.]78 (8/2 - )
eee6t087t9[.]website:
31.31.196[.]138 (7/14 - )
oo00mika84[.]website:
31.31.196[.]163 (7/17 - 8/15)
fritsy83[.]space:
31.31.196[.]138
(7/17 - 7/21)
fritsy83[.] website:
31.31.196[.]163
(7/15 - 7/27)
9/20/20187/15/2018 8/2/2018
53

Expiration Prediction
 An Analysis of Related Domain
regarding 31.31.196[.]78
 Survival： 61% (1237/2016)
 Disposable：23% (470/2016)
 The ratio of survival is relatively
high, long life prediction
 cna8a9[.]space - (8/2 - )

regarding 31.31.196[.]163
 Survival： 7% (920/13401)
 Disposable：77% (10328/13401)
 The ratio of disposable is high, short
life prediction
 fritsy83[.] website (7/15 - 7/27)
 oo00mika84[.]website (7/17 - 8/15)

DarkHotel (8/17 OTX Pulse)
• 779999977[.]com
• documentsafeinfo[.]com
• windows-updater[.]net
Target domain names
56

Diagnostic Results Soon after CTI Sharing
Feb.,
2018
Mar.,
2018
Apr.,
2018
May,
2018
Jun.,
2018
Jul.,
2018
Aug.,
2018
Sep.,
2018
779999977[.]com: 188.241.58[.]60 (2/5 - )
documentsafeinfo[.]com: 111.90.149[.]131 (2/3 - )
8/17: Sharing
and Diagnosis
windows-updater[.]net:
54.72.130[.]67 (8/1 -)
57

The Diagnosis of Malicious Domain Names (9/20)
2/3/2018
3/8/2012
9/22/2016
779999977[.]com:
188.241.58[.]60 (2/5 - )
documentsafeinfo[.]com:
111.90.149[.]131 (2/3 - )
windows-updater[.]net:
54.72.130[.]67 (8/1 - 9/10)
58

regarding 54.72.130[.]67
 Survival： 5% (32662/629744)
 Disposable：62% (391692/629744)
 The ratio of disposable is high,
short life prediction
 windows-updater[.]net (8/1 - 9/10)
59

Content
 Case Studies
communicate with
 Conclusion

DNS Blocking by Caching DNS Server
 A case where we receive resource records with No A record after
we query caching DNS server
 Termination or DNS blocking by caching DNS server
Caching
DNS server
No A record
Blacklist Refer to same
blacklists
61

Concealment Actual Domain Operation by CNAME
 MAL_HIFRM
opencdncloud.jomodns[.]com
rjb.qyhxhnt.com.a.bdydns[.]com tongbu.erhaojie.com.a.bdydns[.]com
rjb.qyhxhnt[.]com tongbu.erhaojie[.]comlulukan.qyhxhnt[.]com
CNAME CNAMECNAME
CNAMECNAME
lulukan.qyhxhnt.com.a.bdydns[.]com
CNAME
A set of front domain names
Domain operated
actually
62

Dormant and Changeover
 Dormant：period that corresponding domain does not map any A records
on the DNS even if the domain has A records before and after the period
 Changeover：change A records observed over years to other A records
2012 2013 2014 2015 2016 2017 2018
tv.yaerwal[.]c
om
diaoge2010.tl
-ip[.]net
lhy3944335.
meibu[.]com
numbers.332
2[.]org
Dormant
Dormant
DormantDor
mant
Changeover
63

Content
 Case Studies
communicate with
 Conclusion

Verification Results
 If adversaries use DSN, they leave footprints on the DNS.
 A case where there exists footprints on the DNS.
 Another case where there are no footprints.
 The type of footprints (the behavior of the malicious domain names)
cat be classified.
 Lifetime：Long life and Short life
 Freshness：fresh and shabby
 There is a possibility that we find clues in order to predict the future
behavior of the malicious domain names.
 Expiration Prediction

Diagnostic Results and Opinions
Opinion Diagnostic result Comment
Termination Inactive
Indicators expiree, we strongly recommend you to
explore next threat information
New
Activities
Active, fresh
This malicious domain is recently observed. It worth
monitoring the activities regarding the domain
Stable
Operation
Active, No change,
stable operation or
shabby
You continue to operate blacklists normally
Short-term
Activities
Short life
The malicious domain has possibilities of expiration.
We recommend you to update blacklists
Surveillance
Active,
changeable,
multiple IP
We doubt the malicious domain related with Fast-flux.
We recommend you to check blacklists regarding
Fast-Flux and whitelists regarding normal CDN
66

Conclusion
 Take inventory of received blacklists
 Simply dig command (Active DNS) help you confirm the survival of input domain
names on the DNS
 Take the appropriate reposes according to the behavior of the
malicious domain name
 The history of domain names based on Passive DNS tells you the behavior of
the known malicious domain names

Citation
 Passive DNS
 Weimer, Florian. "Passive DNS replication." FIRST conference on computer security incident. 2005.
 Bilge, Leyla, et al. "EXPOSURE: Finding Malicious Domains Using Passive DNS Analysis." Ndss. 2011.
 Active DNS
 Kountouras, Athanasios, et al. "Enabling network security through active DNS datasets." International
Symposium on Research in Attacks, Intrusions, and Defenses. Springer, Cham, 2016.
 van Rijswijk-Deij, Roland, et al. "A High-Performance, Scalable Infrastructure for Large-Scale Active
DNS Measurements." IEEE Journal on Selected Areas in Communications 34.6 (2016): 1877-1888.
 Contrast set mining
 Bay, Stephen D., and Michael J. Pazzani. "Detecting group differences: Mining contrast sets." Data
mining and knowledge discovery 5.3 (2001): 213-246.
 Dong, Guozhu, and Jinyan Li. "Efficient mining of emerging patterns: Discovering trends and
differences." Proceedings of the fifth ACM SIGKDD international conference on Knowledge discovery
and data mining. ACM, 1999.

[CB18] Discover traces of attackers from the remains of disposable attack infrastructure - Detection indicator diagnosis system with dynamic/static DNS forensics by Tsuyoshi Taniguchi & Kunihiko Yoshimura

Recommended

Recommended

More Related Content

What's hot

What's hot (18)

Similar to [CB18] Discover traces of attackers from the remains of disposable attack infrastructure - Detection indicator diagnosis system with dynamic/static DNS forensics by Tsuyoshi Taniguchi & Kunihiko Yoshimura

Similar to [CB18] Discover traces of attackers from the remains of disposable attack infrastructure - Detection indicator diagnosis system with dynamic/static DNS forensics by Tsuyoshi Taniguchi & Kunihiko Yoshimura (20)

More from CODE BLUE

More from CODE BLUE (20)

Recently uploaded

Recently uploaded (20)

[CB18] Discover traces of attackers from the remains of disposable attack infrastructure - Detection indicator diagnosis system with dynamic/static DNS forensics by Tsuyoshi Taniguchi & Kunihiko Yoshimura

Editor's Notes