65 research outputs found

    Detecting DNS Threats: A Deep Learning Model to Rule Them All

    Domain Name Service is a central part of regular Internet operation. Such importance has made it a common target of different malicious behaviors, such as the application of Domain Generation Algorithms (DGA) for command and control of a group of infected computers, or Tunneling techniques for bypassing system administrator restrictions. A common detection approach is based on training different models for detecting DGA and Tunneling, capable of performing a lexicographic discrimination of the domain names. However, since both DGA and Tunneling show domain names with observable lexicographical differences from normal domains, it is reasonable to apply the same detection approach to both threats. In the present work, we propose a multi-class convolutional network (MC-CNN) capable of detecting both DNS threats. The resulting MC-CNN is able to correctly detect 99% of normal domains, 97% of DGA and 92% of Tunneling, with a False Positive Rate of 2.8%, 0.7% and 0.0015% respectively, and has the advantage of having 44% fewer trainable parameters than similar models applied to DNS threat detection. Sociedad Argentina de Informática e Investigación Operativ

    Detection of behavior patterns in the network through sequence analysis

    Behavior-based detection approaches for network traffic rely on finding common patterns that an attack follows throughout its life cycle, and try to generalize them in order to detect a previously unseen attack trace. A common approach consists of generating character-based sequences to represent malicious behaviors and then applying models such as Markov chains to generalize to other similar behaviors. However, the latter have limitations in exploring beyond the previous state. This work analyzes the advantages and limitations of three neural network architectures, capable of remembering patterns seen long ago, for detecting malicious behaviors. To this end, an evaluation was carried out on a specifically designed dataset that includes malicious and normal behaviors from diverse sources. Preliminary results indicate that, despite their simplicity, applying any of the network architectures is a valid approach for detecting malicious network behaviors, which is promising for their application to network traffic labeling problems in the context of a workflow with human interaction. Workshop: WSI - Seguridad Informática. Red de Universidades con Carreras en Informátic

    Application of deep neural networks to the automatic detection of algorithmically generated domain names

    In the context of data network security, an algorithmically generated domain name (DGA) is used by malicious software (malware) to dynamically generate a large number of domain names in a pseudo-random manner and then use a subset of them as part of the Command and Control (C&C) channel. Given the simplicity and speed with which new domains are generated, strategies based on static domain lists are ineffective. It is therefore important to develop automatic detection techniques that can find the common patterns in the generated domains. This project proposes the development of DGA detection algorithms using machine learning algorithms in general and deep neural networks in particular. The application of deep neural networks to learning the patterns common to DGAs is expected to allow the development of detection tools not only with a low false positive rate but also with the ability to operate in real time. The latter is essential for dealing with today's security threats. Track: Computer security. Red de Universidades con Carreras en Informátic

    Millimeter and submillimeter high angular resolution interferometric observations: dust in the heart of IRAS 18162-2048

    The GGD27 complex includes the HH 80-81-80N system, which is one of the most powerful molecular outflows associated with a high mass star-forming region observed up to now. This outflow is powered by the star associated with the source IRAS 18162-2048. Here we report the detection of continuum emission at sub-arcsec/arcsec resolution with the Submillimeter Array at 1.36mm and 456microns, respectively. We detected dust emission arising from two compact cores, MM1 and MM2, separated by about 7" (~12000AU in projected distance). MM1 spatially coincides with the powerful thermal radio continuum jet that powers the very extended molecular outflow, while MM2 is associated with the protostar that drives the compact molecular outflow recently found in this region. High angular resolution observations at 1.36mm show that MM1 is unresolved and that MM2 splits into two subcomponents separated by ~1". The mass of MM1 is about 4Msun and it has a size of <300AU. This is consistent with MM1 being associated with a massive and dense (n(H2)>10^9cm-3) circumstellar dusty disk surrounding a high-mass protostar, which has not developed yet a compact HII region. On the other hand, the masses of the two separate components of MM2 are about 2Msun each. One of these components is a compact core with an intermediate-mass young protostar inside and the other component is probably a pre-stellar core. MM1 is the brightest source at 1.36mm, while MM2 dominates the emission at 456microns. These are the only (sub)millimeter sources detected in the SMA observations. Hence, it seems that both sources may contribute significantly to the bolometric luminosity of the region. Finally, we argue that the characteristics of these two sources indicate that MM2 is probably in an earlier evolutionary stage than MM1. Comment: Accepted in AJ (Oct 31, 2010

    Unveiling a Network of Parallel Filaments in the Infrared Dark Cloud G14.225–0.506

    We present the results of combined NH_3 (1,1) and (2,2) line emission observed with the Very Large Array and the Effelsberg 100 m telescope of the infrared dark cloud G14.225–0.506. The NH3 emission reveals a network of filaments constituting two hub-filament systems. Hubs are associated with gas of rotational temperature T_(rot) ~ 15 K, non-thermal velocity dispersion σ_(NT) ~ 1 km s^(–1), and exhibit signs of star formation, while filaments appear to be more quiescent (T_(rot) ~ 11 K and σ_(NT) ~ 0.6 km s^(–1)). Filaments are parallel in projection and distributed mainly along two directions, at P.A. ~ 10° and 60°, and appear to be coherent in velocity. The averaged projected separation between adjacent filaments is between 0.5 pc and 1 pc, and the mean width of filaments is 0.12 pc. Cores within filaments are separated by ~0.33 ± 0.09 pc, which is consistent with the predicted fragmentation of an isothermal gas cylinder due to the "sausage"-type instability. The network of parallel filaments observed in G14.225–0.506 is consistent with the gravitational instability of a thin gas layer threaded by magnetic fields. Overall, our data suggest that magnetic fields might play an important role in the alignment of filaments, and polarization measurements in the entire cloud would lend further support to this scenario

    Application of deep neural networks to the automatic detection of algorithmically generated domain names

    In the context of data network security, an algorithmically generated domain name (DGA) is used by malicious software (malware) to dynamically generate a large number of domain names in a pseudo-random manner and then use a subset of them as part of the Command and Control (C&C) channel. This project focuses on the development of DGA detection algorithms using machine learning algorithms in general and deep neural networks in particular. During the latest period of the project, special emphasis has been placed on tuning the resulting models with a view to deploying them in production environments, in particular on evaluating the different aspects needed to estimate the generalization error, beyond the random split between training and test sets. Track: Computer security. Red de Universidades con Carreras en Informátic

    The challenge of preparing teams for the European robotics league: Emergency

    © 2017, Society for Imaging Science and Technology. ERL Emergency is an outdoor multi-domain robotic competition inspired by the 2011 Fukushima accident. The ERL Emergency Challenge requires teams of land, underwater and flying robots to work together to survey the scene, collect environmental data, and identify critical hazards. To prepare teams for this multidisciplinary task a series of summer schools and workshops have been arranged. In this paper the challenges and hands-on results of bringing students and researchers collaborating successfully in unknown environments and in new research areas are explained. As a case study results from the euRathlon/SHERPA workshop 2015 in Oulu are given