DNS TITAN

The Next Gen AI/ML based TCPWave Infrastructure Tracer and Analyzer
TCPWave
TCPWave Titan provides a smart security blanket and guards the enterprise against exploits that use DNS as a data-exfiltration channel or tunnel conduit. The speed at which large volumes of traffic are analyzed, and the short time taken to block malicious traffic before it becomes potent, make TCPWave Titan a leader in the DDI space for AI/ML-based DNS InfoSec.
A complex machine learning model that observes the traffic and learns from traffic patterns and from user input provides sniper accuracy in determining what is clean and what is malicious, malware, or C&C-style traffic.
The DNS query logs are analyzed with advanced threat intelligence techniques from TCPWave Product and Information Security Engineering.
  • ML algorithms in Titan can detect and stop threats by scanning the traffic for anomalies. Amazingly, it can retrain itself to thwart an attack that is unknown to today's cyber intelligence

  • DNS Titan from TCPWave reduces the time taken to contain a DNS tunnel by 60%

  • The DNS Titan from TCPWave is a perfect solution for enterprises to prevent damages from malware or ransomware

  • The DNS Titan from TCPWave transforms information security at the core network services layer into a simple task

  • The machine learning and mathematical models DNS Titan uses for entropy calculations are extremely powerful at detecting abnormal activity

What does TCPWave provide?

TCPWave TITAN is the one-stop solution for all your DNS security needs. It uses advanced technologies where AI/ML plays a significant role. One of the solutions that TITAN provides is DNS Tunnel Detection. These tunnel detection ML algorithms are trained using massive and varied DNS data, thereby helping it detect the malicious DNS traffic flowing through the DNS pathways in your organization.

Supervised learning is the machine learning task of learning a function that maps an input to an output based on input-output pairs given in the training phase. It infers a function from labeled training data consisting of training examples. In supervised learning, each example is a pair consisting of an input object (typically a multidimensional vector) and the desired output value (also called the supervisory signal). A supervised learning algorithm analyzes the training data and produces an inferred function, which can be used for mapping new examples. An optimal scenario allows the algorithm to determine the class labels for unseen instances correctly. It requires the learning algorithm to generalize from the training data to unseen situations in a "reasonable" way.

A random forest classifier is used as the classification algorithm. A random forest is a bootstrap-based ensemble of multiple decision trees acting together in one model. The fundamental concept behind the random forest is the wisdom of crowds: many relatively uncorrelated models (trees) operating as a committee outperform any of the individual constituent models. Suppose we have 1000 samples of data with ten variables. Random forest builds multiple decision tree models from different samples and different initial variables. For instance, a random sample of 100 rows and 5 randomly chosen initial variables is used to build one decision tree model. It repeats the process (say) 10 times and then makes a final prediction for each observation; this final prediction can be the mean of the individual trees' predictions.

What is a DNS Tunnel?
  • DNS tunneling is a cyber-attack method that encodes the data of other programs or protocols inside DNS queries and responses.
  • Recursive DNS resolvers (cache servers) can be used to transmit intellectual property out of the network using encoded DNS queries.
  • Malware can multiply itself, and the Command and Control (C&C) servers reached through the tunnel make the malware on a client more and more potent.
  • DNS tunnels compromise network security.
  • Captive portals can be evaded using DNS tunnels.
How does TCPWave analyze?
1. Machine Learning

The machine learning model trained to classify anomalous DNS queries uses a powerful Random Forest Classifier. The model can be retrained from the UI using organization-specific whitelisted data.

2. Traffic Analysis

The queries flagged by the ML model pass through a set of rules defined by the network administrators. The rules can be a query count threshold per host, a query count threshold per domain, and other critical parameters.

3. Public Domains

Queries for the top 1000 public domains are whitelisted and filtered out before the remaining queries are sent to the ML model for detection.

4. Applying the Model

The machine learning model is applied to contiguous live packets captured at a regular time interval. The queries this model flags are passed on to the rule-based traffic analysis model.

5. Data Visualization

Various charts, such as top 10 domains queried, top 10 hosts querying, top 10 successfully resolved domains, top 10 failed domains, top 10 FQDN lengths, and many others, give the admin insight and help define realistic rules.

6. Get Alerted

The network administrator receives a notification on the Dashboard, generated by the monitoring engine, when malicious domains are detected. The admin can then block the domain in a Response Policy Zone (RPZ) from the UI. Administrators can also whitelist domains, and can import domain reputation data for the system to remember while making decisions.
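The whitelist, model and threshold-rule flow of steps 2 to 4 and 6 above, as an added Python example that is not TCPWave code: the query log, the whitelist, the thresholds and the tunnel-like FQDNs are all constructed, and fixed cut-offs on FQDN length, entropy and longest label stand in for the product's Random Forest classifier.

```python
import math
from collections import Counter

# Constructed (client, FQDN) query records; not captured traffic.
QUERY_LOG = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.7", "static.example.net"),
    ("10.0.0.9", "intranet.corp.test"),
] + [
    # One client sending many long, high-entropy labels under one domain:
    # the shape an encoded tunnel payload takes (constructed values).
    ("10.0.0.9", f"{i:04x}9f3a7c1e5b2d8e4f6a0c3b9d7e1f5a2c.t1.exfil.test")
    for i in range(12)
]

PUBLIC_WHITELIST = {"example.com", "example.net"}  # stand-in for the top-1000 list (step 3)
HOST_QUERY_THRESHOLD = 10    # admin rule: flagged queries from one client (step 2)
DOMAIN_QUERY_THRESHOLD = 10  # admin rule: flagged queries to one registered domain

def registered_domain(fqdn):
    """Last two labels: 'a.b.exfil.test' -> 'exfil.test'."""
    return ".".join(fqdn.rstrip(".").lower().split(".")[-2:])

def shannon_entropy(text):
    """Bits per character; encoded payloads drive this toward log2(alphabet size)."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def is_anomalous(fqdn):
    """Stand-in for the Random Forest classifier: fixed cut-offs on the features the
    page names (FQDN length, entropy, longest label). Constructed, not the product's model."""
    labels = fqdn.rstrip(".").split(".")
    return len(fqdn) > 40 and shannon_entropy(fqdn) > 3.5 and max(map(len, labels)) > 30

def analyze(log, whitelist=PUBLIC_WHITELIST):
    """Whitelist filter -> model -> per-host and per-domain count rules.
    Returns (flagged_hosts, flagged_domains): what the dashboard would alert on."""
    per_host, per_domain = Counter(), Counter()
    for client, fqdn in log:
        domain = registered_domain(fqdn)
        if domain in whitelist:      # step 3: top public domains never reach the model
            continue
        if is_anomalous(fqdn):       # step 4: model on the remaining live queries
            per_host[client] += 1
            per_domain[domain] += 1
    # step 2: only counts crossing the admin thresholds become alerts (step 6)
    flagged_hosts = {h for h, n in per_host.items() if n >= HOST_QUERY_THRESHOLD}
    flagged_domains = {d for d, n in per_domain.items() if n >= DOMAIN_QUERY_THRESHOLD}
    return flagged_hosts, flagged_domains
```

Running `analyze(QUERY_LOG)` flags only the one client and the one registered domain that cross both thresholds; the benign and whitelisted queries produce no alert.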
