DNS TITAN

The Next Gen AI/ML based TCPWave Infrastructure Tracer and Analyzer
TCPWave
The TCPWave Titan provides a smart security blanket and guards the enterprise against exploits that use DNS as data exfiltration or a tunnel conduit. The speed at which large volumes of traffic get analyzed and the time taken to block malicious traffic from becoming potent makes TCPWave Titan a leader in the DDI space for AI/ML techniques for DNS InfoSec.
A complex machine learning model, that observes the traffic, learns from the traffic patterns and from the user inputs provides a sniper accuracy in determining what's clean and what's malicious or malware or C&C style traffic.
The DNS Query Logs are analyzed with the advanced threat intelligence techniques from TCPWave Product and Information Security Engineering.
  • ML algorithms in Titan can detect and stop threats by scanning the traffic for anomalies. Amazingly it can self-train itself to thwart an attack that's unknown to today's cyber intelligence

  • DNS Titan from TCPWave reduces the time taken to contain a DNS tunnel by 60%

  • The DNS Titan from TCPWave is a perfect solution for enterprises to prevent damages from malware or ransomware

  • The DNS Titan from TCPWave transforms information security at the core network services layer into a simple task

  • The DNS Titan's machine learning, mathematical models used for entropy calculations are extremely powerful in detecting activity that is abnormal

What does TCPWave provide?

TCPwave TITAN is one stop solution for all your DNS security needs. It uses advanced technologies where AI/ML plays a major role. One of the solutions that TITAN provides is DNS Tunnel Detection. These tunnel detection ML algorithms are trained using massive and varied DNS data thereby helping it to detect the malicious DNS traffic flowing through the DNS pathways in your organization.

What is DNS Tunnel?
  • DNS Tunneling is a method of cyber-attack that encodes the data of other programs or protocols in DNS queries and responses.
  • Recursive DNS resolvers (Cache servers) can be used to transmit intellectual property using encoded DNS queries. (Corporate espionage)
  • Malware can multiply itself where the Command and Control (C&C) servers make the malware on a client more and more potent.
  • Network security is compromised by DNS tunnels.
  • Captive portals can be evaded using DNS tunnels.
Image
How does TCPWave analyze?
1.Machine Learning

The trained machine learning model to classify anomalous DNS queries. Uses powerful Random Forest Classifier. Ability to retrain the model from the UI using organization specific whitelisted data.

2.Applying The Model

The machine learning model is applied on the contiguous live packets taken at the regular interval of time. The detected queries by this model will be passed to traffic analysis rule based model.

3.Traffic Analysis

The filtered queries by ML model pass through the set of rules defined by the network administrator such as query count threshold from a host, query count threshold for a domain and other critical parameters.

4.Public domains

Queries for top 1000 public domains are whitelisted and are filtered before sending to ML model for detection.

5.Data Visualization

Various charts such as Top 10 domains queried, Top 10 hosts queried, Top 10 successfully queried domains, Top 10 failed domains, Top 10 FQDN lengths and many other charts give insight to the admin and help to define realistic rules.

6.Get Alerted

The network administrator will see a notification on the Dashboard generated by the monitoring engine when malicious domains are detected. Admin can then block the domain in RPZ from the UI. Admin can also whitelist domains. Admin can import domain reputation data for the system to remember while making decision.

TCPWave