OpenDNS Advances Predictive Security Using Data Science and Sound Wave Technology
OpenDNS research team develops security ‘sonar’ that predicts malicious attacks by analyzing the ‘sound’ of network traffic patterns
San Francisco, Calif., — November 19, 2015 — OpenDNS, a leading provider of cloud-delivered security, today shared new research from OpenDNS Security Labs that applies sound wave technology to network traffic. In a company blog post, OpenDNS data scientists disclosed details of their development efforts and findings for two new threat detection models that can predict malicious behavior based on the analysis of network traffic patterns.
The first model, Spike Rank (SPRank), functions like a sonar system for network security: it detects the ‘sound waves’ of malicious attacks. By examining how traffic patterns change when malicious campaigns are launched, OpenDNS’s data scientists found that these patterns closely resemble the sound waves that companies like Pandora and Shazam analyze every day to improve music discovery. They applied data science techniques similar to those used by Internet radio and music discovery apps to network traffic. Through automated sound wave analysis, SPRank can quickly ‘hear’ malicious traffic patterns in the more than half a terabyte of traffic data that OpenDNS processes every hour. Based on the team’s findings, the model detects malicious attack patterns with a high degree of accuracy: it identifies hundreds of compromised domains every hour, over a third of which (according to third-party sources) are not detected by any other antivirus or anti-malware scanner.
“There’s already lots of mathematical theory that exists to describe sounds,” said OpenDNS researcher Thomas Mathew. “Domains like Google and Yahoo! will have a similar ‘sound wave,’ because they get lots of regular traffic. The domains used in malicious attacks are only alive for a certain amount of time, so their patterns are much faster and shorter. To continue the analogy, these attacks sound like ghost noises — short beeps or chirps. Imagine a sound that appears for just a second and then is gone. SPRank can match that pattern and identify those sounds very quickly.”
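The following script is an added illustration of the idea described above, not OpenDNS’s SPRank code and not taken from the linked blog post. It treats a domain’s hourly DNS query counts as a signal and scores how much the signal looks like a steady, periodic hum (an always-on domain) versus a short chirp (a domain that is dormant, lights up for a few hours, then goes silent). The domain names, the query counts, the three features and the thresholds are all constructed for the example.

```python
"""Scoring per-domain DNS query-volume time series for 'chirp-like' bursts.

Added illustration (not OpenDNS's SPRank implementation): treat hourly query
counts as a signal and separate a steady, periodic 'hum' from a short, sharp
'chirp'. All thresholds, domain names and sample counts are constructed.
"""
import cmath
import math
import statistics
from typing import Dict, List

HOURS = 48  # two days of hourly buckets per domain (constructed window size)


def _diurnal(base: int, amp: int, hours: int = HOURS) -> List[int]:
    """Constructed steady traffic with a 24-hour cycle."""
    return [int(base + amp * math.sin(2 * math.pi * h / 24)) for h in range(hours)]


# Constructed sample data (hypothetical domains, not real observations).
SAMPLES: Dict[str, List[int]] = {
    # Popular, always-on domain: a steady hum.
    "steady.example": _diurnal(10_000, 2_000),
    # Steady domain with one huge hour (e.g. a product launch): a spike, not a chirp.
    "spiky.example": _diurnal(10_000, 2_000)[:30] + [60_000] + _diurnal(10_000, 2_000)[31:],
    # Dormant domain that lights up for a few hours, then goes silent: a chirp.
    "chirp.example": [0] * 20 + [0, 3, 900, 4_100, 1_200, 5, 0] + [0] * 21,
}


def dft_magnitudes(x: List[int]) -> List[float]:
    """Naive discrete Fourier transform; fine for a 48-sample window."""
    n = len(x)
    return [abs(sum(v * cmath.exp(-2j * math.pi * k * t / n) for t, v in enumerate(x)))
            for k in range(n)]


def low_frequency_fraction(x: List[int], low_bins: int = 3) -> float:
    """Share of non-DC spectral energy in the slowest bins (periods >= 16 h for 48 samples).

    A periodic hum concentrates its energy here; a brief chirp smears energy
    across all bins, so its share is small.
    """
    mags = dft_magnitudes(x)
    half = len(x) // 2
    total = sum(m * m for m in mags[1:half + 1])
    low = sum(m * m for m in mags[1:low_bins + 1])
    return low / total if total else 0.0


def features(x: List[int]) -> Dict[str, float]:
    """Three constructed features: how often alive, how peaky, how broadband."""
    active = sum(1 for v in x if v > 0) / len(x)
    peak_ratio = max(x) / max(statistics.median(x), 1)  # guard: median of a dormant domain is 0
    return {
        "active_fraction": active,
        "peak_ratio": peak_ratio,
        "low_freq_fraction": low_frequency_fraction(x),
    }


def is_chirp(x: List[int]) -> bool:
    """Constructed rule: alive only briefly, dominated by its peak, broadband spectrum."""
    f = features(x)
    return f["active_fraction"] < 0.5 and f["peak_ratio"] > 20 and f["low_freq_fraction"] < 0.6


def rank_domains(samples: Dict[str, List[int]]) -> List[str]:
    """Domains flagged as chirps, highest peak ratio first."""
    flagged = [d for d, x in samples.items() if is_chirp(x)]
    return sorted(flagged, key=lambda d: -features(samples[d])["peak_ratio"])


if __name__ == "__main__":
    for d, x in SAMPLES.items():
        f = {k: round(v, 3) for k, v in features(x).items()}
        print(d, f, "CHIRP" if is_chirp(x) else "ok")
```

The `spiky.example` row is there to show a limit of the heuristic: a one-hour spike on top of an always-on domain is not a ghost noise in the sense of the quote above, and the `active_fraction` check keeps it out of the ranked list. A production pipeline would also need a baseline of how many dormant-then-bursting domains are benign (new product launches, event sites) before using a rule like `is_chirp` to block anything.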
The second model, Predictive IP Space Monitoring, predicts attacks before they happen. Starting with the compromised domains identified through SPRank as initial ‘clues’, this model analyzes eight major patterns in how criminals set up their technology infrastructure (for example, how the servers they deploy are hosted) to determine which domains will be the source of future malicious activity. By focusing on specific unchangeable characteristics, the model is able to ignore the individual evasion techniques that criminals employ and homes in on the overall pattern that precedes malicious activity. It identifies over 300 new domains every hour that would otherwise be used to host malware in the future, and blocks them before they are ever used in an attack campaign.
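The script below is an added illustration of the pivot described in the paragraph above; it is not OpenDNS’s Predictive IP Space Monitoring model, and the release does not name the eight patterns it uses. Two hypothetical pivot keys (a shared /24 hosting block and a shared authoritative nameserver) stand in for those patterns, the passive-DNS-style records are constructed, and all domains use the reserved `.example` TLD with documentation IP ranges.

```python
"""Pivoting from seed (known-bad) domains to co-hosted infrastructure.

Added illustration, not OpenDNS's model. Two constructed pivot keys stand in
for the press release's unnamed eight infrastructure patterns:
  * net:<ipv4 /24>   -- the hosting block the domain's A record sits in
  * ns:<nameserver>  -- the authoritative nameserver the domain is delegated to
All records below are constructed; no real domain or host is described.
"""
import ipaddress
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed passive-DNS-style records: domain -> (A record, authoritative NS)
RECORDS: Dict[str, Tuple[str, str]] = {
    "bad-one.example":  ("203.0.113.10",  "ns1.cheap-host.example"),  # seed
    "bad-two.example":  ("203.0.113.44",  "ns1.cheap-host.example"),  # seed
    "new-lure.example": ("203.0.113.77",  "ns1.cheap-host.example"),  # same block and NS
    "soon.example":     ("198.51.100.5",  "ns1.cheap-host.example"),  # same NS only
    "neighbor.example": ("203.0.113.200", "ns.other.example"),        # same block only
    "popular.example":  ("192.0.2.1",     "ns1.bigdns.example"),      # unrelated
}

SEEDS: Set[str] = {"bad-one.example", "bad-two.example"}  # e.g. SPRank output


def pivot_keys(ip: str, nameserver: str) -> Set[str]:
    """Infrastructure characteristics a domain shares with whatever else is hosted there."""
    block = ipaddress.ip_network(f"{ip}/24", strict=False)
    return {f"net:{block}", f"ns:{nameserver.lower()}"}


def hot_keys(records: Dict[str, Tuple[str, str]], seeds: Set[str],
             min_seed_support: int = 2) -> Set[str]:
    """Keys shared by at least `min_seed_support` seed domains.

    Requiring support from several seeds keeps one oddball seed on a big shared
    host from turning the whole host into 'criminal infrastructure'.
    """
    counts: Counter = Counter()
    for d in seeds:
        ip, ns = records[d]
        counts.update(pivot_keys(ip, ns))
    return {k for k, c in counts.items() if c >= min_seed_support}


def predict(records: Dict[str, Tuple[str, str]], seeds: Set[str],
            min_seed_support: int = 2) -> Dict[str, List[str]]:
    """Non-seed domains that share hot infrastructure, with the keys that linked them."""
    hot = hot_keys(records, seeds, min_seed_support)
    out: Dict[str, List[str]] = {}
    for d, (ip, ns) in records.items():
        if d in seeds:
            continue
        links = sorted(pivot_keys(ip, ns) & hot)
        if links:
            out[d] = links
    return out


def block_candidates(records: Dict[str, Tuple[str, str]], seeds: Set[str],
                     min_links: int = 2) -> List[str]:
    """Domains linked by at least `min_links` independent keys: the high-confidence tier."""
    return sorted(d for d, links in predict(records, seeds).items() if len(links) >= min_links)


if __name__ == "__main__":
    for d, links in predict(RECORDS, SEEDS).items():
        print(f"{d:20s} linked by {', '.join(links)}")
    print("block:", block_candidates(RECORDS, SEEDS))
```

The two-tier output matters in practice: `neighbor.example` shares only a /24 with the seeds, and a /24 on a shared hosting provider can hold thousands of unrelated customers, so a single link should raise a watch entry rather than a block. Only `new-lure.example`, which matches on both keys, clears the constructed `min_links` bar.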
For more information on this research, please visit:
OpenDNS Corporate Blog Post: https://blog.opendns.com/2015/11/19/opendns-cracks-predictive-security/
About OpenDNS (now a part of Cisco):
OpenDNS, acquired by Cisco in August 2015, is a leading provider of network security and DNS services, enabling the world to connect to the Internet with confidence on any device, anywhere, anytime. The Umbrella cloud-delivered network security service blocks advanced attacks, as well as malware, botnets and phishing threats, regardless of port, protocol or application. Its predictive intelligence uses machine learning to automate protection against emergent threats before they can reach customers. OpenDNS protects all devices globally without hardware to install or software to maintain. For more information, please visit: www.opendns.com.