Masquerading traffic is artificially generated traffic mixed within normal traffic. Detecting this behavior change is often difficult because of the random behavior of network traffic, causing most unsupervised and supervised statistical modeling to fail.
David Rodriguez explains how Cisco performs large-scale Bayesian inference on DNS logs to uncover masquerading traffic in count data, representing the number of requests from tens of millions of stub IPs made to hundreds of millions of domains. Using novel mixtures of common discrete distributions, or hidden Markov processes, the company models some of the most sporadic network traffic volumes to domain names. From zero-inflated Poisson (ZIP) and zero-inflated negative binomial (ZINB) distributions and their more generalized forms, it models the gaps in requests as if they were just as important as the requests themselves, teasing out underlying changes in request patterns.
The company then combines Apache Spark and Stripe’s Rainier to distribute and perform Bayesian modeling, running thousands of simulations (using MCMC methods), to fit the underlying requester patterns. David demonstrates how the parameters to these models offer insights into changes that aren’t easily discerned by eye. Only with hundreds of thousands of simulated and archived traffic patterns associated with benign and malicious network traffic can you begin to unravel how to reduce false alarms and effectively monitor evolving online threats and masquerading malicious traffic.
David Rodriguez is a senior research engineer at Cisco Umbrella (formerly OpenDNS). He has coauthored multiple pending patents with Cisco in distributed machine learning applications centered around deep learning and behavioral analytics. He’s a frequent speaker about machine learning in cybersecurity at conferences including Flink Forward, Black Hat, Flocon, Virus Bulletin, and HitBSEC. David holds an MA in mathematics from San Francisco State University.
©2019, O'Reilly Media, Inc. • (800) 889-8969 or (707) 827-7019 • Monday-Friday 7:30am-5pm PT • All trademarks and registered trademarks appearing on oreilly.com are the property of their respective owners. • firstname.lastname@example.org