• Skip to primary navigation
  • Skip to main content
  • Skip to footer

Cisco Umbrella

Enterprise network security

  • Contact Sales
  • Login
    • Umbrella Login
    • Cloudlock Login
  • Why Us
    • Why Cisco Umbrella
      • Why Try Umbrella
      • Why DNS Security
      • Why Umbrella SASE
      • Our Customers
      • Customer Stories
      • Why Cisco Secure
    • Fast Reliable Cloud
      • Global Cloud Architecture
      • Cloud Network Status
      • Global Cloud Network Activity
    • Unmatched Intelligence
      • A New Approach to Cybersecurity
      • Interactive Intelligence
      • Cyber Attack Prevention
      • Umbrella and Cisco Talos Threat Intelligence
    • Extensive Integrations
      • IT Security Integrations
      • Hardware Integrations
      • Meraki Integration
      • Cisco Umbrella and SecureX
  • Products
    • Cisco Umbrella Products
      • Cisco Umbrella Cloud Security Service
      • Recursive DNS Services
      • Cisco Umbrella SIG
      • Umbrella Investigate
      • What’s New
    • Product Packages
      • Cisco Umbrella Package Comparison
      • – DNS Security Essentials Package
      • – DNS Security Advantage Package
      • – SIG Essentials Package
      • – SIG Advantage Package
      • Umbrella Support Packages
    • Functionality
      • DNS-Layer Security
      • Secure Web Gateway
      • Cloud Access Security Broker (CASB)
      • Cloud Data Loss Prevention (DLP)
      • Cloud-Delivered Firewall
      • Cloud Malware Protection
      • Remote Browser Isolation (RBI)
    • Man on a laptop with headphones on. He is attending a Cisco Umbrella Live Demo
  • Solutions
    • SASE & SSE Solutions
      • Cisco Umbrella SASE
      • Secure Access Service Edge (SASE)
      • What is SASE
      • What is Security Service Edge (SSE)
    • Functionality Solutions
      • Web Content Filtering
      • Secure Direct Internet Access
      • Shadow IT Discovery & App Blocking
      • Fast Incident Response
      • Unified Threat Management
      • Protect Mobile Users
      • Securing Remote and Roaming Users
    • Network Solutions
      • Guest Wi-Fi Security
      • SD-WAN Security
      • Off-Network Endpoint Security
    • Industry Solutions
      • Government and Public Sector Cybersecurity
      • Financial Services Security
      • Cybersecurity for Manufacturing
      • Higher Education Security
      • K-12 Schools Security
      • Healthcare, Retail and Hospitality Security
      • Enterprise Cloud Security
      • Small Business Cybersecurity
  • Resources
    • Content Library
      • Top Resources
      • Cybersecurity Webinars
      • Events
      • Research Reports
      • Case Studies
      • Videos
      • Datasheets
      • eBooks
      • Solution Briefs
    • International Documents
      • Deutsch/German
      • Español/Spanish
      • Français/French
      • Italiano/Italian
      • 日本語/Japanese
    • Security Definitions
      • What is Secure Access Service Edge (SASE)
      • What is Security Service Edge (SSE)
      • What is a Cloud Access Security Broker (CASB)
      • Cyber Threat Categories and Definitions
    • For Customers
      • Support
      • Customer Success Webinars
      • Cisco Umbrella Studio
  • Trends & Threats
    • Market Trends
      • Hybrid Workforce
      • Rise of Remote Workers
      • Secure Internet Gateway (SIG)
    • Security Threats
      • How to Stop Phishing Attacks
      • Malware Detection and Protection
      • Ransomware is on the Rise
      • Cryptomining Malware Protection
      • Cybersecurity Threat Landscape
      • Global Cyber Threat Intelligence
    •  
    • Woman connecting confidently to any device anywhere
  • Partners
    • Channel Partners
      • Partner Program
      • Become a Partner
    • Service Providers
      • Secure Connectivity
      • Managed Security for MSSPs
      • Managed IT for MSPs
    •  
    • Person looking down at laptop. They are connecting and working securely
  • Blog
    • News & Product Posts
      • Latest Posts
      • Products & Services
      • Customer Focus
      • Feature Spotlight
    • Cybersecurity Posts
      • Security
      • Threats
      • Cybersecurity Threat Spotlight
      • Research
    •  
    • Register for a webinar - with illustration of connecting securely to the cloud
  • Contact Us
  • Umbrella Login
  • Cloudlock Login
  • Free Trial
Products & Services

OpenDNS Advances Predictive Security Using Data Science and Sound Wave Technology

Author avatar of Stephen LynchStephen Lynch
Updated — March 4, 2020 • 6 minute read
View blog >

In November 2012 at the SF Data Mining Meetup, OpenDNS CTO Dan Hubbard shared the stage with data scientists from Pandora. On the surface, the two companies couldn’t have appeared more different that night — one an Internet security company, the other an early pioneer in Internet radio. But when it comes to data science the companies are similar in that they both rely on having unique sets of data no other company can match.
During this particular meetup, Hubbard outlined a new approach to using data science for network security. He explained the unique view OpenDNS had of the world’s constantly-shifting Internet addresses and how this vantage point resulted in powerful insight into the traffic patterns of millions of daily users. Now, almost three years later under Hubbard’s leadership, OpenDNS is unveiling two new detection models that have been developed by the company’s data science team. The first new model, called Spike Rank (SPRank), is a detection system that uses mathematical concepts more commonly used to analyze sound waves in real time — much like similar techniques used for Pandora’s Music Genome Project. The second model, Predictive IP Space Monitoring, uses the clues uncovered by SPRank to anticipate attacks before they take place. Together the two models expand the company’s applied artificial intelligence system for blocking online attacks.
Taking a Data Science Approach to Security
From the beginning, Hubbard realized that OpenDNS’s millions of users around the world gave his team a dataset that was unlike any other, even among security companies. The company sees over 80 billion Internet requests daily and has access to years’ worth of network traffic data. Starting in 2012, Hubbard began to build the OpenDNS Security Labs research team, making sure to include a mix of specialized security researchers and hardcore data scientists. He was looking to adopt a hybrid approach that would use data-centric techniques to revolutionize traditional security research. One of the first researchers Hubbard brought on board was Dhia Mahjoub, Ph.D, a data scientist with specific expertise in distributed sensor networks.
During that same data mining meetup in 2012, OpenDNS’s research team outlined a model that already could predict domain names generated by the notorious Cryptolocker ransomware and some botnets. By late 2013, this predictive system could identify and block connections to the domain names used by malware — days or even weeks before attacks were launched.
As a next step, Mahjoub shifted focus to study the more complex attacks based on exploit kits, one of the most popular forms of malicious software used to infect computers. Once an unsuspecting user’s machine has been compromised, bad actors can add the infected machine to a botnet, steal online banking information, or install further malware. For example, in one recent case, a campaign taken down by Cisco’s Talos research team was estimated to generate more than $30 million for criminals, annually.
Through his work, Mahjoub discovered that the criminals behind the latest wave of attacks were using an entirely different set of approaches to hide the servers they set up to power their campaigns from detection. They would automate the process of using legitimate websites and domains that they had already hacked to make malicious web traffic look legitimate. Other criminals would launch entirely new domains, hosted in the dark corners of the Internet or use a network of proxy servers to hide their online activities. These evasion techniques made it very difficult for an automated system to detect if a new subdomain should be blocked or not, until a significant amount of time (weeks or months) had passed after an attack had already been launched.
Finding “Ghost Noises”
To tackle the problem of identifying criminals online, Mahjoub enlisted the help of fellow OpenDNS data scientist Thomas Mathew. Together, the two began looking for patterns in network requests for compromised websites — trying to find a method that would reliably detect these attacks. “We started asking ourselves questions such as ‘What are a set of features that are hard for criminals to change? What is something that people don’t really think about?’” Mathew said. “Then I realized…if you’re thinking about network traffic, it’s really nothing more than a waveform.”
How SPRank works
By looking at the network traffic in OpenDNS’s dataset as patterns, Mahjoub and Mathew could see that some domains (like gmail.com or amazon.com) have consistent high-volume incoming traffic. Others might have sudden spikes in traffic at regular intervals or follow some other pattern entirely. Mathew began cross-referencing these newly-discovered traffic patterns with the data already in Security Graph, OpenDNS’s database of “good” and “bad” Internet addresses. By examining how traffic patterns changed after they became malicious, Mathew realized that the traffic patterns closely echoed the sound waves that companies like Pandora classify every day.
“There’s already lots of mathematical theory that exists to describe sounds,” Mathew said. “Domains like Google and Yahoo! will have a similar ‘sound wave,’ because they get lots of regular traffic. The domains used in these attacks are only alive for a certain amount of time, so their patterns are much faster and shorter. To continue the analogy, these attacks sound like ghost noises — short beeps or chirps. Imagine a sound that appears for just a second and then is gone. You need to build a system that can match that pattern and identify those sounds as quickly as possible.”
Quickly, Mahjoub and Mathew discovered that this new system functioned as a kind of sonar for network security — it was able to quickly locate these transient patterns in the more than half a terabyte of traffic data that OpenDNS processes on an hourly basis. As they cross-referenced the domains tagged by SPRank (this new, patent-pending recognition system) with other systems, they found that it could identify these malware attack patterns with a high degree of accuracy. Now in production, the model identifies hundreds of compromised domains every hour — over a third of which are not detected by any other antivirus or antimalware scanner, according to VirusTotal. But even as they implemented a new system for identifying attacks in progress, the two wondered — how could they zero in on these attacks before they occurred?
How Effective is this Model?
Anticipating the Next Attack
After spending nearly two years studying how criminals were hiding “bad” domain names among “good” ones online, Mahjoub concluded that another model would be needed to predict attacks before they occur. Mahjoub used a more granular approach that catalogued the “fingerprints” left by bad actors’ collective infrastructure. He found that this method could identify over 300 new domains every hour that would be used to host malware in the future… allowing him to block these domains before an attack is ever launched.
Called Predictive IP Space Monitoring, this new model starts with the initial ‘clues’ found by SPRank. It uses eight major patterns in how servers are hosted to determine which domains will be the source of future malicious activity. For example, Mahjoub uncovered a new technique called domain shadowing, or using a compromised subdomain for a legitimate website (like “bad.opendns.com” instead of “opendns.com”) as the base for launching an attack. He also discovered how attackers could hide server addresses in a legitimate hosting provider’s infrastructure by manipulating the connections between networks. While no one indicator predicts an attack by itself, Mahjoub has been able to train his model over time by cross-referencing the list of predicted malicious servers with those that were actually involved in attacks.

Detecting Hacker Infrastructure
Click to enlarge

This new model essentially scores every step in the process that a criminal goes through to set up their own infrastructure — from choosing a hosting provider to deploying server images — to determine whether an attack is going to take place. By focusing on these unchangeable characteristics, Mahjoub’s model is able to ignore the individual evasion techniques that criminals employ and focus on identifying the overall pattern that precedes malicious activity.
“With this system, SPRank finds the clues, but analyzing the overall hosting infrastructure with Predictive IP Space Monitoring cracks open the case,” Mahjoub said.
Mahjoub is the first to say that this new artificial intelligence system in use at OpenDNS isn’t static. The point, he says, is that the bad guys are constantly finding new ways to hide online which forces the team’s own models to constantly adapt and learn from new data.
“When we build a model, it’s not like we can just build it and then go to bed,” Mahjoub said. “You need to constantly update it, because the bad guys are doing the same thing on their end.”
To learn more about this new approach to security, check out the OpenDNS Security Labs blog and infographic.

Suggested Blogs

  • Embrace SASE With Cisco February 28, 2023 3 minute read
  • Cisco Umbrella + Cisco Duo Are Better Together February 14, 2023 7 minute read
  • Cisco Enhances Cloud DLP With Unified Management and More December 8, 2022 3 minute read

Share this blog

FacebookTweetLinkedIn

Follow Us

  • Twitter
  • Facebook
  • LinkedIn
  • YouTube

Footer Sections

What we make

  • Cloud Security Service
  • DNS-Layer Network Security
  • Secure Web Gateway
  • Security Packages

Who we are

  • Global Cloud Architecture
  • Cloud Network Status
  • Cloud Network Activity
  • OpenDNS is now Umbrella
  • Cisco Umbrella Blog

Learn more

  • Webinars
  • Careers
  • Support
  • Cisco Umbrella Live Demo
  • Contact Sales
Umbrella by Cisco
208.67.222.222+208.67.220.220
2620:119:35::35+2620:119:53::53
Sign up for a Free Trial
  • Cisco Online Privacy Statement
  • Terms of Service
  • Sitemap

© 2023 Cisco Umbrella