Botconf Author Listing

Yohai Einav

Last known affiliation: Microsoft

Date: 2020-12-04
Honeypot + graph learning + reasoning = scale up your emerging threat analysis
Ali Fakeri-Tabrizi 🗣 | Hongliang Liu 🗣 | Anastasia Poliakova | Yohai Einav

Abstract (click to view)

You must see thousands of new threats hitting your honeypot, what would you do next? Buying more coffee for the security research team so they can keep analyzing more? At Alibaba Cloud, we have the same flood of emerging new threats in our honeypot and we want to present our work to scale up the new threat analysis, with our honeypot system, the graph learning algorithm and the reasoning framework, surely, the most important, human in the loop!

The real-life problem comes after having a large honeypot system. We see new bots in the honeypot every hour, and they also try their best to fool our honeypot. Alibaba Cloud security team’s honeypot supports ssh, telnet, and HTTP protocols, that allows us to catch attacks on different levels. However, with new attacks vectors, it might be difficult to track existing malicious comparing. An attacker can easily change the hash value of binaries, structure of a payload, or adopt new vulnerabilities to attack with the same set of TTP (Tactics, Techniques, and Procedures). To make it worse, such changes are happening every hour.

Date: 2017-12-08
Math + GPU + DNS = Cracking Locky Seeds in Real Time without Analyzing Samples
Yohai Einav 🗣 | Hongliang Liu | Alexey Sarychev

Abstract (click to view)

We propose and implement a sublinear hash-collision method on a GPU to search for dynamic Locky DGA seed in real-time DNS query traffic. By combining real-time DNS traffic and this fast search method, we successfully detected all dynamic Locky DGA seeds within seconds from their first appearance, and predicted all future C&C names from those seeds. These C&C names are distributed to production systems used by ISPs worldwide, where they’re blocked. They’re also shared with DGArchive and the security community.

Scroll to Top