This post outlines some experiments I ran using Auxiliary Loss Optimization for Hypothesis Augmentation (ALOHA) for DGA domain detection. (Update 2019–07–18) After getting feedback from one of the ALOHA paper authors, I modified my code to set loss weights for the auxilary targets as they did in their paper (Weights…

In this post, I share my experience in building and maintaining large collections of benign IOCs (whitelists) for Threat Intelligence and Machine Learning Research. Whitelisting is a useful concept in Threat Intelligence correlation since it can be very easy for benign observables to make their way into threat intelligence indicator…

Attempting to use DNS MX records to map the global Email Security Provider landscape. — If you have read my blog before, you may realize that I really love DNS data and dns analytics. In this post, I share some experiences in using mostly DNS data for identifying the visible footprint of popular email security providers. This may not be terribly novel, but it was…

In this post we explore a large collection of Sender Policy Framework (SPF) records to see what they might tell us about global email sending trust relationships and how they relate to email security providers. …

In this post, I share a few links of examples of using Weak Supervision for cyber security use cases. I was surprised that I couldn’t find more examples. According to wikipedia… Weak supervision is a branch of machine learning where noisy, limited, or imprecise sources are used to provide supervision…

In this post I share 9 links to resources related to Network Beacon detection. Network beacons are continuous automated communications between 2 hosts. …

In this short blog, I share 3 papers and 7 tools that focus on detecting cyber squatting domains (including typosquating, homograph, combosquatting, etc.). Detection of Cybersquatted Domains (Master’s Thesis) by Patrick Frischknecht Hiding in plain sight: A longitudinal study of combosquatting abuse Seven months’ worth of mistakes: A longitudinal study of typosquatting abuse Tools for generating cybersquatting domains (for use in detection)

In this short blog, I share six papers that focus on detecting malicious lateral movement (a.k.a. pivoting, a.k.a. island hopping). (Update 2021–06–06: Added 2 more recent lateral movement papers) (Update 2022–05–15: Added 2 more recent lateral movement papers + 2 datsets) Papers: Latte: Large-Scale Lateral Movement Detection Detection and Threat…

In this short blog, I share seven papers that focus on detecting Dictionary Domain Generation Algorithm (DGA) domains, A.K.A. Word-based DGAs. Dictionary DGAs are algorithms seen in various malware families (suppobox, matsnu, gozi, rovnix, etc.) that are used to periodically generate a large number of domain names that use pseudo-randomly…