Regular Expression in Network Security

The table shows IPs within an office network that queried suspicious DNS domain names. Because these names are composed of random strings, they indicate that some devices (laptops or wireless switches) inside the network were compromised.
To detect such strange DNS names, we first perform DNS protocol analysis on the network traffic. The analyzed results are stored as metadata: the DNS request metadata records which domain name a client asked to resolve, and the DNS response metadata records which IP address was returned for that domain name. The metadata are then normalized and stored in ES (Elasticsearch) for big-data analysis. This ETL process is carried out by an intelligent TAP (iTAP) on mirrored network traffic, so no production server is affected.
A DNS name is divided into levels. In www.yahoo.com, "com" is the first level, "yahoo" is the second, and so on. To extract the first-level domain, we can query ES with a regular expression. This feature is very powerful: one line of regular expression can do as much work as hundreds of lines of code.
The iTAP handles line rates of 10 Gbps and above, and because the metadata are highly compressed, regular expressions can be applied effectively even without hardware accelerators.
Enjoy ES regular expressions!
© 2013-2019 IDO-NET All rights reserved.