© SOLIDA SYSTEMS INTERNATIONAL 2017
4. Reputation Based Detection
4.1 Overview
The most basic form of intrusion and malware detection falls under the category of reputation-based detection. This type of detection works by identifying communication with unfriendly hosts on the Internet: hosts that are believed to be malicious based on a reputation for previous or ongoing malicious activity.
Reputation-based detection is performed by comparing requested IP addresses and domain names against a reputation list of hosts with negative reputations. Solida appliances download lists keyed on both domain names and IP addresses. The data in these lists is processed and stored in hash tables, so that fast lookups can be performed against them in real time. These lists are automatically downloaded from a cloud-based service provided by Solida Systems.
Both DNS queries and HTTP requests are monitored and compared against the reputation list. If a hit is detected, the request can either be flagged as suspicious or dropped completely. It is important to recognize that a hit in a reputation blacklist does not always mean a host is malicious. Hosts that were previously infected might have been cleaned up before the list maintainers registered this, and an address shared by many sites (a CDN edge or a shared hosting server) can appear on a list because of a single bad tenant. Flagging rather than dropping is therefore the safer default until a hit has been investigated.
4.2 DGA List
The most important data in the threat feed is the list of domain names generated by Domain Generation Algorithms (DGAs). Many ransomware families and other serious malware use a DGA to generate a large number of domain names, which the malware then tries in turn in order to reach its command and control (C2) server. The large number of automatically generated domain names makes it difficult to track and shut down these C2 servers, since only a handful of the names ever need to be registered.
Most DGA engines use time as the deciding factor for which domain name to generate. Because the algorithm is deterministic, the hacker who wrote it can predict which domain names the malware will generate at any given time, and so can be ready when the malware attempts to connect. When the hacker decides it is time to give the malware C2 access, the hacker simply registers, with a commercial registrar, a domain that the DGA will generate in the near future and points it at the C2 server. When the malware tries that DGA-generated domain, the connection suddenly succeeds, and at that point the malware knows it has found its C2 server. The same determinism works for the defender: with the algorithm and its seed in hand, the upcoming domains can be generated ahead of time and blocked before they are ever registered.
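The following is an added example, not code from Solida or from any real malware family, that ties together the two mechanisms described above: a time-seeded DGA whose output can be precomputed for a window of days, the precomputed names stored in a hash set for constant-time lookups (the hash-table approach described in the overview), and a check of DNS query log lines against that set. The DGA itself, its seed, the date window, and the log lines are all constructed here for illustration; the point is that because the generator depends only on the date and a fixed seed, the defender can enumerate the same names the attacker will register.

```python
from __future__ import annotations

import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "org")


def toy_dga(day: date, seed: bytes = b"example-seed", count: int = 5, length: int = 12) -> list[str]:
    """Illustrative time-seeded DGA (constructed for this example, not a real family).

    Output depends only on (day, seed), so attacker and defender can both
    compute it in advance. Each domain is a SHA-256 of seed || date || index,
    mapped onto lowercase letters, plus a TLD chosen from the last hash byte.
    """
    domains = []
    for i in range(count):
        h = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in h[:length])
        domains.append(f"{label}.{TLDS[h[-1] % len(TLDS)]}")
    return domains


def build_blocklist(start: date, days_ahead: int) -> frozenset[str]:
    """Precompute the DGA output for a window of days into a hash set.

    A set gives O(1) membership checks, which is what makes in-line checking
    of every DNS query feasible even with a very large name list.
    """
    names: set[str] = set()
    for offset in range(days_ahead):
        names.update(toy_dga(start + timedelta(days=offset)))
    return frozenset(names)


def normalize(qname: str) -> str:
    """Canonicalize a query name: strip the trailing root dot, lowercase."""
    return qname.rstrip(".").lower()


def check_dns_log(lines: list[str], blocklist: frozenset[str]) -> list[tuple[str, str]]:
    """Return (client, qname) for every query whose name is on the blocklist.

    Lines follow a constructed "<timestamp> <client-ip> <qname>" format;
    malformed lines are skipped rather than raising.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        _, client, qname = parts
        qname = normalize(qname)
        if qname in blocklist:
            hits.append((client, qname))
    return hits


# Fixed start date so the example is deterministic; the window is deliberately short.
START = date(2017, 6, 1)
BLOCKLIST = build_blocklist(START, days_ahead=7)

# Constructed sample log lines (not real traffic). Line 2 is a DGA name for a day
# inside the precomputed window, written in mixed case with a trailing dot to show
# normalization; line 3 is a DGA name 30 days out, beyond the window, and is missed.
SAMPLE_LOG = [
    "2017-06-03T10:00:01 10.0.0.5 www.example.com.",
    f"2017-06-03T10:00:02 10.0.0.5 {toy_dga(START + timedelta(days=2))[0].upper()}.",
    f"2017-06-03T10:00:03 10.0.0.7 {toy_dga(START + timedelta(days=30))[0]}",
    "2017-06-03T10:00:04 10.0.0.9 updates.example.net",
]


def demo() -> list[tuple[str, str]]:
    """Run the sample log through the blocklist and return the hits."""
    return check_dns_log(SAMPLE_LOG, BLOCKLIST)


if __name__ == "__main__":
    for client, qname in demo():
        print(f"DGA hit: {client} queried {qname}")
```

The missed third line is the practical caveat: a precomputed list only covers the days it was generated for, so the generator has to be re-run continuously and the appliance's list refreshed, which is why the feed is produced by keeping harvested DGA engines running rather than by a one-off export.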
The Solida threat list contains a very large number of DGA domain names. These domain names are generated by actual DGA engines harvested from malware samples collected from the Internet. These DGA engines run on a server, generating their time-based domain names. This