Exploring botnets in VR

by Asaf Nadler on May 13, 2019

By Asaf Nadler & Lior Lahav

Botnets often use domain generation algorithms (DGAs) to select a domain name, which bots use to establish communication channels with their command and control servers (C2). Since Akamai analyzes over 2.2 trillion DNS requests per day, and detects thousands of active algorithmically generated domains (AGDs) per hour, our data science team decided to try to dive a little deeper

The team constantly explores different techniques to visualize the thousands of AGDs detected daily in a form that both represents the volume of AGDs and relationships between these botnets. What better way to explore the visual representation than with VR?

That’s exactly what we did – we recently presented a virtual reality demo at the Cybertech TLV 2019 conference where conference attendee’s donned a VR headset and took a trip through algorithmically generated domains.

How would we map algorithmically generated domain names to points in space? In a previous Akamai blog post, we’ve presented the Domain2Vec system that assigns domain names with a numeric vector representation such that domains are mutually accessed with be assigned with vectors that are in proximity to one another. The Domain2Vec system is set to output representations in a 100 dimension space to capture an ideal amount of information about the interrelations between domain names. For instance: the domain “example.com” will be mapped to a vector (x1, x2, x3, …, x100).

Because humans have a hard time easily understanding data with 100 different dimensions, it can be challenging to explore questions about the relationships between botnets. Our solution? We thought outside the box, and decided that we were going to project the high-dimensional space to a 3D space using a dimensionality reduction algorithm called T-SNE. From there, we would then visualize that 3D data in virtual reality. This solution allows researchers to “fly” through the space of domain names (AGD) where groups of AGDs that are mutually accessed appear as a dense cluster.

Yes, you read that right. People had the chance to fly through our data.

We developed a demo of this experience using Unity, which is a cross-platform game engine. During development, we encouraged employees at the Tel Aviv office to interact with it.

Who wouldn’t want to interact and explore botnets?

Bringing this experience to Cybertech TLV 2019 allowed security professionals and enthusiastic visitors to really dive deep into the botnet landscape in a way that hasn’t been readily available. For instance, some visitors decided to explore the set of recently detected algorithmically generated domains that were generated by the Necurs spambot, while others would focus on ones that were generated by the Ramnit banking trojan. Based on the focus points, we could provide additional information about the botnet while the visitors visualize it.

We can’t wait to see how we can utilize this new visualization, and we can’t wait until the next opportunity we have to bring this experience to another conference soon. Stay tuned to see when you might be able to take a tour through our data with the help of VR.