In the previous article, we looked at how to present a course / diploma project to students, or how to build a "tower" starting from the second floor. Let's build such a "tower" together, using the still-relevant topic of DNS traffic analysis and filtering as the example, and follow how the "tower", widening at its lower floors, turns into a "pyramid" and how that helps the teacher.
What we already know from the previous article
Let's summarize the stages of preparation and presentation in a table and distribute them across the floors of the future "tower". Recall that in this methodology:
- the work of the teacher begins with the second floor of the training (left column of the table);
- the fifth, fourth, and sometimes the third floors can be used practically without changes for a number of course / diploma projects.
Preparation and study of the topic (bottom up) | "Floors" | Presentation of the topic (top down) |
---|---|---|
A selection of relevant companies that [most likely] have similar business tasks | 5 | Business problem with examples of demand in the market |
Generalization of a separate business function to a major business problem | 4 | Decomposition of the business task into separate simple business functions, each usually within the reach of one specialist / developer |
Projection onto the business function | 3 | Formalization [with the necessary simplification] of the business function as a transition to the study material |
Main learning task | 2 | Getting a formalized task (and constraints for it) |
A set of simple tasks | 1 | Decomposition of the task into a set of simple [sub]tasks |
[Assumed] student knowledge | 0 (foundation) | Discussion and questions on understanding the material |
When the "tower" is built
5th floor
In the market for information security tools, there is demand for solutions that protect the networks of enterprises and organizations, including network providers. Many of the solutions on offer include functionality for monitoring, analyzing and filtering DNS traffic. These are not only boxed software solutions that the customer deploys on demand, but also services in which DNS traffic is processed on external servers.
4th floor
Monitoring should be carried out on the fly, so that it does not affect the speed at which consumers work. This means that the system must decide immediately, without delay, whether what has arrived is "good" or "bad" and how to respond to it, because afterwards it is almost impossible to influence the situation (responses are cached on the clients, and only the DNS traffic, not all traffic, may reach the monitoring system).
The system must be high-performance, scalable and fault tolerant. At the same time, it must be able to use various filtering techniques: user lists, its own lists and classifications, requirements of regulators, and detection of anomalous activity (DNS tunneling, trying out names in search of C&C servers).
3rd floor
Black / white lists alone are not enough: they go stale too quickly and require tremendous effort to keep constantly updated, so heuristic methods are needed. For example, a combination of several simple methods, none of which provides a reliable answer on its own.
2nd floor
Each domain has a number of characteristics, for example, creation date, hosting, owner, similarity to domains from black / white lists, length, usage statistics, etc. Obviously, some characteristics belong to the specific domain, and some to other objects: the domain zone, clients (statistics, typical use), hosting providers / registrars / owners, the IP addresses / ranges obtained, etc.
You must select a certain set of such characteristics, introduce metrics for them (how old for the creation date, reputation for the hosting or zone, whether the owner is an individual or a large company), calculate their impact on the final integral domain assessment, for example through weighting factors, and set a threshold value.
Solutions can be different, from neural networks to a set of tables recalculated on a separate cluster.
2nd floor ver 2.0
No, we will not descend to the 1st floor and go into the separate subtasks now; that is done with reference to the course being taught (with more emphasis on math, programming or administration). In addition, it is necessary to take into account the interests, hobbies, strengths and weaknesses of the students.
Note that there can be several solutions, or more precisely, there are many possible solutions and even more possible implementations.
These solutions can and should be compared with each other:
- by the chosen algorithm;
- by performance;
- by errors of the first and second kind;
- by the complexity of support, scalability, cost of ownership, etc.
Thus, previously completed projects do not lose their relevance: they can be used in comparisons, they can serve as tasks for optimization, and they can serve as a benchmark for some criteria (speed, errors, etc.).
The comparison tasks themselves (selecting the criterion and justifying the methodology, preparing and carrying out the comparison: complexity assessment, load testing, relevant materials for identifying errors of the first and second kind) can also become separate projects.
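The weighted integral assessment from the 2nd floor and the comparison by errors of the first and second kind, as an example added here (it is not code from the original article). The weights, threshold, metric formulas, field names and sample domains are all assumptions constructed for illustration.

```python
from datetime import date

# Hypothetical weights and threshold; a real project would tune them on labelled data.
WEIGHTS = {"age": 0.35, "zone": 0.20, "length": 0.15, "similarity": 0.30}
THRESHOLD = 0.5
TODAY = date(2024, 1, 1)  # fixed so the example is reproducible

def metrics(d):
    """Turn raw characteristics into risk metrics in [0, 1] (1 = most suspicious)."""
    age_days = (TODAY - d["created"]).days
    return {
        "age": max(0.0, 1.0 - age_days / 365),   # under a year old -> riskier
        "zone": 1.0 - d["zone_rep"],              # zone reputation given in [0, 1]
        "length": min(1.0, max(0, len(d["name"]) - 15) / 30),
        "similarity": d["bl_sim"],                # similarity to blacklist, in [0, 1]
    }

def score(d):
    """Integral assessment: weighted sum of the individual metrics."""
    m = metrics(d)
    return sum(WEIGHTS[k] * m[k] for k in WEIGHTS)

def error_rates(sample, threshold=THRESHOLD):
    """Return (first kind: share of good domains blocked,
    second kind: share of bad domains let through)."""
    good = [d for d in sample if not d["bad"]]
    bad = [d for d in sample if d["bad"]]
    fp = sum(score(d) >= threshold for d in good)
    fn = sum(score(d) < threshold for d in bad)
    return fp / len(good), fn / len(bad)

# Constructed sample: name, creation date, zone reputation, blacklist similarity, label.
SAMPLE = [
    {"name": "example.com", "created": date(2005, 1, 1),
     "zone_rep": 0.9, "bl_sim": 0.0, "bad": False},
    {"name": "new-shop.example", "created": date(2023, 11, 1),
     "zone_rep": 0.8, "bl_sim": 0.1, "bad": False},
    {"name": "x7f3k9q2mz81hd0a4v.example", "created": date(2023, 12, 20),
     "zone_rep": 0.2, "bl_sim": 0.7, "bad": True},
    {"name": "examplebank-login.example", "created": date(2023, 6, 1),
     "zone_rep": 0.6, "bl_sim": 0.9, "bad": True},
]

if __name__ == "__main__":
    for t in (0.3, 0.5, 0.6):  # lower threshold blocks more, higher one misses more
        print(t, error_rates(SAMPLE, t))
```

Running the same labelled sample through two different scoring functions, or through one function at several thresholds, gives the pair of error rates on which student solutions can be compared.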
Instead of conclusion
IT and information security specialists often have to choose one of several products with similar functionality on the market, and experience of meaningful comparison, when there is more than just a sign from the supplier, is both necessary and useful.
By reusing the accumulated material, you can improve the result rather than slide into REPETITIO EST MATER STUDIORUM. That is how the "tower" turns into a "pyramid".
Constructive suggestions and criticism are welcome.