AI threat detection

Does the AI detect malicious domains on the spot when a user tries to access the domain? Or does it discover new domains and create a blacklist of the malicious ones?

20 replies

    • Hey
    • 1 yr ago

    I'd say logic would say it's done on the spot as having a filter would break the entire use, as it's meant to be an extra 0 day layer.

    Although I have no confirmation, I've tried to understand it when it first came out, if Malicious or Malvertisement website was up, it would detect the site, when the same site was down, it wouldn't detect it. So I would say from what I've seen it seems as if it's on the spot analysis. But I can't guarantee, until we ask them.

      • Hey
      • 1 yr ago

      To clarify, it's not on DNS request. Which I thought it was.

      "We use passive logs to detect new domains and we are constantly crawling millions of domains for detection in order to have a timely response."

      That's a direct quote, and as for why they don't do it.

      "Detection is not done on the DNS server itself at request time if it is your question. That would not scale and would impact performance."

      So, not what I was hoping for but wanted to clarify asap as I don't want to spread misinformation.

      I wouldn't lie if I said I would have been extremely happy if it was based on request though, and the behavior of it catching a few hour old reports from lesser known sites for me implied that it did. So it still works quite amazingly, but it would have been nice to have request based detection but, in terms of how they said it would impact the performance and speed, it's the right move.

      I'd also like to say that I tried to explain that I was assuming in the first comment, if I haven't made it clear sorry about that. Made a mistake with my assumption, so if I didn't explain properly sorry about that, gotta own up to my mistakes.

      • Hey
      • 1 yr ago

      I'd also add that, with how quick it picks it up and how it made me think that it was doing these live, it's still a great layer and I'd still recommend turning it on.

      It would have been better for it to do it on request basis as if a domain just went live, until it was found somewhere it could be a threat. So it's not perfect and I'd have liked to see it that way.

      But on that note if it was going to impact anything such as Price, Speed, Length and add processing and complications etc. With how quick it picks up threats that were reported 30 minutes or less. They are still doing it well to a point where I would keep saying that it's amazing.

      • Sohan_Ray
      • 1 yr ago

      Hey Yeah probably, but the thing is I find the NextDNS team pretty inactive. I had asked this question in the GitHub, but got no answer. Many such questions go unanswered for weeks and more and they don't pay any attention.

      Although from what I have read about DNSFilter, their AI works in a way where the AI discovers malicious domains by itself and then adds them to their blacklisted domains list. And I think the AI and Machine learning in CleanBrowsing also works in the same way.

      • Sohan_Ray
      • 1 yr ago

      Sohan Ray One big doubt I had additionally is that does this AI of NextDNS have machine learning capabilities? Because if it doesn't it'll have to be manually improved every time there's some new kind of malicious threats out there. And seeing NextDNS people so inactive I wonder how much the AI would update to detect new kind of threats.

      • Hey
      • 1 yr ago

      Sohan Ray The basic function of the AI is to, well detect unknown threats and also be trained on the basis of bad sites and good sites so it can slowly figure out what's good and what's bad. So I'd say that, there is a machine learning layer ofc.

      For how much they update it, that part I don't know about, but compared to DNSFilter, a company focused on it, it was pulling ahead, even if it wasn't a huge percentile in terms of pure AI capabilities.

      At the bottom of the page, I've also re-quoted a new reply as it makes far more sense, what they do is, constantly monitor for new domains and use crawlers to find and blacklist domains as fast as possible, that worked out in my mind because I knew most of the domains I've tested against DNSFilter were less than 30 minutes old and had, new domains that were registered on that day.

      So it would seem as they are all using a similar method, not live on the spot but scanning actively for malware.

      The only question I have is, are you sure about the DNSFilter making a blacklist part, when I was trying to visit malicious pages, nearly every time there would be a loading page beforehand, after that it would show why it was blocked as if it was running the scan live on the spot.

      For their activeness, they aren't super active on the forums but in terms of problems and backend stuff seems quick, when the .co.uk thing happened, I thought someone was having an issue instead of the entire service having one because by the time it was reported and I got to see the thread that day, they fixed the problem. So it would seem that they monitor the service quite often, so that hopefully applies to their functions, but I don't know about it exactly.

      • Hey
      • 1 yr ago

      "DNSFilter is the only DNS threat protection providing real-time domain analysis" seems as if DNSFilter does it real-time. That's actually interesting as, on my testing, it had a lower detection ratio. So what NextDNS said about it being better than a live system would hold true.

      That's why the loading screen was popping up on DNSFilter's end I guess. I'm surprised that a better made scanner/crawler outperforms real-time.

      I guess there are optimizations, seems like the whole Apple having less RAM but keeping more apps than an Android device with double the RAM scenario. I'm honestly surprised but it makes sense.

      • Sohan_Ray
      • 1 yr ago

      Hey I had actually visited DNSFilter website and looked at their comparison to NextDNS. You can read the file attached which mentions the details.

      • Sohan_Ray
      • 1 yr ago

      Hey well then the working methodology of AI in NextDNS is well and good. Only I hope the detected malicious domains are recorded and saved to the blacklist and not just saved temporarily.

      • Hey
      • 1 yr ago

      Sohan Ray I'd really like to look into the date of the publication as there was no clear comparison of the AI capabilities as if it doesn't have it. So I think it might be an older report before NextDNS announced its AI. They also didn't compare against real world malware.

      • Hey
      • 1 yr ago

      Sohan Ray I didn't do an older test as of right now, but from the easy test by a script, out of the 823 Domains that were blocked 562 were blocked With AI-Driven-Threat detection. That gives a solid detection ratio of 68.29 so that purely by the AI would incline me to say it's doing a pretty great job.

      They explained that instead of on lookup they check the domains when they come out and use crawlers and generally keep it up to date by regularly scanning them.

      My initial thought when I learned it wasn't live was how is it outperforming an on-request result, it would seem as a better made system that auto scans new domains and keeps them scanned outperforms a live one. I really wish I could compare against DNSFilter, I'll try to get access from a friend if possible.

      • Sohan_Ray
      • 1 yr ago

      Hey ok! Let me know when you check the domains against Quad9 and CleanBrowsing. 

      • Sohan_Ray
      • 1 yr ago

      Hey yes you're right. The comparison was done when NextDNS hadn't introduced its AI. But if you read along, it says that DNSFilter AI discovers malicious domains and then adds them to their blacklists.

      I wonder if NextDNS AI does that too. Discover malicious domains and then add them to the blacklist database for as long as they are a threat, no matter how long, years, decades, whatever the case.

      • Sohan_Ray
      • 1 yr ago

      Sohan Ray Also I really hope the AI has machine learning techniques too, as without it soon it'll lose its effectiveness against detecting malicious domains, that would have evolved.

      • Hey
      • 1 yr ago

      Sohan Ray A friend graciously gave me a DNSFilter account, thanks to him and his purchase lol. Currency exchanges man, things get rough sometimes. Anyways I also have results from their analysis.

      • Hey
      • 1 yr ago

      Sohan Ray 49.8%+5% (Different categories) so 54.8% blocked by their Entire process, they don't specify AI exactly but I'm guessing it is, the rest is Blocked By their Newly Registered Domains. So a nearly clean sheet on both ends but without Newly Registered domain blocking, it would have missed quite a lot. They also missed 5 but not bad honestly out of 823 that's more than acceptable and quite amazing to see both perform highly. This should answer your AI concerns. I'll dm you and anyone else who sends a dm the results of Quad9 and CleanBrowsing as I don't want to fill the forums.

      • Hey
      • 1 yr ago

      Sohan Ray I can't comment on those details about the AI since I honestly don't know, I'd guess so but I'd rather not ask a ton of questions to them.

      • Sohan_Ray
      • 1 yr ago

      Hey ok👍🏻 Got it! 

    • Hey
    • 1 yr ago

    New update on how it works, my initial assumption isn't exactly it but instead of doing it on Query they do it when the domain comes up, here is an exact quote.

    "To be clear, our system is better than live as we perform detection on domains as soon as they come into existence (before you would even query them for the first time) and keep scanning them on a regular basis. We use different ways to learn about those domains which is also used for NRD."

    I was honestly a little surprised about the response since I compared it to DNSFilter and that's meant to be live and it was even better, so it didn't make sense in my head.

    Now it makes far more sense for why and how it's able to detect new domains so quickly and matches my initial statement of 0 day security.

    So happy to say, I was wrong, but the security given is somehow even better than live as I've seen from my testing against a live system through DNSFilter where NextDNS was better at detection.

    This answers the question I had when I initially had the first response,

    Okay so it's not live but somehow detects threats that were reported less than 30 minutes ago (Newly Registered on that day as well) and gets a better result than DNSFilter, so I was questioning my method of testing and if I was making a mistake with my methodology.

    Hopefully this answers your question as well, it made me understand their way of doing this a lot better personally.

    • TIBCSI66
    • 3 wk ago

    It's worth using?

    I'm also asking because of the beta status.
