Abstract
Networked machines serving as binary distribution points, C&C channels, or drop sites are a ubiquitous aspect of malware infrastructure. By sandboxing malcode one can extract the network endpoints (i.e., domains and URL paths) contacted during execution. Some endpoints are benign, e.g., connectivity tests. Exclusively malicious destinations, however, can serve as signatures enabling network alarms. Often these behavioral distinctions are drawn by expert analysts, resulting in considerable cost and labeling latency.
Leveraging 28,000 expert-labeled endpoints derived from ≈100k malware binaries, this paper characterizes those domains/URLs towards prioritizing manual efforts and automatic signature generation. Our analysis focuses on endpoints’ static metadata properties and not network payloads or routing dynamics. Performance validates this straightforward approach, achieving 99.4% accuracy at binary threat classification and 93% accuracy on the more granular task of severity prediction. This performance is driven by features capturing a domain’s behavioral history and registration properties. More qualitatively, we discover the prominent role that dynamic DNS providers and “shared-use” public services play as perpetrators seek agile and cost-effective hosting infrastructure.
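The abstract describes the pipeline only at a high level: sandbox runs yield endpoints, static metadata (registration properties, behavioral history, dynamic DNS and shared-use hosting) is attached to each one, and the result is used to prioritize analyst labeling and to decide what can safely become a network signature. The following Python script is an added illustration of that workflow and is not the paper's code; its feature set, scoring weights, provider catalogues, registration dates and sandbox observations are all constructed for the example, and `registered_domain()` uses a two-label simplification where a real system would consult the public suffix list.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional
from urllib.parse import urlsplit

REFERENCE_DATE = date(2014, 1, 1)  # fixed "today" so age features are deterministic

# Constructed sandbox output: (sample_id, endpoint URL the sample contacted).
OBSERVATIONS = [
    ("s001", "http://connectivity-check.example.net/ncsi.txt"),
    ("s002", "http://connectivity-check.example.net/ncsi.txt"),
    ("s003", "http://connectivity-check.example.net/ncsi.txt"),
    ("s001", "http://host77.dyn-example.org/gate.php"),
    ("s004", "http://host77.dyn-example.org/gate.php"),
    ("s002", "http://paste.shared-example.com/raw/k9f2"),
    ("s005", "http://newly-registered-example.biz/dl/payload.bin"),
]

# Hypothetical catalogues; a deployment would curate these from provider lists.
DYNAMIC_DNS_DOMAINS = {"dyn-example.org"}
SHARED_USE_HOSTS = {"paste.shared-example.com"}

# Constructed registration data (registered domain -> creation date), as WHOIS would supply.
REGISTRATION_DATE = {
    "example.net": date(2001, 3, 14),
    "dyn-example.org": date(2005, 6, 1),
    "shared-example.com": date(2008, 9, 9),
    "newly-registered-example.biz": date(2013, 12, 20),
}

# Constructed behavioral history: earlier analyst verdicts on endpoints under each registered domain.
PRIOR_VERDICTS = {
    "example.net": ["benign"] * 5,
    "dyn-example.org": ["malicious", "malicious", "benign"],
}


def registered_domain(host: str) -> str:
    """Last two labels of the hostname (simplification: real code uses the public suffix list)."""
    return ".".join(host.split(".")[-2:])


@dataclass
class EndpointFeatures:
    url: str
    host: str
    reg_domain: str
    dynamic_dns: bool
    shared_use: bool
    domain_age_days: Optional[int]   # None when no registration record is known
    prevalence: int                  # distinct sandboxed samples that contacted this endpoint
    prior_malicious_ratio: float     # share of earlier verdicts on this domain that were malicious


def extract_features(observations) -> list[EndpointFeatures]:
    """Collapse raw sandbox observations into one metadata record per endpoint."""
    samples_per_url: dict[str, set[str]] = defaultdict(set)
    for sample_id, url in observations:
        samples_per_url[url].add(sample_id)
    feats = []
    for url, samples in samples_per_url.items():
        host = urlsplit(url).hostname or ""
        reg = registered_domain(host)
        created = REGISTRATION_DATE.get(reg)
        verdicts = PRIOR_VERDICTS.get(reg, [])
        feats.append(EndpointFeatures(
            url=url, host=host, reg_domain=reg,
            dynamic_dns=reg in DYNAMIC_DNS_DOMAINS,
            shared_use=host in SHARED_USE_HOSTS,
            domain_age_days=(REFERENCE_DATE - created).days if created else None,
            prevalence=len(samples),
            prior_malicious_ratio=(verdicts.count("malicious") / len(verdicts)) if verdicts else 0.0,
        ))
    return feats


def signature_scope(f: EndpointFeatures) -> str:
    """Narrowest unit a network signature could match on without hitting legitimate users."""
    if f.shared_use:
        return "url"        # the service hosts everyone; only the specific path is indicative
    if f.dynamic_dns:
        return "hostname"   # the provider's registered domain is shared; the subdomain is not
    return "domain"


def triage_score(f: EndpointFeatures) -> float:
    """Heuristic analyst-queue priority (higher = review sooner). Illustrative weights only."""
    score = 0.0
    if f.domain_age_days is None or f.domain_age_days < 90:
        score += 2.0                          # young or unknown registration
    score += 2.0 * f.prior_malicious_ratio    # behavioral history of the domain
    if f.dynamic_dns:
        score += 1.0
    if f.prevalence >= 3 and f.prior_malicious_ratio == 0.0:
        score -= 1.0                          # widely contacted, never flagged: likely a connectivity test
    return score


def rank_for_analyst(observations) -> list[EndpointFeatures]:
    """Endpoints ordered so the most suspicious, least-understood ones are labeled first."""
    return sorted(extract_features(observations), key=triage_score, reverse=True)


if __name__ == "__main__":
    for f in rank_for_analyst(OBSERVATIONS):
        print(f"{triage_score(f):5.2f}  scope={signature_scope(f):8s}  {f.url}")
```

Run as a script, the constructed data puts the dynamic DNS gate and the days-old domain at the top of the queue, while the connectivity-test URL contacted by many samples with a clean history sinks to the bottom; the `signature_scope` column records that the paste service can only ever be matched on its full URL, which is the point the abstract makes about shared-use hosting.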
© 2014 Springer International Publishing Switzerland
Cite this paper
West, A.G., Mohaisen, A. (2014). Metadata-Driven Threat Classification of Network Endpoints Appearing in Malware. In: Dietrich, S. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2014. Lecture Notes in Computer Science, vol 8550. Springer, Cham. https://doi.org/10.1007/978-3-319-08509-8_9
DOI: https://doi.org/10.1007/978-3-319-08509-8_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-08508-1
Online ISBN: 978-3-319-08509-8