
Metadata-Driven Threat Classification of Network Endpoints Appearing in Malware

  • Conference paper
Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2014)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8550)

Abstract

Networked machines serving as binary distribution points, C&C channels, or drop sites are a ubiquitous aspect of malware infrastructure. By sandboxing malcode one can extract the network endpoints (i.e., domains and URL paths) contacted during execution. Some endpoints are benign, e.g., connectivity tests. Exclusively malicious destinations, however, can serve as signatures enabling network alarms. Often these behavioral distinctions are drawn by expert analysts, resulting in considerable cost and labeling latency.

Leveraging 28,000 expert-labeled endpoints derived from ≈100k malware binaries, this paper characterizes those domains/URLs with the aim of prioritizing manual efforts and automatic signature generation. Our analysis focuses on endpoints’ static metadata properties, not on network payloads or routing dynamics. Performance validates this straightforward approach, achieving 99.4% accuracy at binary threat classification and 93% accuracy on the more granular task of severity prediction. This performance is driven by features capturing a domain’s behavioral history and registration properties. More qualitatively, we discover the prominent role that dynamic DNS providers and “shared-use” public services play as perpetrators seek agile and cost-effective hosting infrastructure.




Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

West, A.G., Mohaisen, A. (2014). Metadata-Driven Threat Classification of Network Endpoints Appearing in Malware. In: Dietrich, S. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2014. Lecture Notes in Computer Science, vol 8550. Springer, Cham. https://doi.org/10.1007/978-3-319-08509-8_9

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-08509-8_9

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-08508-1

  • Online ISBN: 978-3-319-08509-8
