
A Spatio-Temporal malware and country clustering algorithm: 2012 IIJ MITF case study

  • Regular Contribution
International Journal of Information Security

Abstract

A huge number of botnet malware variants can be downloaded by zombie personal computers as secondary injections and upgrades at their botmasters' direction, in order to perform different distributed or coordinated cyber attacks such as phishing, spam e-mail, malicious Web sites, ransomware and DDoS. To generate a faster response to new threats and a better understanding of botnet activities, grouping these variants by their malicious behaviors has become extremely important. This paper presents a Spatio-Temporal malware clustering algorithm based on weekly-hourly-country features. The dataset contains more than 32 million malware download logs from 100 honeypots set up by the Malware Investigation Task Force (MITF) of Internet Initiative Japan Inc. (IIJ) from 2011 to 2012. The Top-20 malware clustering results coincidentally correspond to Conficker.B and Conficker.C, with relatively high precision and recall rates of up to 100.0 and 88.9 % for the former and 91.7 and 100.0 % for the latter. On the other hand, the resulting two clusters of Top-20 countries are comparable to those with high and low growth rates reported in 2015 by Asghari et al. Therefore, our approach can be validated and evaluated to yield precision and recall of up to 75.0 and 86.7 %, respectively.
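To make the weekly-hourly-country feature space and the precision/recall evaluation from the abstract concrete, here is an added Python example that is not the paper's code: it builds a 7x24 weekday-hour histogram plus per-country counts for each sample hash from constructed honeypot download log lines, groups hashes with a greedy cosine-similarity clustering chosen only for illustration (the paper's actual clustering method is not described on this page), and scores each cluster against constructed reference family labels using per-cluster precision (|C∩F|/|C|) and recall (|C∩F|/|F|). The log format, country list, similarity threshold and family labels are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample download log (not IIJ MITF data): timestamp, source country, sample hash.
SAMPLE_LOG = """\
2012-03-05T02:10:00 CN h1
2012-03-05T02:40:00 CN h1
2012-03-12T03:05:00 VN h1
2012-03-05T02:20:00 CN h2
2012-03-12T03:30:00 VN h2
2012-03-10T14:00:00 US h3
2012-03-10T14:30:00 BR h4
2012-03-05T02:50:00 CN h5"""
COUNTRIES = ["CN", "VN", "US", "BR"]  # assumed; the paper clusters a Top-20 country set
REF_LABELS = {"h1": "Conficker.B", "h2": "Conficker.B", "h3": "Conficker.C",  # constructed
              "h4": "Conficker.C", "h5": "Other"}                           # family labels

def features(log_text):
    """Per hash: 7x24 weekday-hour download counts, then per-country counts."""
    vecs = defaultdict(lambda: [0.0] * (7 * 24 + len(COUNTRIES)))
    for line in log_text.splitlines():
        ts, cc, h = line.split()
        t = datetime.fromisoformat(ts)
        vecs[h][t.weekday() * 24 + t.hour] += 1     # temporal part (weekday, hour)
        vecs[h][7 * 24 + COUNTRIES.index(cc)] += 1  # spatial part (country)
    return dict(vecs)

def cosine(a, b):
    return sum(x * y for x, y in zip(a, b)) / (sum(x * x for x in a) * sum(y * y for y in b)) ** 0.5

def cluster(vecs, threshold=0.8):
    """Greedy leader clustering, chosen only for illustration (not the paper's method)."""
    clusters = []
    for h, v in vecs.items():
        for c in clusters:
            if cosine(vecs[c[0]], v) >= threshold:  # join first cluster whose leader matches
                c.append(h)
                break
        else:
            clusters.append([h])  # no match: this hash leads a new cluster
    return clusters

def precision_recall(clusters, ref):
    """Per cluster C and its dominant family F: (F, |C∩F|/|C|, |C∩F|/|F|)."""
    out = {}
    for c in clusters:
        fam = max(set(ref[h] for h in c), key=lambda f: sum(ref[h] == f for h in c))
        hit = sum(ref[h] == fam for h in c)
        out[tuple(c)] = (fam, hit / len(c), hit / list(ref.values()).count(fam))
    return out
```

With the constructed data, h1, h2 and h5 share the Monday early-morning CN/VN profile and form one cluster whose precision drops to 2/3 because h5 carries a different label, while the two Conficker.C samples land in separate clusters and each scores recall 0.5.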



References

  1. Symantec: Internet Security Threat Report, vol. 20, p. 119 (2015)

  2. Singh, N., Khurmi, S.S.: Malware analysis, clustering and classification: a literature review. Int. J. Comput. Sci. Technol. 6(1), 68–72 (2015)

  3. Gandotra, E., Bansal, D., Sofat, S.: Malware analysis and classification: a survey. J. Inf. Secur. 5(2), 56–64 (2014). doi:10.4236/jis.2014.52006

  4. McAfee: A Look at One Day of Malware Samples, http://blogs.mcafee.com/mcafee-labs/a-look-at-one-day-of-malware-samples (2011). Accessed Feb 2014

  5. Perdisci, R., Lee, W., Feamster, N.: Behavioral clustering of HTTP-based malware and signature generation using malicious network traces. In: NSDI'10 Proceedings of the 7th USENIX Conference on Networked Systems Design and Implementation, p. 14 (2010)

  6. Pouget, F., Dacier, M., Zimmerman, J., Clark, A., Mohay, G.: Internet attack knowledge discovery via clusters and cliques of attack traces. J. Inf. Assur. Secur. 1, 21–32 (2006)

  7. Wicherski, G.: peHash: a novel approach to fast malware clustering. In: LEET'09 Proceedings of the 2nd USENIX Conference on Large-scale Exploits and Emergent Threats: Botnets, Spyware, Worms, and More, p. 8 (2009)

  8. Apel, M., Bockermann, C., Meier, M.: Measuring similarity of malware behavior. In: The 5th LCN Workshop on Security in Communications Networks (SICK 2009), pp. 891–898 (2009)

  9. Bayer, U., Comparetti, P.M., Hlauschek, C., Kruegel, C., Kirda, E.: Scalable, behavior-based malware clustering. In: Proceedings of the 16th Annual Network and Distributed System Security Symposium (NDSS 2009), p. 18 (2009)

  10. Lu, W., Rammidi, G., Ghorbani, A.A.: Clustering botnet communication traffic based on n-gram feature selection. Comput. Commun. 34(3), 502–514 (2011). doi:10.1016/j.comcom.2010.04.007

  11. Choi, H., Lee, H.: Identifying botnets by capturing group activities in DNS traffic. Comput. Netw. 56(1), 20–33 (2012). doi:10.1016/j.comnet.2011.07.018

  12. Chandramohan, M., Tan, H.B.K., Shar, L.K.: Scalable malware clustering through coarse-grained behavior modeling. In: FSE'12 Proceedings of the ACM SIGSOFT 20th International Symposium on the Foundations of Software Engineering, p. 4 (2012)

  13. Rafique, M.Z., Caballero, J.: FIRMA: malware clustering and network signature generation with mixed network behaviors. In: Proceedings of the 16th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2013), pp. 144–163 (2013)

  14. Barthakur, P., Dahal, M., Ghose, M.K.: Clusibothealer: botnet detection through similarity analysis of clusters. J. Adv. Comput. Netw. 3(1), 49–55 (2015). doi:10.7763/JACN.2015.V3.141

  15. Bailey, M., Oberheide, J., Andersen, J., Mao, Z.M., Jahanian, F., Nazario, J.: Automated classification and analysis of Internet malware. In: Proceedings of RAID (2007)

  16. Perdisci, R., Vamo, M.U.: Towards a fully automated malware clustering validity analysis. In: Annual Computer Security Applications Conference, pp. 329–338 (2012)

  17. Yukonhiatou, C., Kittitornkun, S., Kikuchi, H., Sisaat, K., Terada, M., Ishii, H.: Clustering top 10 malware/bots based on temporal behavior. In: International Conference on Information Technology and Electrical Engineering, pp. 62–67 (2013)

  18. Hu, X., Bhatkar, S., Griffin, K., Shin, K.G.: MutantX-S: scalable malware clustering based on static features. In: 2013 USENIX Annual Technical Conference (USENIX ATC'13), pp. 187–198 (2013)

  19. Biggio, B., Rieck, K., Ariu, D., Wressnegger, C., Corona, I., Giacinto, G., Roli, F.: Poisoning behavioral malware clustering. In: AISec'14 Proceedings of the 2014 Workshop on Artificial Intelligent and Security, pp. 27–36 (2014). doi:10.1145/2666652.2666666

  20. Thomas, M., Mohaisen, A.: Kindred domains: detecting and clustering botnet domains using DNS traffic. In: WWW'14 Companion Proceedings of the 23rd International Conference on World Wide Web, pp. 707–712 (2014). doi:10.1145/2567948.2579359

  21. Narra, U., Troia, F.D., Corrado, V.A., Austin, T.H., Stamp, M.: Clustering versus SVM for malware detection. J. Comput. Virol. Hacking Tech. (2015). doi:10.1007/s11416-015-0253-z

  22. Rajab, M.A., Zarfoss, J., Monrose, F., Terzis, A.: A multifaceted approach to understanding the botnet phenomenon. In: Proceedings of the 6th ACM SIGCOMM Conference on Internet Measurement, p. 12 (2006)

  23. Trend Micro: Taxonomy of Botnet Threats. A Trend Micro White Paper, 15 pages (November 2006)

  24. Wang, P., Sparks, S., Zou, C.C.: An advanced hybrid peer-to-peer botnet. IEEE Trans. Dependable Secure Comput. 7(2), 113–127 (2010). doi:10.1109/TDSC.2008.35

  25. Rossow, C., Andriesse, D., Werner, T., Stone-Gross, B., Plohmann, D., Dietrich, C.J., Bos, H.: SoK: P2PWNED, modeling and evaluating the resilience of peer-to-peer botnets. In: IEEE Symposium on Security and Privacy, pp. 97–111 (2013)

  26. Grizzard, J.B., Sharma, V., Nunnery, C., Kang, B.B., Dagon, D.: Peer-to-peer botnets: overview and case study. In: Proceedings of the First Workshop on Hot Topics in Understanding Botnets, p. 8 (2007)

  27. Gu, G., Perdisci, R., Zhang, J., Lee, W.: BotMiner: clustering analysis of network traffic for protocol- and structure-independent botnet detection. In: Proceedings of the 17th USENIX Security Symposium, pp. 139–154 (2008)

  28. Internet Initiative Japan Inc.: Malware Investigation Task Force, https://sect.iij.ad.jp/en/mitf.html. Accessed Jan 2014

  29. IIJ: Internet Infrastructure Review, vol. 5 (2011)

  30. MWS: Anti Malware Engineering Workshop 2012 (MWS-2012), http://www.iwsec.org/mws/2012/about.html (2012). Accessed Apr 2014

  31. Pouget, F., Dacier, M.: Honeypot-based forensics. In: Proceedings of the AusCERT Asia Pacific Information Technology Security Conference 2004 (AusCERT2004) (2004)

  32. Hatada, M., Nakatsuru, Y., Akiyama, M., Miwa, S.: Datasets for anti-malware research: MWS 2010 datasets. IPSJ Malware Workshop (MWS 2010), pp. 1–5 (2010)

  33. Hatada, M., Nakatsuru, Y., Akiyama, M.: Datasets for anti-malware research: MWS 2011 datasets. IPSJ Malware Workshop (MWS 2011), pp. 1–5 (2011)

  34. Dagon, D., Zou, C., Lee, W.: Modeling botnet propagation using time zones. In: Proceedings of the 13th Network and Distributed System Security Symposium (NDSS), p. 15 (2006)

  35. Sisaat, K., Kikuchi, H., Matsuo, S., Terada, M., Fujiwara, M., Kittitornkun, S.: Time zone correlation analysis of malware/bot downloads. IEICE Trans. Commun. E96-B(7), 1753–1763 (2013). doi:10.1587/transcom.E96.B.1753

  36. Mezzour, G., Carley, L.R., Carley, K.M.: Global mapping of cyber attacks. Technical Report CMU-ISR-14-111, p. 32 (2014)

  37. Asghari, H., Ciere, M., van Eeten, M.J.: Post-mortem of a zombie: Conficker cleanup after six years. In: 24th USENIX Security Symposium (USENIX Security 15), pp. 1–16 (2015)

  38. MaxMind: GeoIP Databases, http://www.maxmind.com/en/city?pkit_lang=en. Accessed Jan 2014

  39. VirusTotal, http://www.virustotal.com/. Accessed Mar 2014

  40. Bach Seat: Conficker Worm - Still Alive, http://rbach.net/blog/index.php/conficker-worm-still-alive/ (2014). Accessed Oct 2015

  41. F-Secure: Threat Report H1 2014, https://www.f-secure.com/documents/996508/1030743/Threat_Report_H1_2014.pdf (2014). Accessed Oct 2015

  42. Shin, S., Gu, G., Reddy, N., Lee, C.P.: A large-scale empirical study of Conficker. IEEE Trans. Inf. Forensics Secur. 7(2), 676–690 (2012). doi:10.1109/TIFS.2011.2173486

  43. Moura, G.C.M., Lone, Q., Asghari, H., van Eeten, M.J.: Evaluating the impact of AbuseHUB on botnet mitigation: interim deliverable 1.0. Master's thesis, Delft University of Technology (2015)

  44. M3AAWG: Anti-Phishing Best Practices for ISPs and Mailbox Providers, Version 2.01 (2015)

  45. Tripwire: SOHO Wireless Router (In)security (2014)


Acknowledgments

This research is supported by JICA (Japan International Cooperation Agency) AUN/SEED-Net (ASEAN University Network/Southeast Asia Engineering Education Development-Network) under Collaborative Research (CR) Grant 2012-2013.

Author information

Corresponding author: Khamphao Sisaat.


About this article


Cite this article

Sisaat, K., Kittitornkun, S., Kikuchi, H. et al. A Spatio-Temporal malware and country clustering algorithm: 2012 IIJ MITF case study. Int. J. Inf. Secur. 16, 459–473 (2017). https://doi.org/10.1007/s10207-016-0342-0


  • DOI: https://doi.org/10.1007/s10207-016-0342-0
