Abstract
Botnet malware on compromised personal computers (zombies) can download a huge number of further malware variants as secondary injections and upgrades, as directed by their botmasters, in order to carry out different distributed or coordinated cyber attacks such as phishing, spam e-mail, malicious Web sites, ransomware and DDoS. To respond faster to new threats and to understand botnet activities better, grouping such malware by its malicious behavior has become extremely important. This paper presents a Spatio-Temporal malware clustering algorithm based on weekly-hourly-country features of the observed downloads. The dataset contains more than 32 million malware download logs collected from 2011 to 2012 by 100 honeypots set up by the Malware Investigation Task Force (MITF) of Internet Initiative Japan Inc. (IIJ). The Top-20 malware clustering results turn out to correspond to Conficker.B and Conficker.C with relatively high precision and recall rates: up to 100.0 and 88.9 % for Conficker.B, and 91.7 and 100.0 % for Conficker.C, respectively. In addition, the two clusters obtained for the Top-20 countries are comparable to the high- and low-growth-rate groups reported in 2015 by Asghari et al.; against that grouping, the approach is validated and evaluated to yield precision and recall of up to 75.0 and 86.7 %, respectively.
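The abstract describes clustering malware samples on weekly-hourly-country download features and scoring the resulting clusters by precision and recall against known families. The following Python is an added, self-contained illustration of that workflow; it is not the authors' algorithm or code, and the page does not state which clustering method or distance the paper uses. It parses constructed download-log lines (format, honeypot names and sample ids are assumed), builds a per-sample vector from a normalised 168-bin weekday-hour histogram plus a normalised source-country histogram over an assumed country vocabulary, links samples by single-linkage on cosine similarity at an assumed threshold of 0.5, and reports precision and recall of each cluster against constructed family labels.

```python
"""Spatio-temporal (weekday, hour, source country) feature vectors for malware
download logs, single-linkage clustering on cosine similarity, and per-cluster
precision/recall against family labels.

Added example for illustration only; the log format, country vocabulary,
similarity threshold and family labels are assumptions, not the paper's.
"""
from collections import Counter, defaultdict
from datetime import datetime
import math

# Assumed fixed country vocabulary; downloads from other countries are ignored.
COUNTRIES = ["JP", "CN", "US", "BR", "RU"]
WEEK_HOURS = 7 * 24  # one bin per (weekday, hour) pair

# Constructed download log: timestamp,honeypot,source_country,malware_id
SAMPLE_LOG = """\
2012-03-05T09:10:00Z,hp01,JP,m1
2012-03-05T10:05:00Z,hp01,JP,m1
2012-03-06T09:30:00Z,hp02,CN,m1
2012-03-05T09:10:00Z,hp03,JP,m2
2012-03-05T10:05:00Z,hp03,JP,m2
2012-03-06T09:30:00Z,hp04,CN,m2
2012-03-05T09:00:00Z,hp01,JP,m3
2012-03-06T09:45:00Z,hp02,CN,m3
2012-03-05T09:50:00Z,hp05,JP,m3
2012-03-10T21:00:00Z,hp06,US,m4
2012-03-11T22:10:00Z,hp06,BR,m4
2012-03-10T21:40:00Z,hp07,US,m4
2012-03-10T21:15:00Z,hp08,US,m5
2012-03-11T22:30:00Z,hp08,BR,m5
2012-03-07T03:00:00Z,hp09,RU,m6
2012-03-05T09:20:00Z,hp10,JP,m7
"""

# Constructed ground-truth family labels (e.g. from an AV scan) for evaluation.
LABELS = {"m1": "Conficker.B", "m2": "Conficker.B", "m3": "Conficker.B",
          "m4": "Conficker.C", "m5": "Conficker.C", "m6": "unknown", "m7": "unknown"}


def parse_log(text):
    """Return (datetime, honeypot, country, malware_id) tuples from CSV lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, hp, cc, mid = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), hp, cc, mid))
    return events


def feature_vectors(events):
    """Per malware id: normalised 168-bin weekday-hour histogram followed by a
    normalised country histogram (each part divided by the sample's event count)."""
    time_bins, cc_bins, counts = defaultdict(Counter), defaultdict(Counter), Counter()
    for dt, _hp, cc, mid in events:
        time_bins[mid][dt.weekday() * 24 + dt.hour] += 1
        cc_bins[mid][cc] += 1
        counts[mid] += 1
    vecs = {}
    for mid, n in counts.items():
        t = [time_bins[mid][b] / n for b in range(WEEK_HOURS)]
        c = [cc_bins[mid][cc] / n for cc in COUNTRIES]
        vecs[mid] = t + c
    return vecs


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    na, nb = math.sqrt(sum(x * x for x in a)), math.sqrt(sum(x * x for x in b))
    return dot / (na * nb) if na and nb else 0.0


def cluster(vecs, threshold=0.5):
    """Single linkage: link two samples whose cosine similarity reaches the
    threshold; return the connected components as sorted lists of ids."""
    ids = sorted(vecs)
    parent = {i: i for i in ids}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            if cosine(vecs[a], vecs[b]) >= threshold:
                parent[find(a)] = find(b)
    groups = defaultdict(list)
    for i in ids:
        groups[find(i)].append(i)
    return sorted(groups.values())


def precision_recall(members, labels, family):
    """Precision: share of the cluster belonging to `family`;
    recall: share of `family` captured by the cluster."""
    family_set = {m for m, lab in labels.items() if lab == family}
    hit = len(set(members) & family_set)
    return hit / len(members), hit / len(family_set)


def evaluate(clusters, labels):
    """Score every cluster against its majority family label."""
    report = []
    for members in clusters:
        family = Counter(labels[m] for m in members).most_common(1)[0][0]
        p, r = precision_recall(members, labels, family)
        report.append((members, family, p, r))
    return report


if __name__ == "__main__":
    found = cluster(feature_vectors(parse_log(SAMPLE_LOG)))
    for members, family, p, r in evaluate(found, LABELS):
        print(f"{members}: {family} precision={p:.3f} recall={r:.3f}")
```

With the constructed log, the weekday-morning JP/CN samples (m1, m2, m3) and the unlabelled look-alike m7 fall into one cluster, the weekend-evening US/BR samples (m4, m5) into a second, and the lone Wednesday-03:00 RU download m6 stays a singleton; the first cluster therefore scores 0.75 precision and 1.0 recall for its majority family. Samples with identical time and country profiles but different hashes are indistinguishable to this feature set, which is exactly the property that lets upgraded or re-packed variants of one family cluster together.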
References
Symantec, Internet Security Threat Report, vol. 20, p. 119 (2015)
Singh, N., Khurmi, S.S.: Malware analysis, clustering and classification: a literature review. Int. J. Comput. Sci. Technol. 6(1), 68–72 (2015)
Gandotra, E., Bansal, D., Sofat, S.: Malware analysis and classification: a survey. J. Inf. Secur. 5(2), 56–64 (2014). doi:10.4236/jis.2014.52006
McAfee: A Look at One Day of Malware Samples (2011). http://blogs.mcafee.com/mcafee-labs/a-look-at-one-day-of-malware-samples. Accessed Feb 2014
Perdisci, R., Lee, W., Feamster, N.: Behavioral clustering of HTTP-based malware and signature generation using malicious network traces. In: NSDI’10 Proceedings of the 7th USENIX Conference on Networked Systems Design and Implementation, p. 14 (2010)
Pouget, F., Dacier, M., Zimmerman, J., Clark, A., Mohay, G.: Internet attack knowledge discovery via clusters and cliques of attack traces. J. Inf. Assur. Secur. 1, 21–32 (2006)
Wicherski, G.: peHash: A novel approach to fast malware clustering. In: LEET’09 Proceedings of the 2nd USENIX Conference on Large-scale Exploits and Emergent Threats: Botnets, Spyware, Worms, and More, p. 8 (2009)
Apel, M., Bockermann, C., Meier, M.: Measuring similarity of malware behavior. In: The 5th LCN Workshop on Security in Communications Networks (SICK 2009), pp. 891–898 (2009)
Bayer, U., Comparetti, P. M., Hlauschek, C., Kruegel, C., Kirda, E.: Scalable, behavior-based malware clustering. In: Proceedings of the 16th Annual Network and Distributed System Security Symposium (NDSS 2009), p. 18 (2009)
Lu, W., Rammidi, G., Ghorbani, A.A.: Clustering botnet communication traffic based on n-gram feature selection. Comput. Commun. 34(3), 502–514 (2011). doi:10.1016/j.comcom.2010.04.007
Choi, H., Lee, H.: Identifying botnets by capturing group activities in DNS traffic. Comput. Netw. 56(1), 20–33 (2012). doi:10.1016/j.comnet.2011.07.018
Chandramohan, M., Tan, H.B.K., Shar, L.K.: Scalable malware clustering through coarse-grained behavior modeling. In: FSE’12 Proceedings of the ACM SIGSOFT 20th International Symposium on the Foundations of Software Engineering, p. 4 (2012)
Rafique, M.Z., Caballero, J.: FIRMA: malware clustering and network signature generation with mixed network behaviors. In: Proceedings of the 16th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2013), pp. 144–163 (2013)
Barthakur, P., Dahal, M., Ghose, M.K.: Clusibothealer: botnet detection through similarity analysis of clusters. J. Adv. Comput. Netw. 3(1), 49–55 (2015). doi:10.7763/JACN.2015.V3.141
Bailey, M., Oberheide, J., Andersen, J., Mao, Z. M., Jahanian, F., Nazario, J.: Automated classification and analysis of internet malware. In: Proceedings of RAID (2007)
Perdisci, R., Vamo, M.U.: Towards a fully automated malware clustering validity analysis. In: Annual Computer Security Applications Conference, pp. 329–338 (2012)
Yukonhiatou, C., Kittitornkun, S., Kikuchi, H., Sisaat, K., Terada, M., Ishii, H.: Clustering top 10 malware/bots based on temporal behavior. In: International Conference on Information Technology and Electrical Engineering, pp. 62–67 (2013)
Hu, X., Bhatkar, S., Griffin, K., Shin, K.G.: MutantX-S: Scalable malware clustering based on static features. In: 2013 USENIX Annual Technical Conference (USENIX ATC’13), pp. 187–198 (2013)
Biggio, B., Rieck, K., Ariu, D., Wressnegger, C., Corona, I., Giacinto, G., Roli, F.: Poisoning behavioral malware clustering. In: AISec’14 Proceedings of the 2014 ACM Workshop on Artificial Intelligence and Security, pp. 27–36 (2014). doi:10.1145/2666652.2666666
Thomas, M., Mohaisen, A.: Kindred domains: detecting and clustering botnet domains using DNS traffic. In: WWW’14 Companion Proceedings of the 23rd International Conference on World Wide Web, pp. 707–712 (2014). doi:10.1145/2567948.2579359
Narra, U., Troia, F.D., Corrado, V.A., Austin, T.H., Stamp, M.: Clustering versus SVM for malware detection. J. Comput. Virol. Hacking Tech. (2015). doi:10.1007/s11416-015-0253-z
Rajab, M.A., Zarfoss, J., Monrose, F., Terzis, A.: A multifaceted approach to understanding the botnet phenomenon. In: Proceedings of the 6th ACM SIGCOMM Conference on Internet Measurement, p. 12 (2006)
Trend Micro: Taxonomy of Botnet Threats. Trend Micro White Paper, 15 pp. (November 2006)
Wang, P., Sparks, S., Zou, C.C.: An advanced hybrid peer-to-peer botnet. IEEE Trans. Dependable Secure Comput. 7(2), 113–127 (2010). doi:10.1109/TDSC.2008.35
Rossow, C., Andriesse, D., Werner, T., Stone-Gross, B., Plohmann, D., Dietrich, C.J., Bos, H.: SoK: P2PWNED—modeling and evaluating the resilience of peer-to-peer botnets. In: IEEE Symposium on Security and Privacy, pp. 97–111 (2013)
Grizzard, J.B., Sharma, V., Nunnery, C., Kang, B.B., Dagon, D.: Peer-to-peer botnets: Overview and case study. In: Proceedings of the First Workshop on Hot Topics in Understanding Botnets, p. 8 (2007)
Gu, G., Perdisci, R., Zhang, J., Lee, W.: BotMiner: Clustering analysis of network traffic for protocol- and structure-independent botnet detection. In: Proceedings of the 17th USENIX Security Symposium, pp. 139–154 (2008)
Internet Initiative Japan Inc.: Malware Investigation Task Force. https://sect.iij.ad.jp/en/mitf.html. Accessed Jan 2014
IIJ: Internet Infrastructure Review, vol. 5 (2011)
MWS: Anti Malware Engineering Workshop 2012 (MWS 2012). http://www.iwsec.org/mws/2012/about.html. Accessed Apr 2014
Pouget, F., Dacier, M.: Honeypot-based forensics. In: Proceedings of the AusCERT Asia Pacific Information Technology Security Conference 2004 (AusCERT2004) (2004)
Hatada, M., Nakatsuru, Y., Akiyama, M., Miwa, S.: Datasets for anti-malware research—MWS 2010 datasets. In: IPSJ Malware Workshop (MWS 2010), pp. 1–5 (2010)
Hatada, M., Nakatsuru, Y., Akiyama, M.: Datasets for anti-malware research—MWS 2011 datasets. In: IPSJ Malware Workshop (MWS 2011), pp. 1–5 (2011)
Dagon, D., Zou, C., Lee, W.: Modeling botnet propagation using time zones. In: Proceedings of the 13th Network and Distributed System Security Symposium (NDSS 2006), p. 15 (2006)
Sisaat, K., Kikuchi, H., Matsuo, S., Terada, M., Fujiwara, M., Kittitornkun, S.: Time zone correlation analysis of malware/bot downloads. IEICE Trans. Commun. E96-B(7), 1753–1763 (2013). doi:10.1587/transcom.E96.B.1753
Mezzour, G., Carley, L.R., Carley, K.M.: Global mapping of cyber attacks. Technical Report CMU-ISR-14-111, Carnegie Mellon University, 32 pp. (2014)
Asghari, H., Ciere, M., van Eeten, M.J.: Post-mortem of a zombie: Conficker cleanup after six years. In: 24th USENIX Security Symposium (USENIX Security 15), pp. 1–16 (2015)
MaxMind: GeoIP Databases. http://www.maxmind.com/en/city?pkit_lang=en. Accessed Jan 2014
VirusTotal. http://www.virustotal.com/. Accessed Mar 2014
Bach Seat: Conficker Worm - Still Alive (2014). http://rbach.net/blog/index.php/conficker-worm-still-alive/. Accessed Oct 2015
F-Secure: Threat Report H1 2014 (2014). https://www.f-secure.com/documents/996508/1030743/Threat_Report_H1_2014.pdf. Accessed Oct 2015
Shin, S., Gu, G., Reddy, N., Lee, C.P.: A large-scale empirical study of Conficker. IEEE Trans. Inf. Forensics Secur. 7(2), 676–690 (2012). doi:10.1109/TIFS.2011.2173486
Moura, G.C.M., Lone, Q., Asghari, H., van Eeten, M.J.: Evaluating the impact of AbuseHUB on botnet mitigation, interim deliverable 1.0. Master’s thesis, Delft University of Technology (2015)
M3AAWG: Anti-Phishing Best Practices for ISPs and Mailbox Providers, Version 2.01 (2015)
Tripwire: SOHO Wireless Router (In)security (2014)
Acknowledgments
This research is supported by JICA (Japan International Cooperation Agency) AUN/SEED-Net (ASEAN University Network/Southeast Asia Engineering Education Development-Network) under Collaborative Research (CR) Grant 2012-2013.
Cite this article
Sisaat, K., Kittitornkun, S., Kikuchi, H. et al. A Spatio-Temporal malware and country clustering algorithm: 2012 IIJ MITF case study. Int. J. Inf. Secur. 16, 459–473 (2017). https://doi.org/10.1007/s10207-016-0342-0