DOI: 10.1145/2851613.2851802
Research article, ACM SAC conference proceedings

MalFlow: identification of C&C servers through host-based data flow profiling

Published: 04 April 2016

Abstract

Modern malware interacts with multiple internet domains for various reasons: communication with command and control (C&C) servers, boosting click counts on online ads, or performing denial of service attacks, among others. The identification of malign domains is thus necessary to prevent (and react to) incidents. Since malware creators constantly generate new domains to avoid detection, maintaining up-to-date lists of malign domains is challenging. We propose an approach that automatically estimates the risk associated with communicating with a domain based on the data flow behavior of the process communicating with it. Our approach uses unsupervised learning on data flow profiles, which capture the communication of processes with network endpoints at the system call level, to distinguish between likely malign and likely benign behavior. Our evaluation on a large and diverse data set indicates high detection accuracy and a reasonable performance overhead. We further discuss how this concept can be used in an operational setting for fine-grained enforcement of risk-based incident response actions.


Cited By

  • (2019) An Analysis of Botnet Models. Proceedings of the 2019 3rd International Conference on Compute and Data Analysis, pp. 116-121. DOI: 10.1145/3314545.3314562. Online publication date: 14 March 2019.
  • (2016) Detecting Peer-to-Peer Botnets in SCADA Systems. 2016 IEEE Globecom Workshops (GC Wkshps), pp. 1-6. DOI: 10.1109/GLOCOMW.2016.7848877. Online publication date: December 2016.

Published In

SAC '16: Proceedings of the 31st Annual ACM Symposium on Applied Computing
April 2016
2360 pages
ISBN: 9781450337397
DOI: 10.1145/2851613

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

1. command and control server
2. data flow analysis
3. malware


Conference

SAC 2016: Symposium on Applied Computing
April 4 - 8, 2016
Pisa, Italy

Acceptance Rates

SAC '16 paper acceptance rate: 252 of 1,047 submissions, 24%
Overall acceptance rate: 1,650 of 6,669 submissions, 25%
