ABSTRACT
Modern malware interacts with multiple internet domains for various reasons: communication with command and control (C&C) servers, boosting click counts on online ads or performing denial of service attacks, among others. The identification of malign domains is thus necessary to prevent (and react to) incidents. Since malware creators constantly generate new domains to avoid detection, maintaining up-to-date lists of malign domains is challenging. We propose an approach that automatically estimates the risk associated with communicating with a domain based on the data flow behavior of a process communicating with it. Our approach uses unsupervised learning on data flow profiles that capture communication of processes with network endpoints at system call level to distinguish between likely malign or benign behavior. Our evaluations on a large and diverse data set indicate a high detection accuracy and a reasonable performance overhead. We further discuss how this concept can be used in an operational setting for fine-grained enforcement of risk-based incident response actions.
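The abstract describes the pipeline only at a high level: syscall-level events are aggregated into per-process data flow profiles per network endpoint, the profiles are clustered without labels, and each endpoint receives a risk estimate. The following Python sketch is an added illustration of that idea; it is not the MalFlow authors' code, and its event format, feature set, clustering routine and risk formula are all simplifying assumptions chosen for the example (the trace and the benign seed set are constructed):

```python
"""Risk-scoring of network endpoints from per-process data flow profiles.

Added illustration, not the MalFlow implementation. Assumptions: syscall-level
events are already reduced to constructed records (process, syscall, endpoint,
bytes); one profile aggregates one process's traffic with one endpoint; the
four features, the 2-means clustering and the risk formula are stand-ins.
"""
import math
from collections import defaultdict

# Constructed trace: (process, syscall, resolved endpoint, bytes moved).
TRACE = (
    [("browser.exe", "sendto", "news.example", 400)] * 2
    + [("browser.exe", "recvfrom", "news.example", 10400)] * 5
    + [("updater.exe", "sendto", "updates.example", 300)]
    + [("updater.exe", "recvfrom", "updates.example", 20000)] * 4
    + [("mailer.exe", "sendto", "mail.example", 3000)] * 3
    + [("mailer.exe", "recvfrom", "mail.example", 4000)] * 3
    + [("dropper.exe", "sendto", "cc-host.example", 200)] * 50
    + [("dropper.exe", "recvfrom", "cc-host.example", 40)] * 10
    + [("svc.exe", "sendto", "beacon.example", 64)] * 30
    + [("svc.exe", "recvfrom", "beacon.example", 16)] * 30
)

# Profiles seen in a clean baseline run (assumed known-benign seeds); they only
# decide which cluster is the benign reference, the clustering itself is unsupervised.
BENIGN_SEEDS = {("browser.exe", "news.example"), ("updater.exe", "updates.example")}


def build_profiles(trace):
    """Aggregate syscall records into per-(process, endpoint) flow counters."""
    acc = defaultdict(lambda: {"out": 0, "in": 0, "n_send": 0, "n_recv": 0})
    for proc, call, endpoint, nbytes in trace:
        p = acc[(proc, endpoint)]
        if call == "sendto":
            p["out"] += nbytes
            p["n_send"] += 1
        elif call == "recvfrom":
            p["in"] += nbytes
            p["n_recv"] += 1
    return dict(acc)


def features(p):
    """Quantitative data flow features (simplified stand-ins for the paper's)."""
    return [
        p["out"] / (p["out"] + p["in"]),  # share of bytes leaving the host
        p["n_send"],                      # number of outbound syscalls
        p["out"] / max(p["n_send"], 1),   # mean outbound message size
        p["in"] / max(p["n_recv"], 1),    # mean inbound message size
    ]


def minmax(rows):
    """Scale every feature column into [0, 1] so no unit dominates the distance."""
    cols = list(zip(*rows))
    lo = [min(c) for c in cols]
    rng = [(max(c) - min(c)) or 1.0 for c in cols]
    return [[(v - l) / r for v, l, r in zip(row, lo, rng)] for row in rows]


def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans2(points):
    """Two-cluster k-means with deterministic farthest-pair initialisation."""
    pairs = [(i, j) for i in range(len(points)) for j in range(i + 1, len(points))]
    i, j = max(pairs, key=lambda ij: dist(points[ij[0]], points[ij[1]]))
    centroids = [list(points[i]), list(points[j])]
    assign = None
    while True:
        new = [min((0, 1), key=lambda c: dist(pt, centroids[c])) for pt in points]
        if new == assign:              # assignments stable: converged
            return centroids, assign
        assign = new
        for c in (0, 1):
            members = [pt for pt, a in zip(points, assign) if a == c]
            if members:                # keep the old centroid if a cluster empties
                centroids[c] = [sum(col) / len(members) for col in zip(*members)]


def score_endpoints(trace, benign_seeds):
    """Return {endpoint: risk in [0, 1]}, the relative closeness to the non-benign centroid."""
    profiles = build_profiles(trace)
    keys = sorted(profiles)
    points = minmax([features(profiles[k]) for k in keys])
    centroids, assign = kmeans2(points)
    # The cluster holding most known-benign seed profiles is the benign reference.
    votes = [sum(1 for k, a in zip(keys, assign) if a == c and k in benign_seeds) for c in (0, 1)]
    benign_c = 0 if votes[0] >= votes[1] else 1
    risk = {}
    for k, pt in zip(keys, points):
        d_b = dist(pt, centroids[benign_c])
        d_m = dist(pt, centroids[1 - benign_c])
        risk[k[1]] = d_b / (d_b + d_m) if d_b + d_m else 0.0
    return risk


if __name__ == "__main__":
    for endpoint, r in sorted(score_endpoints(TRACE, BENIGN_SEEDS).items(), key=lambda kv: -kv[1]):
        print(f"{endpoint:20s} risk={r:.2f}")
```

On the constructed trace the chatty, outbound-heavy profiles (many small sends, almost nothing received) land in one cluster and the download-heavy browser, updater and mail profiles in the other, so the C&C-like endpoints get a risk well above 0.5 and the benign ones well below. The score, not a hard label, is what an operational policy would consume: it allows graded responses (log, throttle, block) per endpoint rather than a single blocklist decision.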
Paper title: MalFlow: identification of C&C servers through host-based data flow profiling