Segugio: Efficient Behavior-Based Tracking of Malware-Control Domains in Large ISP Networks

Authors: Babak Rahbarinia, Roberto Perdisci, Manos Antonakakis

DOI: 10.1109/DSN.2015.35

Keywords: Reputation system, Domain (software engineering), False positive paradox, Malware, Server, Computer network, Graph theory, Blacklist, Computer science, Graph (abstract data type)

Abstract: In this paper, we propose Segugio, a novel defense system that allows for efficiently tracking the occurrence of new malware-control domain names in very large ISP networks. Segugio passively monitors DNS traffic to build a machine-domain bipartite graph representing who is querying what. After labelling the nodes whose query behavior is known to be either benign or malware-related, the approach accurately detects previously unknown malware-control domains. We implemented a proof-of-concept version of Segugio and deployed it in ISP networks that serve millions of users. Our experimental results show that Segugio can track new malware-control domains with up to 94% true positives (TPs) at less than 0.1% false positives (FPs). In addition, we provide the following results: (1) Segugio can also detect control domains related to new, previously unseen malware families, with 85% TPs at 0.1% FPs; (2) Segugio's detection models learned on traffic from a given network can be deployed into a different network and still achieve high detection accuracy; (3) new malware-control domains are detected days or even weeks before they appear in a commercial domain name blacklist; and (4) Segugio clearly outperforms Notos, a previously proposed domain name reputation system.
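To make the machine-domain bipartite graph in the abstract concrete, here is an added toy example (not Segugio's code, and not the paper's learned classifier): it builds the graph from a constructed DNS query log, labels machines as infected when they queried a known malware-control domain, and scores each unlabelled domain by the fraction of its querying machines that are infected. The thresholds and the scoring rule are assumptions for illustration only.

```python
"""Toy machine-domain bipartite graph over DNS queries (illustration only).
The scoring heuristic below is an assumption for this example, not the
feature set or classifier used by the Segugio paper."""
from collections import defaultdict

# Constructed DNS query log: (client machine, queried domain). Not real traffic.
QUERY_LOG = [
    ("m1", "update.example-cdn.test"), ("m1", "evil-c2.test"), ("m1", "unknown-a.test"),
    ("m2", "evil-c2.test"), ("m2", "unknown-a.test"),
    ("m3", "update.example-cdn.test"), ("m3", "unknown-b.test"),
    ("m4", "update.example-cdn.test"), ("m4", "unknown-b.test"), ("m4", "unknown-a.test"),
    ("m5", "update.example-cdn.test"),
]
KNOWN_MALWARE = {"evil-c2.test"}            # constructed stand-in for a blacklist entry
KNOWN_BENIGN = {"update.example-cdn.test"}  # constructed stand-in for a whitelist entry


def build_graph(log):
    """Bipartite adjacency: machine -> set(domains) and domain -> set(machines)."""
    m2d, d2m = defaultdict(set), defaultdict(set)
    for machine, domain in log:
        m2d[machine].add(domain)
        d2m[domain].add(machine)
    return m2d, d2m


def label_machines(m2d, malware):
    """A machine is labelled infected if it queried any known malware-control domain."""
    return {m for m, doms in m2d.items() if doms & malware}


def domain_features(domain, d2m, infected):
    """Per-domain features: distinct querying machines, and the infected fraction."""
    machines = d2m[domain]
    n = len(machines)
    return {"n_machines": n, "infected_frac": len(machines & infected) / n}


def score_unknown_domains(log, malware, benign, min_machines=2, threshold=0.5):
    """Score every domain that is neither known-malware nor known-benign."""
    m2d, d2m = build_graph(log)
    infected = label_machines(m2d, malware)
    results = {}
    for domain in d2m:
        if domain in malware or domain in benign:
            continue  # only unlabelled domains need a verdict
        f = domain_features(domain, d2m, infected)
        f["suspicious"] = f["n_machines"] >= min_machines and f["infected_frac"] >= threshold
        results[domain] = f
    return results
```

On the constructed log, unknown-a.test is queried by three machines of which two are infected, so it is flagged, while unknown-b.test is queried only by clean machines and is not.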

References (26)
Danny Bickson, Aapo Kyrola, Carlos Guestrin, Joseph Hellerstein, Yucheng Low, Joseph E. Gonzalez. GraphLab: A New Parallel Framework for Machine Learning. (2010)
Roberto Perdisci, Mustaque Ahamad, Terry Nelms. ExecScent: Mining for New C&C Domains in Live Networks with Adaptive Control Protocol Templates. USENIX Security Symposium, pp. 589-604 (2013)
Roberto Perdisci, David Dagon, Manos Antonakakis, Nick Feamster, Wenke Lee. Building a Dynamic Reputation System for DNS. USENIX Security Symposium, p. 18 (2010)
Mark Felegyhazi, Vern Paxson, Christian Kreibich. On the Potential of Proactive Domain Blacklisting. USENIX Conference on Large-Scale Exploits and Emergent Threats, p. 6 (2010)
Vinod Yegneswaran, Guofei Gu, Wenke Lee, Martin Fong, Phillip Porras. BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation. USENIX Security Symposium, p. 12 (2007)
M. Zubair Rafique, Juan Caballero. FIRMA: Malware Clustering and Network Signature Generation with Mixed Network Behaviors. Recent Advances in Intrusion Detection, pp. 144-163 (2013). DOI: 10.1007/978-3-642-41284-4_8
Nir Friedman, Daniel L. Koller. Probabilistic Graphical Models: Principles and Techniques. The MIT Press (2009)
Christopher Kruegel, Ralf Hund, Thorsten Holz, Gregoire Jacob. JACKSTRAWS: Picking Command and Control Connections from Bot Traffic. USENIX Security Symposium, p. 29 (2011)
Roberto Perdisci, David Dagon, Yacin Nadji, Manos Antonakakis, Nikolaos Vasiloglou, Wenke Lee, Saeed Abu-Nimeh. From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based Malware. USENIX Security Symposium, p. 24 (2012)
Guofei Gu, Wenke Lee, Junjie Zhang. BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic. Network and Distributed System Security Symposium (2008)