ExecScent: mining for new C&C domains in live networks with adaptive control protocol templates

Authors: Roberto Perdisci, Mustaque Ahamad, Terry Nelms

Abstract: In this paper, we present ExecScent, a novel system that aims to mine new, previously unknown C&C domain names from live enterprise network traffic. ExecScent automatically learns control protocol templates (CPTs) from examples of known C&C communications. These CPTs are then adapted to the "background traffic" of the network where they are to be deployed. The goal is to generate hybrid templates that can self-tune to each specific deployment scenario, thus yielding a better trade-off between true and false positives for a given network environment. To the best of our knowledge, ExecScent is the first to use this type of adaptive C&C traffic model. We implemented a prototype version of ExecScent and deployed it in three different large networks for a period of two weeks. During the deployment, ExecScent discovered many new C&C domains and hundreds of new infected machines, compared to using an up-to-date commercial C&C domain blacklist. Furthermore, we deployed the C&C domains mined by ExecScent to six ISP networks, discovering more than 25,000 new infected machines.

References (25)

Brad Karp, Hyang-Ah Kim. Autograph: toward automated, distributed worm signature detection. USENIX Security Symposium, p. 19, 2004.
Roberto Perdisci, David Dagon, Manos Antonakakis, Nick Feamster, Wenke Lee. Building a dynamic reputation system for DNS. USENIX Security Symposium, p. 18, 2010.
M. Zubair Rafique, Juan Caballero. FIRMA: Malware Clustering and Network Signature Generation with Mixed Network Behaviors. Recent Advances in Intrusion Detection (RAID), pp. 144-163, 2013. DOI: 10.1007/978-3-642-41284-4_8
Christopher Kruegel, Ralf Hund, Thorsten Holz, Gregoire Jacob. JACKSTRAWS: picking command and control connections from bot traffic. USENIX Security Symposium, p. 29, 2011.
Roberto Perdisci, David Dagon, Yacin Nadji, Manos Antonakakis, Nikolaos Vasiloglou, Wenke Lee, Saeed Abu-Nimeh. From throw-away traffic to bots: detecting the rise of DGA-based malware. USENIX Security Symposium, p. 24, 2012.
Guofei Gu, Wenke Lee, Junjie Zhang. BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic. Network and Distributed System Security Symposium (NDSS), 2008.
Cristian Estan, George Varghese, Stefan Savage, Sumeet Singh. Automated worm fingerprinting. Operating Systems Design and Implementation (OSDI), p. 4, 2004.
Vern Paxson, Chris Grier, Juan Caballero, Christian Kreibich. Measuring pay-per-install: the commoditization of malware distribution. USENIX Security Symposium, p. 13, 2011.