Discovering Malicious Domains through Passive DNS Data Graph Analysis

Authors: Issa Khalil, Ting Yu, Bei Guan

DOI: 10.1145/2897845.2897877

Keywords:

Abstract: Malicious domains are key components to a variety of cyber attacks. Several recent techniques are proposed to identify malicious domains through analysis of DNS data. The general approach is to build classifiers based on DNS-related local domain features. One potential problem is that many local features, e.g., domain name patterns and temporal patterns, tend to be not robust. Attackers could easily alter these features to evade detection without affecting much their attack capabilities. In this paper, we take a complementary approach. Instead of focusing on local features, we propose to discover and analyze global associations among domains. The key challenges are (1) to build meaningful associations among domains; and (2) to use these associations to reason about the maliciousness of domains. For the first challenge, we take advantage of the modus operandi of attackers. To avoid detection, malicious domains exhibit dynamic behavior by, for example, frequently changing the malicious domain-IP resolutions and creating new domains. This makes it very likely for attackers to reuse resources. It is indeed commonly observed that over a period of time multiple malicious domains are hosted on the same IPs and multiple IPs host the same malicious domains, which creates intrinsic association among them. The second challenge is to develop a graph-based inference technique over associated domains. Our intuition is that a domain having strong associations with known malicious domains is likely to be malicious. Carefully established associations enable the discovery of a large set of new malicious domains using a very small set of previously known malicious ones. Our experiments over a public passive DNS database show that the proposed technique can achieve high true positive rates (over 95%) while maintaining low false positive rates (less than 0.5%). Further, even with a small set of known malicious domains (a couple of hundreds), our technique can discover a large set of potential malicious domains (in the scale of up to tens of thousands).
