A fast and scalable method for threat detection in large-scale DNS logs

Authors: Ron Begleiter, Yuval Elovici, Yona Hollander, Ori Mendelson, Lior Rokach

DOI: 10.1109/BIGDATA.2013.6691646

Keywords:

Abstract: This paper presents a fast and scalable method for detecting threats in large-scale DNS logs. In such logs, queries for “abnormal” domain strings are often correlated with malicious behavior. With our method, a language-model algorithm learns “normal” domain names from a large dataset and then rates the extent of a domain name's “abnormality” within an organization's big data stream. Variable-order Markov Models (VMMs) serve as our underlying algorithmic tool, since their running time is linear in the length of the input sequence while their memory requirements are bounded above by a constant; both are very appealing characteristics. Our experimental study indicates that the proposed method can detect names generated by a genuine Domain Generation Algorithm, as used in Advanced Persistent Threat attack scenarios, with less than 5% false-negative and 1% false-positive rates. This detection performance is similar to that of more computationally intensive methods that are not applicable in such environments.
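To make the abnormality-scoring idea concrete, here is an added illustration (not the authors' code or dataset): a character-level VMM of bounded order, trained on a small constructed list of "normal" second-level labels, that scores each name by its average log-loss in bits per character. The PPM-style escape blending, the `^` start marker, the `max_order` value and the sample names are all assumptions of this example.

```python
import math
from collections import defaultdict

class DomainVMM:
    """Character-level variable-order Markov model (max order D) for scoring
    domain-name 'abnormality'. Memory is bounded by the number of distinct
    contexts of length <= D; training and scoring are linear in input length."""

    def __init__(self, max_order=3):
        self.D = max_order
        self.counts = defaultdict(lambda: defaultdict(int))  # ctx -> next char -> count
        self.alphabet = set()

    def train(self, names):
        for name in names:
            s = "^" + name.lower()          # '^' marks the start of a label
            self.alphabet.update(s)
            for i in range(1, len(s)):
                for k in range(self.D + 1):  # record every context of length 0..D
                    if i - k < 0:
                        break
                    self.counts[s[i - k:i]][s[i]] += 1

    def prob(self, ctx, c):
        # PPM-style blending: use the longest matching context, escape to shorter
        # ones, and fall back to a uniform order -1 distribution over the alphabet.
        p_shorter = 1.0 / len(self.alphabet) if not ctx else self.prob(ctx[1:], c)
        stats = self.counts.get(ctx)
        if not stats:
            return p_shorter
        total = sum(stats.values())
        return (stats.get(c, 0) + p_shorter) / (total + 1)

    def abnormality(self, name):
        """Average log-loss in bits per character; higher means more abnormal."""
        s = "^" + name.lower()
        if len(s) < 2:
            raise ValueError("empty name")
        bits = sum(-math.log2(self.prob(s[max(0, i - self.D):i], s[i]))
                   for i in range(1, len(s)))
        return bits / (len(s) - 1)

# Constructed sample of 'normal' labels; a real deployment would train on DNS logs.
NORMAL = ("google facebook microsoft amazon apple youtube twitter netflix linkedin "
          "dropbox adobe mozilla ubuntu debian akamai cloudflare github wikipedia "
          "office outlook windows update static images mail login cdn example "
          "salesforce paypal spotify reddit yahoo instagram whatsapp zoom slack").split()

def build_model(max_order=3):
    model = DomainVMM(max_order)
    model.train(NORMAL)
    return model

if __name__ == "__main__":
    m = build_model()
    for name in ["dropbox", "slackbot", "xjq7kz2vp9lm"]:
        print(f"{name:16s} {m.abnormality(name):.2f} bits/char")
```

Random-looking DGA-style names score several times higher than names resembling the training data, which is the signal a threshold on this score turns into an alert.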
