Efficient and Accurate Behavior-Based Tracking of Malware-Control Domains in Large ISP Networks

Authors: Babak Rahbarinia, Roberto Perdisci, Manos Antonakakis

DOI: 10.1145/2960409

Keywords:

Abstract: In this article, we propose Segugio, a novel defense system that allows for efficiently tracking the occurrence of new malware-control domain names in very large ISP networks. Segugio passively monitors DNS traffic to build a machine-domain bipartite graph representing who is querying what. After labeling the nodes whose query behavior is known to be either benign or malware-related, we show that our approach can accurately detect previously unknown malware-control domains. We implemented a proof-of-concept version of Segugio and deployed it in large ISP networks that serve millions of users. Our experimental results show that Segugio can track new malware-control domains with up to 94% true positives (TPs) at less than 0.1% false positives (FPs). In addition, we provide the following results: (1) we show that Segugio can also detect control domains related to new, previously unseen malware families, with 85% TPs at less than 0.1% FPs; (2) Segugio's detection models learned on traffic from a given ISP network can be deployed into a different network and still achieve high detection accuracy; (3) new malware-control domains can be detected days or even weeks before they appear in a large commercial domain-name blacklist; (4) Segugio can be used to detect previously unknown malware-infected machines in large ISP networks; and (5) we show that Segugio clearly outperforms domain-reputation systems based on Belief Propagation.
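As an added illustration (not code from the paper or its authors), the Python sketch below builds the machine-domain bipartite graph the abstract describes from a constructed DNS query log, labels as infected every machine that queried a known malware-control domain, and scores each unlabeled domain by the fraction of its querying machines that are infected. The real Segugio pipeline trains a classifier over several graph-derived features on ISP-scale traffic; the single-feature score, the 0.8 threshold, the minimum-machine-count check, and all addresses and domain names here are assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed sample DNS query log: (client machine, queried domain).
# Not real ISP traffic; addresses and domains are invented for this example.
SAMPLE_QUERIES = [
    ("10.0.0.1", "example.com"),
    ("10.0.0.1", "cdn.example.net"),
    ("10.0.0.1", "popular-unknown.test"),
    ("10.0.0.2", "example.com"),
    ("10.0.0.2", "known-bad.test"),
    ("10.0.0.2", "unknown-a.test"),
    ("10.0.0.2", "popular-unknown.test"),
    ("10.0.0.3", "known-bad.test"),
    ("10.0.0.3", "unknown-a.test"),
    ("10.0.0.3", "popular-unknown.test"),
    ("10.0.0.4", "known-bad.test"),
    ("10.0.0.4", "unknown-a.test"),
    ("10.0.0.5", "example.com"),
    ("10.0.0.5", "unknown-b.test"),
    ("10.0.0.5", "popular-unknown.test"),
    ("10.0.0.6", "unknown-b.test"),
    ("10.0.0.6", "popular-unknown.test"),
    ("10.0.0.7", "known-bad.test"),
    ("10.0.0.7", "unknown-c.test"),
]

# Assumed seed knowledge: a small blacklist and whitelist of domains.
KNOWN_MALWARE = {"known-bad.test"}
KNOWN_BENIGN = {"example.com", "cdn.example.net"}


def build_bipartite_graph(queries):
    """Return (machine -> domains, domain -> machines) adjacency sets."""
    machine_to_domains = defaultdict(set)
    domain_to_machines = defaultdict(set)
    for machine, domain in queries:
        machine_to_domains[machine].add(domain)
        domain_to_machines[domain].add(machine)
    return machine_to_domains, domain_to_machines


def label_infected_machines(machine_to_domains, known_malware):
    """A machine counts as infected if it queried any known malware-control domain."""
    return {m for m, domains in machine_to_domains.items() if domains & known_malware}


def score_unknown_domains(domain_to_machines, infected, known_malware, known_benign,
                          min_machines=2):
    """Score each unlabeled domain by the fraction of its querying machines that are
    infected. Domains queried by fewer than min_machines machines are skipped: one
    machine is too little evidence and is an easy source of false positives."""
    scores = {}
    for domain, machines in domain_to_machines.items():
        if domain in known_malware or domain in known_benign:
            continue  # already labeled; nothing to detect
        if len(machines) < min_machines:
            continue  # insufficient evidence, leave unscored
        scores[domain] = len(machines & infected) / len(machines)
    return scores


def detect(queries, known_malware, known_benign, threshold=0.8, min_machines=2):
    """Full pipeline; returns (flagged domains, all scores, infected machines)."""
    m2d, d2m = build_bipartite_graph(queries)
    infected = label_infected_machines(m2d, known_malware)
    scores = score_unknown_domains(d2m, infected, known_malware, known_benign,
                                   min_machines)
    flagged = sorted(d for d, s in scores.items() if s >= threshold)
    return flagged, scores, infected


if __name__ == "__main__":
    flagged, scores, infected = detect(SAMPLE_QUERIES, KNOWN_MALWARE, KNOWN_BENIGN)
    print("infected machines:", sorted(infected))
    for domain, score in sorted(scores.items()):
        print(f"{domain:22s} infected-fraction={score:.2f}")
    print("flagged as malware-control:", flagged)
```

On the constructed log, `unknown-a.test` is flagged because every machine that queried it is already known to be infected, while `popular-unknown.test`, which is queried by more machines, scores only 0.4 because most of its clients are clean. That is why the score is a fraction of infected clients rather than a raw count: a popular benign domain will always be queried by some infected machines. `unknown-c.test` is left unscored because a single querying machine is not enough evidence either way. The 94% TP / 0.1% FP figures in the abstract refer to the full system on real ISP traffic, not to this sketch.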

References (32)
Marc Kührer, Christian Rossow, Thorsten Holz. Paint It Black: Evaluating the Effectiveness of Malware Blacklists. Recent Advances in Intrusion Detection, pp. 1-21 (2014). DOI: 10.1007/978-3-319-11379-1_1
Yucheng Low, Joseph E. Gonzalez, Aapo Kyrola, Danny Bickson, Carlos Guestrin, Joseph Hellerstein. GraphLab: A New Parallel Framework for Machine Learning (2010).
Terry Nelms, Roberto Perdisci, Mustaque Ahamad. ExecScent: Mining for New C&C Domains in Live Networks with Adaptive Control Protocol Templates. USENIX Security Symposium, pp. 589-604 (2013).
Manos Antonakakis, Roberto Perdisci, David Dagon, Wenke Lee, Nick Feamster. Building a Dynamic Reputation System for DNS. USENIX Security Symposium, pp. 18 (2010).
Mark Felegyhazi, Christian Kreibich, Vern Paxson. On the Potential of Proactive Domain Blacklisting. USENIX Conference on Large-Scale Exploits and Emergent Threats (LEET), pp. 6 (2010).
Guofei Gu, Phillip Porras, Vinod Yegneswaran, Martin Fong, Wenke Lee. BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation. USENIX Security Symposium, pp. 12 (2007).
Babak Rahbarinia, Roberto Perdisci, Manos Antonakakis. Segugio: Efficient Behavior-Based Tracking of Malware-Control Domains in Large ISP Networks. 2015 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 403-414 (2015). DOI: 10.1109/DSN.2015.35
M. Zubair Rafique, Juan Caballero. FIRMA: Malware Clustering and Network Signature Generation with Mixed Network Behaviors. Recent Advances in Intrusion Detection, pp. 144-163 (2013). DOI: 10.1007/978-3-642-41284-4_8
Gregoire Jacob, Ralf Hund, Christopher Kruegel, Thorsten Holz. JACKSTRAWS: Picking Command and Control Connections from Bot Traffic. USENIX Security Symposium, pp. 29 (2011).
Manos Antonakakis, Roberto Perdisci, Yacin Nadji, Nikolaos Vasiloglou, Saeed Abu-Nimeh, Wenke Lee, David Dagon. From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based Malware. USENIX Security Symposium, pp. 24 (2012).