Mining agile DNS traffic using graph analysis for cybercrime detection

Authors: Andreas Berger, Alessandro D’Alconzo, Wilfried N. Gansterer, Antonio Pescapé

DOI: 10.1016/J.COMNET.2016.02.009

Keywords:

Abstract: We consider the analysis of network traffic data for identifying highly agile DNS patterns, which are widely considered indicative of cybercrime. In contrast to related approaches, our methodology is capable of explicitly distinguishing between the individual, inherent agility of benign Internet services and that of criminal sites. Although some benign services use a large number of addresses, they are confined to a subset of IP addresses due to operational requirements and contractual agreements with certain Content Distribution Networks. We discuss DNSMap, a system that analyzes observed DNS traffic and continuously learns which FQDNs are hosted on which IP addresses. Any significant changes over time are mapped to bipartite graphs, which are then further pruned for cybercrime activity. Graph analysis enables the detection of transitive relations between FQDNs and IPs, and reveals clusters of malicious FQDNs and the addresses hosting them. We developed a prototype designed for real-time analysis, which requires no costly classifier retraining and no excessive whitelisting. We evaluate it using data sets from an ISP with several 100,000 customers, and demonstrate that even moderately agile sites can be detected reliably and almost immediately.
