Efficient and Accurate Behavior-Based Tracking of Malware-Control Domains in Large ISP Networks

Rahbarinia, Babak; Perdisci, Roberto; Antonakakis, Manos

doi:10.1145/2960409

Cited by 29 publications

(38 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The numbers of malicious queries classified into clus- ters (1), (2), and (3) in Fig. 2 (c) were 1, 375, and 12, respectively.…”

Section: Discussionmentioning

confidence: 99%

“…In cluster (2), queries related to domain reputation frequently occurred before and after the malicious queries, for example, to spamhaus.org, abuseat.org, and barracudacentral.org. Accordingly, we believe that the malicious queries in cluster (2) were caused by misdetection of communications from some security appliances. In cluster (3), queries to BitTorrent tracking sites occurred before and after the malicious queries, for example, to opentrackr.org, asnet.pw, and blackunicorn.…”

Section: Discussionmentioning

confidence: 99%

“…One common way to detect infected machines in a network is by monitoring communications based on blacklists. To improve the detection capability, several studies have attempted to automatically update blacklist entries by using machine learning techniques [2]. However, such detection is problematic because (1) no blacklist is completely reliable, and (2) blacklists do not provide the sufficient evidence to allow administrators to determine the validity and accuracy of the detection results.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Clustering Malicious DNS Queries for Blacklist-Based Detection

Satoh

Nakamura

Nobayashi

et al. 2019

IEICE Trans. Inf. & Syst.

View full text Add to dashboard Cite

Some of the most serious threats to network security involve malware. One common way to detect malware-infected machines in a network is by monitoring communications based on blacklists. However, such detection is problematic because (1) no blacklist is completely reliable, and (2) blacklists do not provide the sufficient evidence to allow administrators to determine the validity and accuracy of the detection results. In this paper, we propose a malicious DNS query clustering approach for blacklist-based detection. Unlike conventional classification, our causebased classification can efficiently analyze malware communications, allowing infected machines in the network to be addressed swiftly.

show abstract

“…The numbers of malicious queries classified into clus- ters (1), (2), and (3) in Fig. 2 (c) were 1, 375, and 12, respectively.…”

Section: Discussionmentioning

confidence: 99%

Section: Discussionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Clustering Malicious DNS Queries for Blacklist-Based Detection

Satoh

Nakamura

Nobayashi

et al. 2019

IEICE Trans. Inf. & Syst.

View full text Add to dashboard Cite

show abstract

“…Rahbarinia et al [22] developed a system called Segugio that finds unknown malicious domains based on their cooccurrence relation with known malicious domains in DNS queries. Segugio is based on the following insights: (1) infected machines in the same malware family tend to communicate with the same malicious domain group and (2) uninfected machines have no reason to communicate with malicious domains.…”

Section: B Related Workmentioning

confidence: 99%

“…Consequently, these results suggest the proposed approach achieves a high level of effectiveness for datasets collected via campus networks. Table IX presents a qualitative comparison of the proposed approach and the ten previously published methods, which are representative examples of blacklist-based detection [13], DPI-based detection [18], reputation-based detection [21], behavior-based detection [22], [23], [24], ML-based detection [27], and DL-based detection [28], [29], [30]. In this comparison, we focus on the following five items: (1) DGA malware detection performance, (2) the ability to detect malware in real time, (3) robustness to encryption, (4) dependence on network scale, and (5) the need for training in advance using datasets or other prior knowledge.…”

Section: Identification Accuracy For Dns Queries Collected Via Cammentioning

confidence: 99%

A Superficial Analysis Approach for Identifying Malicious Domain Names Generated by DGA Malware

Satoh

Fukuda

Hayashi

et al. 2020

IEEE Open J. Commun. Soc.

View full text Add to dashboard Cite

Some of the most serious security threats facing computer networks involve malware. To prevent malware-related damage, administrators must swiftly identify and remove the infected machines that may reside in their networks. However, many malware families have domain generation algorithms (DGAs) to avoid detection. A DGA is a technique in which the domain name is changed frequently to hide the callback communication from the infected machine to the command-and-control server. In this paper, we propose an approach for estimating the randomness of domain names by superficially analyzing their character strings. This approach is based on the following observations: human-generated benign domain names tend to reflect the intent of their domain registrants, such as an organization, product, or content. In contrast, dynamically generated malicious domain names consist of meaningless character strings because conflicts with already registered domain names must be avoided; hence, there are discernible differences in the strings of dynamically generated and human-generated domain names. Notably, our approach does not require any prior knowledge about DGAs. Our evaluation indicates that the proposed approach is capable of achieving recall and precision as high as 0.9960 and 0.9029, respectively, when used with labeled datasets. Additionally, this approach has proven to be highly effective for datasets collected via a campus network. Thus, these results suggest that malware-infected machines can be swiftly identified and removed from networks using DNS queries for detected malicious domains as triggers.

show abstract

LagProber: Detecting DGA-Based Malware by Using Query Time Lag of Non-existent Domains

Luo

Wang

et al. 2018

Information and Communications Security

View full text Add to dashboard Cite

Efficient and Accurate Behavior-Based Tracking of Malware-Control Domains in Large ISP Networks

Cited by 29 publications

References 15 publications

Clustering Malicious DNS Queries for Blacklist-Based Detection

Clustering Malicious DNS Queries for Blacklist-Based Detection

A Superficial Analysis Approach for Identifying Malicious Domain Names Generated by DGA Malware

LagProber: Detecting DGA-Based Malware by Using Query Time Lag of Non-existent Domains

Contact Info

Product

Resources

About