Segugio: Efficient Behavior-Based Tracking of Malware-Control Domains in Large ISP Networks

Rahbarinia, Babak; Perdisci, Roberto; Antonakakis, Manos

doi:10.1109/dsn.2015.35

Cited by 88 publications

(55 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…SpiderWeb [36] is also a system that is able to detect malicious web pages by crowd-sourcing redirection chains. Segugio [32] tracks new malwarecontrol domain names in very large ISP networks. WebWitness [27] automatically traces back malware download paths to understand attack trends.…”

Section: Related Workmentioning

confidence: 99%

Include Me Out: In-Browser Detection of Malicious Third-Party Content Inclusions

Arshad¹,

Kharraz²,

Robertson³

2017

Financial Cryptography and Data Security

View full text Add to dashboard Cite

Modern websites include various types of third-party content such as JavaScript, images, stylesheets, and Flash objects in order to create interactive user interfaces. In addition to explicit inclusion of third-party content by website publishers, ISPs and browser extensions are hijacking web browsing sessions with increasing frequency to inject third-party content (e.g., ads). However, third-party content can also introduce security risks to users of these websites, unbeknownst to both website operators and users. Because of the often highly dynamic nature of these inclusions as well as the use of advanced cloaking techniques in contemporary malware, it is exceedingly difficult to preemptively recognize and block inclusions of malicious third-party content before it has the chance to attack the user's system. In this paper, we propose a novel approach to achieving the goal of preemptive blocking of malicious third-party content inclusion through an analysis of inclusion sequences on the Web. We implemented our approach, called Excision, as a set of modifications to the Chromium browser that protects users from malicious inclusions while web pages load. Our analysis suggests that by adopting our in-browser approach, users can avoid a significant portion of malicious third-party content on the Web. Our evaluation shows that Excision effectively identifies malicious content while introducing a low false positive rate. Our experiments also demonstrate that our approach does not negatively impact a user's browsing experience when browsing popular websites drawn from the Alexa Top 500.

show abstract

Section: Related Workmentioning

confidence: 99%

Include Me Out: In-Browser Detection of Malicious Third-Party Content Inclusions

Arshad¹,

Kharraz²,

Robertson³

2017

Financial Cryptography and Data Security

View full text Add to dashboard Cite

show abstract

“…More recently, authors in [18] build bipartite graphs from passive DNS traffic collected from large ISP networks, with the goal of representing the who is querying what relationship. They run a graph-based behavioral classifier that suggests for domains used in C&C operations.…”

Section: Related Workmentioning

confidence: 99%

Real-Time Detection of Malware Downloads via Large-Scale URL->File->Machine Graph Mining

Rahbarinia

Balduzzi²,

Perdisci

2016

Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security

Self Cite

View full text Add to dashboard Cite

In this paper we propose Mastino, a novel defense system to detect malware download events. A download event is a 3-tuple that identifies the action of downloading a file from a URL that was triggered by a client (machine). Mastino utilizes global situation awareness and continuously monitors various network-and system-level events of the clients' machines across the Internet and provides real time classification of both files and URLs to the clients upon submission of a new, unknown file or URL to the system. To enable detection of the download events, Mastino builds a large download graph that captures the subtle relationships among the entities of download events, i.e. files, URLs, and machines. We implemented a prototype version of Mastino and evaluated it in a large-scale real-world deployment. Our experimental evaluation shows that Mastino can accurately classify malware download events with an average of 95.5% true positive (TP), while incurring less than 0.5% false positives (FP). In addition, we show the Mastino can classify a new download event as either benign or malware in just a fraction of a second, and is therefore suitable as a real time defense system.

show abstract

“…1-20) had more contributions and higher GI scores than both rIP features (Nos. [21][22][23][24][25][26][27][28][29][30][31][32][33][34][35][36][37][38] 4.1 did not contain such easy-toanswer domain names. As a result, the importance of these TVP features using Alexa1k and Alexa10k is relatively low.…”

Section: Effectiveness Of Each Featurementioning

confidence: 99%

“…Sato et al [38] used the co-occurrence characteristics of DNS queries to C&C domain names from multiple malware-infected hosts in a network to extend domain name blacklists. Also, Rahbarinia et al [37] proposed Segugio to detect new C&C domain names from DNS query behaviors in large ISP networks. This system requires malware-infected hosts in a network; however, our approach works without malware-infected hosts.…”

Section: User-centric Approachmentioning

confidence: 99%

DomainProfiler: toward accurate and early discovery of domain names abused in future

Chiba

Yagi

Akiyama

et al. 2017

Int. J. Inf. Secur.

View full text Add to dashboard Cite

Domain names are at the base of today's cyber-attacks. Attackers abuse the domain name system (DNS) to mystify their attack ecosystems; they systematically generate a huge volume of distinct domain names to make it infeasible for blacklisting approaches to keep up with newly generated malicious domain names. To solve this problem, we propose DomainProfiler for discovering malicious domain names that are likely to be abused in future. The key idea with our system is to exploit temporal variation patterns (TVPs) of domain names. The TVPs of domain names include information about how and when a domain name has been listed in legitimate/popular and/or malicious domain name lists. On the basis of this idea, our system actively collects historical DNS logs, analyzes their TVPs, and predicts whether a given domain name will be used for malicious purposes. Our evaluation revealed that DomainProfiler can predict malicious domain names 220 days beforehand with a true positive rate of 0.985. Moreover, we verified the effectiveness of our system in terms of the benefits from our TVPs and defense against cyber-attacks.

show abstract

Segugio: Efficient Behavior-Based Tracking of Malware-Control Domains in Large ISP Networks

Cited by 88 publications

References 9 publications

Include Me Out: In-Browser Detection of Malicious Third-Party Content Inclusions

Include Me Out: In-Browser Detection of Malicious Third-Party Content Inclusions

Real-Time Detection of Malware Downloads via Large-Scale URL->File->Machine Graph Mining

DomainProfiler: toward accurate and early discovery of domain names abused in future

Contact Info

Product

Resources

About