Correlating file-based malware graphs against the empirical ground truth of DNS graphs

Published: 28 November 2016
DOI: 10.1145/2993412.2993414

Abstract

This exploratory empirical paper investigates whether the sharing of unique malware files between domains is empirically associated with the sharing of Internet Protocol (IP) addresses and with the sharing of normal, non-malware files. Using a graph theoretical approach on a web crawling dataset from F-Secure, the paper finds no robust statistical associations, however. Contrary to what the continuing popularity of shared hosting services might lead one to expect, the sharing of IP addresses through the domain name system (DNS) seems to neither increase nor decrease the sharing of malware files. In addition to these exploratory empirical results, the paper contributes to the field of DNS mining by elaborating graph theoretical representations that are applicable to different network forensics problems.
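The abstract describes three domain-level "sharing" graphs (shared malware files, shared benign files, shared IP addresses) and asks whether sharing in one is associated with sharing in another. The following is an added example, not code from the paper or from F-Secure: it assumes the crawl has been reduced to two bipartite relations (domain to file hash, domain to IP address) plus a set of hashes flagged as malware, projects each relation onto a domain-domain co-sharing graph, tabulates which domain pairs share in each graph, and scores the association with a phi coefficient and a label-shuffling permutation check. All domain names, hashes, IPs and the exact graph representation are constructed assumptions; the paper's own representations are not given in the abstract.

```python
"""Domain co-sharing graphs and their pairwise association (added example).

Assumed input model (not the paper's): DOMAIN_FILES maps a domain to the
set of file hashes crawled from it, DOMAIN_IPS maps a domain to the IPs it
resolved to, MALWARE_HASHES is the subset of hashes flagged as malware.
"""
from itertools import combinations
from math import sqrt
import random

# Constructed sample data, labelled as such; not from any real crawl.
DOMAIN_FILES = {
    "a.example": {"m1", "b1"},
    "b.example": {"m1", "b2"},
    "c.example": {"b1", "b3"},
    "d.example": {"m2", "b3"},
    "e.example": {"m2"},
    "f.example": {"b4"},
}
DOMAIN_IPS = {
    "a.example": {"10.0.0.1"},
    "b.example": {"10.0.0.1"},
    "c.example": {"10.0.0.2"},
    "d.example": {"10.0.0.2"},
    "e.example": {"10.0.0.3"},
    "f.example": {"10.0.0.3", "10.0.0.1"},
}
MALWARE_HASHES = {"m1", "m2"}


def project(bipartite, allowed=None):
    """Project a domain->items relation onto a domain-domain graph.

    Returns {frozenset({d1, d2}): weight}; the weight is the number of
    shared items and pairs that share nothing are absent. `allowed`
    restricts which items count (e.g. only malware hashes).
    """
    graph = {}
    for d1, d2 in combinations(sorted(bipartite), 2):
        shared = bipartite[d1] & bipartite[d2]
        if allowed is not None:
            shared &= allowed
        if shared:
            graph[frozenset((d1, d2))] = len(shared)
    return graph


def build_graphs(domain_files, domain_ips, malware_hashes):
    """The three co-sharing graphs named in the abstract."""
    all_hashes = set().union(*domain_files.values())
    return {
        "malware": project(domain_files, malware_hashes),
        "benign": project(domain_files, all_hashes - malware_hashes),
        "ip": project(domain_ips),
    }


def contingency(graph_x, graph_y, domains):
    """2x2 table over every domain pair: (shares in x, shares in y) -> count."""
    table = {(True, True): 0, (True, False): 0,
             (False, True): 0, (False, False): 0}
    for d1, d2 in combinations(sorted(domains), 2):
        pair = frozenset((d1, d2))
        table[(pair in graph_x, pair in graph_y)] += 1
    return table


def phi_coefficient(table):
    """Pearson correlation of two binary variables from their 2x2 table."""
    a, b = table[(True, True)], table[(True, False)]
    c, d = table[(False, True)], table[(False, False)]
    denom = sqrt((a + b) * (c + d) * (a + c) * (b + d))
    return 0.0 if denom == 0 else (a * d - b * c) / denom


def permutation_check(domain_files, domain_ips, malware_hashes,
                      rounds=200, seed=1):
    """Observed phi(ip, malware) and the share of random reassignments of IP
    sets to domains that reach at least that |phi|. A generic null-model
    check, not the paper's statistical test."""
    domains = sorted(domain_files)
    malware = project(domain_files, malware_hashes)
    observed = phi_coefficient(contingency(project(domain_ips), malware, domains))
    rng = random.Random(seed)
    ip_sets = [domain_ips[d] for d in domains]
    hits = 0
    for _ in range(rounds):
        rng.shuffle(ip_sets)
        shuffled = dict(zip(domains, ip_sets))
        phi = phi_coefficient(contingency(project(shuffled), malware, domains))
        hits += abs(phi) >= abs(observed)
    return observed, hits / rounds


if __name__ == "__main__":
    graphs = build_graphs(DOMAIN_FILES, DOMAIN_IPS, MALWARE_HASHES)
    for name, g in graphs.items():
        print(name, sorted(tuple(sorted(e)) for e in g))
    observed, p_value = permutation_check(DOMAIN_FILES, DOMAIN_IPS, MALWARE_HASHES)
    print("phi(ip, malware) = %.3f, permutation p ~ %.2f" % (observed, p_value))
```

The projection step is where the abstract's "ground truth" question lives: the IP graph is observed directly from DNS resolution, while the malware and benign graphs depend on the file classification, so any association found is only as reliable as the malware labels. On the constructed sample the phi coefficient is small (about 0.14), which mirrors the kind of weak, non-robust association the abstract reports; on real data one would also weight edges and control for the size of hosting providers before drawing conclusions.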


Cited By

  • Investigating the Agility Bias in DNS Graph Mining. 2017 IEEE International Conference on Computer and Information Technology (CIT), pages 253-260, August 2017. DOI: 10.1109/CIT.2017.55

Published In

ECSAW '16: Proceedings of the 10th European Conference on Software Architecture Workshops
November 2016, 234 pages
ISBN: 9781450347815
DOI: 10.1145/2993412

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. DNS mining
    2. complex network analysis
    3. cyber security
    4. ground truth problem
    5. network forensics
    6. shared hosting

    Conference

    ECSAW '16
    ECSAW '16: European Conference on Software Architecture Workshops
    November 28 - December 2, 2016
    Copenhagen, Denmark

    Acceptance Rates

    Overall Acceptance Rate 80 of 120 submissions, 67%
