Article

Segugio: Efficient Behavior-Based Tracking of Malware-Control Domains in Large ISP Networks

Authors:

Babak Rahbarinia,

Roberto Perdisci,

Manos AntonakakisAuthors Info & Claims

DSN '15: Proceedings of the 2015 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks

Pages 403 - 414

https://doi.org/10.1109/DSN.2015.35

Published: 22 June 2015 Publication History

Abstract

In this paper, we propose Segugio, a novel defense system that allows for efficiently tracking the occurrence of new malware-control domain names in very large ISP networks. Segugio passively monitors the DNS traffic to build a machine-domain bipartite graph representing who is querying what. After labelling nodes in this query behavior graph that are known to be either benign or malware-related, we propose a novel approach to accurately detect previously unknown malware-control domains. We implemented a proof-of-concept version of Segugio and deployed it in large ISP networks that serve millions of users. Our experimental results show that Segugio can track the occurrence of new malware-control domains with up to 94% true positives (TPs) at less than 0.1% false positives (FPs). In addition, we provide the following results: (1) we show that Segugio can also detect control domains related to new, previously unseen malware families, with 85% TPs at 0.1% FPs, (2) Segugio's detection models learned on traffic from a given ISP network can be deployed into a different ISP network and still achieve very high detection accuracy, (3) new malware-control domains can be detected days or even weeks before they appear in a large commercial domain name blacklist, and (4) we show that Segugio clearly outperforms Notos, a previously proposed domain name reputation system.

Cited By

View all

Kondracki BAzad BStarov ONikiforakis NKim YKim JVigna GShi E(2021)Catching Transparent Phish: Analyzing and Detecting MITM Phishing ToolkitsProceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security10.1145/3460120.3484765(36-50)Online publication date: 12-Nov-2021
https://dl.acm.org/doi/10.1145/3460120.3484765
Jeng TChen YChen CHuang C(2020)MD-MinerPSecurity and Communication Networks10.1155/2020/88415442020Online publication date: 29-Oct-2020
https://dl.acm.org/doi/10.1155/2020/8841544
Bao ZWang WLan Y(2019)Using Passive DNS to Detect Malicious Domain NameProceedings of the 3rd International Conference on Vision, Image and Signal Processing10.1145/3387168.3387236(1-8)Online publication date: 26-Aug-2019
https://dl.acm.org/doi/10.1145/3387168.3387236
Show More Cited By

Recommendations

Efficient and Accurate Behavior-Based Tracking of Malware-Control Domains in Large ISP Networks

In this article, we propose Segugio, a novel defense system that allows for efficiently tracking the occurrence of new malware-control domain names in very large ISP networks. Segugio passively monitors the DNS traffic to build a machine-domain ...
GMAD: Graph-based Malware Activity Detection by DNS traffic analysis

Malicious activities on the Internet are one of the most dangerous threats to Internet users and organizations. Malicious software controlled remotely is addressed as one of the most critical methods for executing the malicious activities. Since ...
Identifying botnets by capturing group activities in DNS traffic

Botnets have become the main vehicle to conduct online crimes such as DDoS, spam, phishing and identity theft. Even though numerous efforts have been directed towards detection of botnets, evolving evasion techniques easily thwart detection. Moreover, ...

Comments

Information & Contributors

Information

Published In

DSN '15: Proceedings of the 2015 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks

June 2015

573 pages

ISBN:9781479986293

Publisher

IEEE Computer Society

United States

Publication History

Published: 22 June 2015

Author Tags

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

17
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 03 Oct 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Kondracki BAzad BStarov ONikiforakis NKim YKim JVigna GShi E(2021)Catching Transparent Phish: Analyzing and Detecting MITM Phishing ToolkitsProceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security10.1145/3460120.3484765(36-50)Online publication date: 12-Nov-2021
https://dl.acm.org/doi/10.1145/3460120.3484765
Jeng TChen YChen CHuang C(2020)MD-MinerPSecurity and Communication Networks10.1155/2020/88415442020Online publication date: 29-Oct-2020
https://dl.acm.org/doi/10.1155/2020/8841544
Bao ZWang WLan Y(2019)Using Passive DNS to Detect Malicious Domain NameProceedings of the 3rd International Conference on Vision, Image and Signal Processing10.1145/3387168.3387236(1-8)Online publication date: 26-Aug-2019
https://dl.acm.org/doi/10.1145/3387168.3387236
Najafi PMühle APünter WCheng FMeinel CBalenson D(2019)MalRankProceedings of the 35th Annual Computer Security Applications Conference10.1145/3359789.3359791(417-429)Online publication date: 9-Dec-2019
https://dl.acm.org/doi/10.1145/3359789.3359791
Xie XNiu WZhang XRen ZLuo YLi J(2019)Co-Clustering Host-Domain Graphs to Discover Malware InfectionProceedings of the 2019 International Conference on Artificial Intelligence and Advanced Manufacturing10.1145/3358331.3358380(1-6)Online publication date: 17-Oct-2019
https://dl.acm.org/doi/10.1145/3358331.3358380
Chen XLi GZhang YWu XTian C(2019)A Deep Learning Based Fast-Flux and CDN Domain Names Recognition MethodProceedings of the 2nd International Conference on Information Science and Systems10.1145/3322645.3322679(54-59)Online publication date: 16-Mar-2019
https://dl.acm.org/doi/10.1145/3322645.3322679
Oprea ALi ZNorris RBowers K(2018)MADEProceedings of the 34th Annual Computer Security Applications Conference10.1145/3274694.3274710(124-136)Online publication date: 3-Dec-2018
https://dl.acm.org/doi/10.1145/3274694.3274710
Zhauniarovich YKhalil IYu TDacier M(2018)A Survey on Malicious Domains Detection through DNS Data AnalysisACM Computing Surveys10.1145/319132951:4(1-36)Online publication date: 6-Jul-2018
https://dl.acm.org/doi/10.1145/3191329
Khalil IGuan BNabeel MYu TZhao ZAhn GKrishnan RGhinita G(2018)A Domain is only as Good as its BuddiesProceedings of the Eighth ACM Conference on Data and Application Security and Privacy10.1145/3176258.3176329(330-341)Online publication date: 13-Mar-2018
https://dl.acm.org/doi/10.1145/3176258.3176329
Chiba DYagi TAkiyama MShibahara TMori TGoto S(2018)DomainProfilerInternational Journal of Information Security10.1007/s10207-017-0396-717:6(661-680)Online publication date: 1-Nov-2018
https://dl.acm.org/doi/10.1007/s10207-017-0396-7
Show More Cited By

View Options

View options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Abstract

Cited By

Recommendations

Efficient and Accurate Behavior-Based Tracking of Malware-Control Domains in Large ISP Networks

GMAD: Graph-based Malware Activity Detection by DNS traffic analysis

Identifying botnets by capturing group activities in DNS traffic

Comments

Information

Published In

Publisher

Publication History

Author Tags

Qualifiers

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

View options

Get Access

Login options

Full Access

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations