DOI: 10.1145/3358331.3358380
Co-Clustering Host-Domain Graphs to Discover Malware Infection

Published: 17 October 2019

Abstract

    Malware is at the root of most cyber-attacks and causes billions of dollars in damage every year. Most malware, especially Advanced Persistent Threat (APT) malware, uses the Domain Name System (DNS) to control compromised machines and steal sensitive information. Several security products therefore identify malware infections by combining machine learning with DNS data. However, existing detection approaches cannot simultaneously identify both malicious domain names and infected hosts. To address this, this work proposes a co-clustering based detection approach that does not require labeled data and integrates active DNS data with graph inference. First, a host-domain graph is generated from active DNS data. Then a subset of domain nodes is labeled with the aid of a blacklist, a popular-domain list, and Alexa ranking. Finally, semi-supervised co-clustering is used to discover potential malicious domains and malware-infected hosts in the monitored network. The experiments were run on a network of hundreds of internal hosts that accessed 145 malware domains. The results show that the proposed approach identifies malware domains with up to 97.2% true positives. This work also compares and analyzes the results of different cluster-calculation formulas under two different bipartite edge weightings. The results show that clustering with maximum and minimum edge weights is more tolerant of different distance-calculation methods.
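    The pipeline sketched in the abstract (build a bipartite host-domain graph from DNS records, seed a few domain nodes from a blacklist and a popular-domain list, then let those labels spread to hosts and back to unlabeled domains), as an added, simplified label-propagation illustration in Python; it is not the paper's code or its co-clustering formula, and all hosts, domain names and DNS counts are constructed. A `min` aggregation rule is included beside the weighted mean to show how much the verdict depends on the combination rule.

```python
from collections import defaultdict

# Constructed (host, domain, query_count) records standing in for active DNS
# data; every name here is a placeholder, not a real indicator.
DNS_RECORDS = [
    ("h1", "update.vendor.test", 40), ("h1", "cdn.popular.test", 30),
    ("h2", "cdn.popular.test", 25),  ("h2", "xk7q.c2.test", 12),
    ("h3", "xk7q.c2.test", 9),       ("h3", "beacon.unknown.test", 7),
    ("h4", "cdn.popular.test", 50),  ("h4", "update.vendor.test", 20),
]
# Seed labels for some domain nodes: +1 popular-domain list, -1 blacklist;
# unlabeled domains start at 0 and are inferred from the graph.
SEED_LABELS = {"cdn.popular.test": 1.0, "update.vendor.test": 1.0,
               "xk7q.c2.test": -1.0}

def build_graph(records):
    """Bipartite adjacency: host -> {domain: weight}, domain -> {host: weight}."""
    hosts, domains = defaultdict(dict), defaultdict(dict)
    for h, d, w in records:
        hosts[h][d] = hosts[h].get(d, 0) + w
        domains[d][h] = domains[d].get(h, 0) + w
    return hosts, domains

def combine(nbrs, scores, rule):
    """Score a node from its neighbours: weight-averaged ('mean') or the
    most malicious neighbour wins ('min')."""
    if rule == "min":
        return min(scores[n] for n in nbrs)
    return sum(w * scores[n] for n, w in nbrs.items()) / sum(nbrs.values())

def propagate(records, seeds, rule="mean", rounds=20):
    hosts, domains = build_graph(records)
    dscore = {d: seeds.get(d, 0.0) for d in domains}
    hscore = {h: 0.0 for h in hosts}
    for _ in range(rounds):
        for h, nbrs in hosts.items():
            hscore[h] = combine(nbrs, dscore, rule)
        for d, nbrs in domains.items():
            if d not in seeds:          # seeded domains keep their label
                dscore[d] = combine(nbrs, hscore, rule)
    return hscore, dscore

def flag(records, seeds, rule="mean", threshold=-0.2):
    """Return (suspected infected hosts, suspected malicious unlabeled domains)."""
    hscore, dscore = propagate(records, seeds, rule)
    hosts = sorted(h for h, s in hscore.items() if s < threshold)
    doms = sorted(d for d, s in dscore.items() if s < threshold and d not in seeds)
    return hosts, doms

if __name__ == "__main__":
    for rule in ("mean", "min"):
        print(rule, flag(DNS_RECORDS, SEED_LABELS, rule))
```

    Under the mean rule h2 is not flagged even though it resolved the blacklisted domain, because its heavier benign traffic dilutes that single edge; the min rule flags it. That sensitivity is the kind of effect the abstract's comparison of edge weightings and distance formulas is about.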


    Cited By

    • (2024) A Survey on the Applications of Semi-Supervised Learning to Cyber-Security. ACM Computing Surveys. DOI 10.1145/3657647. Online publication date: 11 Apr 2024
    • (2022) A Detection Method for Social Network Images with Spam, Based on Deep Neural Network and Frequency Domain Pre-Processing. Electronics 11(7), 1081. DOI 10.3390/electronics11071081. Online publication date: 29 Mar 2022
    • (2021) Scaling Multi-Objective Optimization for Clustering Malware. 2021 IEEE Symposium Series on Computational Intelligence (SSCI), 1-8. DOI 10.1109/SSCI50451.2021.9659925. Online publication date: 5 Dec 2021

      Published In

      AIAM 2019: Proceedings of the 2019 International Conference on Artificial Intelligence and Advanced Manufacturing
      October 2019, 418 pages
      ISBN: 9781450372022
      DOI: 10.1145/3358331
      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

      Publisher

      Association for Computing Machinery, New York, NY, United States

      Author Tags

      1. APT
      2. active DNS
      3. malicious domains
      4. malware-infected hosts
      5. semi-supervised
      6. semi-supervised co-clustering

      Qualifiers

      • Research-article
      • Research
      • Refereed limited

      Conference

      AIAM 2019

      Acceptance Rates

      Overall Acceptance Rate 100 of 285 submissions, 35%

      Article Metrics

      • Downloads (last 12 months): 5
      • Downloads (last 6 weeks): 0
      Reflects downloads up to 27 Jul 2024
