Metadata-Driven Threat Classification of Network Endpoints Appearing in Malware

  • Andrew G. West
  • Aziz Mohaisen
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8550)

Abstract

Networked machines serving as binary distribution points, C&C channels, or drop sites are a ubiquitous aspect of malware infrastructure. By sandboxing malcode one can extract the network endpoints (i.e., domains and URL paths) contacted during execution. Some endpoints are benign, e.g., connectivity tests. Exclusively malicious destinations, however, can serve as signatures enabling network alarms. Often these behavioral distinctions are drawn by expert analysts, resulting in considerable cost and labeling latency.

Leveraging 28,000 expert-labeled endpoints derived from ≈100k malware binaries, this paper characterizes those domains/URLs towards prioritizing manual efforts and automatic signature generation. Our analysis focuses on endpoints’ static metadata properties and not on network payloads or routing dynamics. Performance validates this straightforward approach, achieving 99.4% accuracy at binary threat classification and 93% accuracy on the more granular task of severity prediction. This performance is driven by features capturing a domain’s behavioral history and registration properties. More qualitatively, we discover the prominent role that dynamic DNS providers and “shared-use” public services play as perpetrators seek agile and cost-effective hosting infrastructure.
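The abstract describes classifying sandbox-observed endpoints from static metadata alone (registration properties, a domain's prior history, dynamic DNS and shared-use hosting) rather than from payloads. The block below is an added illustration of that pipeline and is not code from the paper or from Verisign Labs: it assumes constructed `.example` endpoints, a hand-made registration/reputation table standing in for WHOIS and a reputation store, constructed category lists for dynamic DNS and shared-use services, and a feature set chosen to mirror the categories the abstract names, which is not the paper's actual feature list. A small Bernoulli naive Bayes model is trained on the constructed labels and applied to held-out URLs.

```python
"""Added illustration (not the paper's code): static-metadata features for
network endpoints contacted by sandboxed malware, plus a tiny classifier."""
from datetime import date
from math import log
from urllib.parse import urlsplit

ANALYSIS_DATE = date(2014, 1, 15)  # constructed reference date for domain age

# Constructed stand-ins for curated category lists (assumption: in practice
# these are maintained lists of dynamic DNS providers and shared-use services).
DYNAMIC_DNS_DOMAINS = {"dyndns.example", "no-ip.example"}
SHARED_USE_HOSTS = {"paste.example", "files.example"}

# Constructed registration and reputation records keyed by registered domain:
# (registration date, number of prior malicious sightings). Assumption: a real
# deployment would source these from WHOIS and a domain-reputation store.
REGISTRATION = {
    "connectivity.example": (date(2005, 3, 1), 0),
    "time.example": (date(2004, 6, 9), 0),
    "cdn.example": (date(2006, 1, 2), 0),
    "status.example": (date(2003, 5, 5), 0),
    "dyndns.example": (date(2001, 8, 8), 0),
    "no-ip.example": (date(2002, 2, 2), 0),
    "paste.example": (date(2008, 4, 4), 0),
    "cdn-update.example": (date(2013, 11, 20), 7),  # young domain with history
}

FEATURES = ("young_domain", "prior_hits", "dynamic_dns",
            "shared_use", "deep_path", "binary_ext")


def registered_domain(host):
    """Naive registered-domain extraction: last two labels. Assumption: a real
    implementation would consult the public suffix list instead."""
    return ".".join(host.lower().split(".")[-2:])


def extract_features(url):
    """Map one endpoint URL to binary static-metadata features."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    rdom = registered_domain(host)
    # Unknown domains are treated as registered today (age 0) with no history.
    registered, hits = REGISTRATION.get(rdom, (ANALYSIS_DATE, 0))
    age_days = (ANALYSIS_DATE - registered).days
    path_parts = [p for p in parts.path.split("/") if p]
    return {
        "young_domain": age_days < 365,
        "prior_hits": hits > 0,
        "dynamic_dns": rdom in DYNAMIC_DNS_DOMAINS,
        "shared_use": host in SHARED_USE_HOSTS,
        "deep_path": len(path_parts) >= 2,
        "binary_ext": bool(path_parts)
        and path_parts[-1].lower().endswith((".exe", ".dll", ".bin")),
    }


class BernoulliNB:
    """Bernoulli naive Bayes with Laplace smoothing over FEATURES."""

    def __init__(self):
        self.counts = {}  # label -> {feature: number of examples where True}
        self.n = {}       # label -> number of training examples

    def fit(self, labeled):
        for url, label in labeled:
            feats = extract_features(url)
            self.n[label] = self.n.get(label, 0) + 1
            c = self.counts.setdefault(label, dict.fromkeys(FEATURES, 0))
            for f in FEATURES:
                c[f] += int(feats[f])
        return self

    def scores(self, url):
        """Log posterior (up to a constant) for each label."""
        feats = extract_features(url)
        total = sum(self.n.values())
        out = {}
        for label, n in self.n.items():
            lp = log(n / total)
            for f in FEATURES:
                p_true = (self.counts[label][f] + 1) / (n + 2)
                lp += log(p_true if feats[f] else 1 - p_true)
            out[label] = lp
        return out

    def predict(self, url):
        s = self.scores(url)
        return max(s, key=s.get)


# Constructed expert-labeled training endpoints (label: benign / malicious).
TRAINING = [
    ("http://connectivity.example/", "benign"),
    ("http://time.example/api/now", "benign"),
    ("http://cdn.example/lib.dll", "benign"),
    ("http://abc.dyndns.example/gate.php", "malicious"),
    ("http://cdn-update.example/d/l/payload.exe", "malicious"),
    ("http://paste.example/raw/x", "malicious"),
]


def train_demo_model():
    return BernoulliNB().fit(TRAINING)


if __name__ == "__main__":
    model = train_demo_model()
    for u in ("http://xyz.no-ip.example/u/c.exe", "http://status.example/"):
        print(u, "->", model.predict(u))
```

With six training examples the model is only a demonstration of the feature plumbing; the point is that every feature is computable from metadata available before any payload is inspected, which is what makes such endpoints usable as signatures.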



Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Andrew G. West (Verisign Labs, Reston, USA)
  • Aziz Mohaisen (Verisign Labs, Reston, USA)
