Metadata-Driven Threat Classification of Network Endpoints Appearing in Malware

  • Andrew G. West
  • Aziz Mohaisen
Conference paper

DOI: 10.1007/978-3-319-08509-8_9

Part of the Lecture Notes in Computer Science book series (LNCS, volume 8550)
Cite this paper as:
West A.G., Mohaisen A. (2014) Metadata-Driven Threat Classification of Network Endpoints Appearing in Malware. In: Dietrich S. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2014. Lecture Notes in Computer Science, vol 8550. Springer, Cham

Abstract

Networked machines serving as binary distribution points, C&C channels, or drop sites are a ubiquitous aspect of malware infrastructure. By sandboxing malcode one can extract the network endpoints (i.e., domains and URL paths) contacted during execution. Some endpoints are benign, e.g., connectivity tests. Exclusively malicious destinations, however, can serve as signatures enabling network alarms. Often these behavioral distinctions are drawn by expert analysts, resulting in considerable cost and labeling latency.

Leveraging 28,000 expert-labeled endpoints derived from ≈100k malware binaries this paper characterizes those domains/URLs towards prioritizing manual efforts and automatic signature generation. Our analysis focuses on endpoints’ static metadata properties and not network payloads or routing dynamics. Performance validates this straightforward approach, achieving 99.4% accuracy at binary threat classification and 93% accuracy on the more granular task of severity prediction. This performance is driven by features capturing a domain’s behavioral history and registration properties. More qualitatively we discover the prominent role that dynamic DNS providers and “shared-use” public services play as perpetrators seek agile and cost-effective hosting infrastructure.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Andrew G. West
    • 1
  • Aziz Mohaisen
    • 1
  1. 1.Verisign Labs – RestonUSA

Personalised recommendations