An Approach to Mine Suspicious Domain Based on HTTP Automated Software Communication Behavior

HTTP-based automated software (auto-ware) is increasingly used to reach Internet users. Unfortunately, besides benign auto-ware, such as software-update clients, auto-ware can also be an abnormal process acting as fraudulent advertising software, a virus, spyware, or a malicious bot. Malicious HTTP auto-ware generates requests to, and accesses, its server in a way that mimics normal behavior, so as to bypass firewalls or IDSs, which almost always allow HTTP-based data exchange. Because of this, identifying which clients within a private network perimeter are running suspicious HTTP auto-ware is a real challenge. In this paper, by observing and analyzing the HTTP communication behavior of malicious auto-ware, an Access Variation Graph of a domain/server is proposed to distinguish normal from malicious domains/servers. Based on it, a network-based method for mining suspicious domains is presented. From these results, network administrators are able to find out which clients have suspicious access or auto-ware.
