Graph-theoretic characterization of cyber-threat infrastructures

In this paper, we investigate cyber-threats and the underlying infrastructures. More precisely, we detect and analyze cyber-threat infrastructures for the purpose of unveiling key players (owners, domains, IPs, organizations, malware families, etc.) and the relationships between these players. To this end, we propose metrics to measure the badness of different infrastructure elements using graph-theoretic concepts such as centrality measures and Google PageRank. In addition, we quantify the sharing of infrastructure elements among different malware samples and families to unveil potential groups that are behind specific attacks. Moreover, we study the evolution of cyber-threat infrastructures over time to infer patterns of cyber-criminal activities. The proposed study provides the capability to derive insights and intelligence about cyber-threat infrastructures. Using a one-year dataset, we generate notable results regarding emerging threats and campaigns, important players behind threats, linkages between cyber-threat infrastructure elements, patterns of cyber-crimes, etc.
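As an added illustration (not code from the paper), the following Python builds the sample-to-infrastructure graph the abstract describes over constructed data, scores infrastructure elements with PageRank and degree centrality, and quantifies infrastructure sharing between families. The sample names, family labels, domains/IPs and the choice of Jaccard overlap as the sharing measure are assumptions of this example.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample data (not from the paper): malware sample -> (family label,
# set of domains / IPs the sample was observed contacting).
SAMPLES = {
    "s1": ("FamA", {"evil.example", "198.51.100.7"}),
    "s2": ("FamA", {"evil.example", "198.51.100.7", "cdn.example"}),
    "s3": ("FamB", {"198.51.100.7", "drop.example"}),
    "s4": ("FamB", {"drop.example"}),
    "s5": ("FamC", {"cdn.example"}),
}

def build_graph(samples):
    """Undirected bipartite graph: sample <-> infrastructure element."""
    adj = defaultdict(set)
    for sample, (_, elements) in samples.items():
        for e in elements:
            adj[sample].add(e)
            adj[e].add(sample)
    return dict(adj)

def pagerank(adj, damping=0.85, iters=100):
    """Power-iteration PageRank; every node has neighbours, so no dangling fix."""
    n = len(adj)
    rank = {v: 1.0 / n for v in adj}
    for _ in range(iters):
        new = {v: (1 - damping) / n for v in adj}
        for v, nbrs in adj.items():
            share = damping * rank[v] / len(nbrs)  # spread score evenly
            for u in nbrs:
                new[u] += share
        rank = new
    return rank

def badness(samples):
    """(element, PageRank, degree = number of samples touching it), worst first."""
    adj = build_graph(samples)
    pr = pagerank(adj)
    elems = {e for _, els in samples.values() for e in els}
    return sorted(((e, pr[e], len(adj[e])) for e in elems),
                  key=lambda t: (-t[1], t[0]))

def family_sharing(samples):
    """Jaccard overlap of infrastructure between each pair of families."""
    infra = defaultdict(set)
    for fam, els in samples.values():
        infra[fam] |= els
    return {(a, b): len(infra[a] & infra[b]) / len(infra[a] | infra[b])
            for a, b in combinations(sorted(infra), 2)}
```

On the constructed data the IP contacted by three samples from two families ranks highest, and the FamA/FamB pair shares a quarter of its combined infrastructure.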
