Malware Beaconing Detection by Mining Large-scale DNS Logs for Targeted Attack Identification

One of the leading problems in Cyber Security today is the emergence of targeted attacks conducted by adversaries with access to sophisticated tools. These attacks usually steal senior level employee system privileges, in order to gain unauthorized access to confidential knowledge and valuable intellectual property. Malware used for initial compromise of the systems are sophisticated and may target zero-day vulnerabilities. In this work we utilize common behaviour of malware called ”beacon”, which implies that infected hosts communicate to Command and Control servers at regular intervals that have relatively small time variations. By analysing such beacon activity through passive network monitoring, it is possible to detect potential malware infections. So, we focus on time gaps as indicators of possible C2 activity in targeted enterprise networks. We represent DNS log files as a graph, whose vertices are destination domains and edges are timestamps. Then by using four periodicity detection algorithms for each pair of internal-external communications, we check timestamp sequences to identify the beacon activities. Finally, based on the graph structure, we infer the existence of other infected hosts and malicious domains enrolled in the attack activities Keywords—Malware detection, network security, targeted attack.

[1]  Walid G. Aref,et al.  Multiple and Partial Periodicity Mining in Time Series Databases , 2002, ECAI.

[2]  Walid G. Aref,et al.  WARP: time warping for periodicity detection , 2005, Fifth IEEE International Conference on Data Mining (ICDM'05).

[3]  Walid G. Aref,et al.  Periodicity detection in time series databases , 2005, IEEE Transactions on Knowledge and Data Engineering.

[4]  Reda Alhajj,et al.  STNR: A suffix tree based noise resilient algorithm for periodicity detection in time series databases , 2010, Applied Intelligence.

[5]  Guofei Gu,et al.  BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic , 2008, NDSS.

[6]  Joseph M. Hellerstein,et al.  GraphLab: A New Framework For Parallel Machine Learning , 2010, UAI.

[7]  Feng Liu,et al.  Modeling Connections Behavior for Web-Based Bots Detection , 2010, 2010 2nd International Conference on E-business and Information System Security.

[8]  Jie He,et al.  Detecting P2P bots by mining the regional periodicity , 2013, Journal of Zhejiang University SCIENCE C.

[9]  Jishakrishnan,et al.  PERIODICITY DETECTION ALGORITHMS IN TIME SERIES DATABASES-A SURVEY , 2013 .

[10]  L. V. Duijn project-Report Beacon detection in PCAP files , 2014 .

[11]  Zhou Li,et al.  Detection of Early-Stage Enterprise Infection by Mining Large-Scale Log Data , 2014, 2015 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks.