MD-Miner: Behavior-Based Tracking of Network Traffic for Malware-Control Domain Detection

Malicious domains are basic tools in the hands of cybercriminals. Once a victim machine is infected, the malware tends to connect to malicious domains to carry out internet crime, such as awaiting remote-control commands or delivering feedback reported by the malware. Recent studies have put much effort into detecting malicious domains, but there is still room for improvement. To detect malicious domains efficiently and accurately, we propose MD-Miner, a novel scalable system that tracks new malicious domains in large volumes of network traffic data. MD-Miner monitors the network traffic to build a process-domain bipartite graph representing who is connecting to what. After labeling the nodes in this process-domain graph that are known to be either benign or malicious, we propose a novel approach to accurately detect previously unknown malicious domains. In this paper, we implement a proof-of-concept version of MD-Miner with the assistance of a MapReduce architecture. The experimental results show that MD-Miner achieves an AUC as high as 95% and finds new malicious domains that cannot be identified by other reputation systems. In addition, the scalability and applicability of MD-Miner are demonstrated by experiments on real-world enterprise network traffic.
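The abstract describes two steps: building a process-domain bipartite graph from observed connections, then using the known benign and malicious labels on that graph to score unlabeled domains. The example below is added here to make that pipeline concrete; it is not MD-Miner's own code and the paper's detection approach is not reproduced. The graph construction follows the abstract (process nodes, domain nodes, weighted edges for observed connections; identifying a process by its executable name alone is an assumption). The scoring step is a simple iterative guilt-by-association propagation, chosen for illustration in place of the paper's unspecified method. The traffic records are constructed sample data.

```python
"""Process-domain bipartite graph with label propagation (illustrative example).

Added example for this page, not MD-Miner's implementation. The propagation
rule is an assumed stand-in for the paper's unspecified detection approach.
"""
from collections import Counter, defaultdict

# Constructed sample records: (host, process, contacted domain). Not real traffic.
SAMPLE_RECORDS = [
    ("hostA", "updater.exe", "update.example-vendor.test"),
    ("hostA", "svc-dropper.exe", "known-bad.test"),
    ("hostA", "svc-dropper.exe", "unknown-one.test"),
    ("hostB", "svc-dropper.exe", "known-bad.test"),
    ("hostB", "svc-dropper.exe", "unknown-one.test"),
    ("hostB", "browser.exe", "search.example.test"),
    ("hostC", "browser.exe", "search.example.test"),
    ("hostC", "browser.exe", "unknown-two.test"),
]

# Constructed seed labels standing in for a reputation feed / blocklist.
KNOWN_BENIGN = {"update.example-vendor.test", "search.example.test"}
KNOWN_MALICIOUS = {"known-bad.test"}


def build_bipartite_graph(records):
    """Return (proc_edges, dom_edges), the two adjacency views of the graph.

    proc_edges[process][domain] and dom_edges[domain][process] both hold the
    number of observed connections, so the two views describe the same edges.
    Processes are identified by executable name only (assumption for this example).
    """
    proc_edges = defaultdict(Counter)
    dom_edges = defaultdict(Counter)
    for _host, process, domain in records:
        proc_edges[process][domain] += 1
        dom_edges[domain][process] += 1
    return proc_edges, dom_edges


def _weighted_mean(neighbors, scores):
    """Connection-count-weighted mean of the neighbors' current scores."""
    total = sum(neighbors.values())
    return sum(w * scores[n] for n, w in neighbors.items()) / total


def propagate_labels(proc_edges, dom_edges, known_malicious, known_benign,
                     iterations=10, prior=0.5):
    """Iterative guilt-by-association scoring (assumed method, not the paper's).

    Labeled domains are clamped to 1.0 (malicious) or 0.0 (benign); unknown
    domains start at `prior`. Each round, every process takes the weighted
    mean of its domains' scores, then every unknown domain takes the weighted
    mean of its processes' scores. Returns {domain: score in [0, 1]}.
    """
    dom_scores = {}
    for domain in dom_edges:
        if domain in known_malicious:
            dom_scores[domain] = 1.0
        elif domain in known_benign:
            dom_scores[domain] = 0.0
        else:
            dom_scores[domain] = prior
    unknown = [d for d in dom_edges
               if d not in known_malicious and d not in known_benign]
    for _ in range(iterations):
        proc_scores = {p: _weighted_mean(doms, dom_scores)
                       for p, doms in proc_edges.items()}
        for domain in unknown:
            dom_scores[domain] = _weighted_mean(dom_edges[domain], proc_scores)
    return dom_scores


def rank_unknown_domains(records, known_malicious, known_benign, **kw):
    """Build the graph, propagate labels, and return the unlabeled domains as
    (domain, score) pairs sorted from most to least suspicious."""
    proc_edges, dom_edges = build_bipartite_graph(records)
    scores = propagate_labels(proc_edges, dom_edges, known_malicious, known_benign, **kw)
    unknown = [(d, s) for d, s in scores.items()
               if d not in known_malicious and d not in known_benign]
    return sorted(unknown, key=lambda ds: ds[1], reverse=True)


if __name__ == "__main__":
    for domain, score in rank_unknown_domains(SAMPLE_RECORDS, KNOWN_MALICIOUS, KNOWN_BENIGN):
        print(f"{domain:28s} {score:.3f}")
```

On the sample data, `unknown-one.test` is contacted only by the process that also reaches the known-malicious domain, so its score climbs toward 1.0, while `unknown-two.test` shares a process with a known-benign domain and drops toward 0.0. In a real deployment the seed labels would come from a reputation feed, the records from proxy or DNS logs joined with endpoint process telemetry, and the ranked output would feed analyst review rather than automatic blocking.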
