Abstract

Despite the efforts of information security experts, cybercrimes are still emerging at an alarming rate. Among the tools used by cybercriminals, malicious domains are indispensable and harm from the Internet has become a global problem. Malicious domains play an important role from SPAM and Cross-Site Scripting (XSS) threats to Botnet and Advanced Persistent Threat (APT) attacks at large scales. To ensure there is not a single point of failure or to prevent their detection and blocking, malware authors have employed domain generation algorithms (DGAs) and domain-flux techniques to generate a large number of domain names for malicious servers. As a result, malicious servers are difficult to detect and remove. Furthermore, the clues of cybercrime are stored in network traffic logs, but analyzing long-term big network traffic data is a challenge. To adapt the technology of cybercrimes and automatically detect unknown malicious threats, we previously proposed a system called MD-Miner. To improve its efficiency and accuracy, we propose the MD-MinerP here, which generates more features with identification capabilities in the feature extraction stage. Moreover, MD-MinerP adapts interaction profiling bipartite graphs instead of annotated bipartite graphs. The experimental results show that MD-MinerP has better area under curve (AUC) results and found new malicious domains that could not be recognized by other threat intelligence systems. The MD-MinerP exhibits both scalability and applicability, which has been experimentally validated on actual enterprise network traffic.

Highlights

  • Cybercrimes are becoming increasingly serious with the proliferation of Internet devices and applications

  • Cybercriminals and malware authors leverage hidden and slow APT attacks and various techniques, such as DGAs and domain-flux, to make them successful. By adopting technologies such as DGAs, these servers change their domain names and corresponding Internet protocol (IP) addresses over time to prevent being blocked by antivirus software or intrusion prevention systems [2]. The detection of malicious domains is difficult because of the defense dilemma caused by the long-term attack and the volatility of their domain names

  • Therefore, we proposed the MD-Miner (MD stands for malicious domain) that adapts big data analysis with a scalability framework. The process utilizes network traffic to build a Process-domain annotated graph that discovers who is connecting with what. The MD-Miner uses user-agent plus client-IP as a feature to distinguish the distinct processes and incorporates this into the annotated bipartite graph to become the Process-domain annotated graph. The evaluation in [12] shows that the MD-Miner can determine a part of unknown domains that has a high probability of being malicious and demonstrates great identifiability, but there is still room for further improvement
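To make the Process-domain bipartite graph construction described in the highlight above concrete, here is an added Python example that is not part of the paper or of the MD-Miner system: it parses constructed proxy-log lines, identifies each process by client IP plus user agent as the highlight describes, and ranks unknown domains with a simple assumed guilt-by-association score (the share of a domain's processes that also contacted a seed-malicious domain). The log format, the seed list and that score are assumptions for illustration, not the paper's method.

```python
from collections import defaultdict

# Constructed proxy-log lines (not from the paper): client IP | user agent | destination domain.
LOG_LINES = [
    "10.0.0.5|Mozilla/5.0 Chrome|www.example-news.test",
    "10.0.0.5|Mozilla/5.0 Chrome|cdn.example-news.test",
    "10.0.0.5|UpdaterSvc/1.2|known-bad.test",
    "10.0.0.5|UpdaterSvc/1.2|xk3jd9f2.test",
    "10.0.0.7|UpdaterSvc/1.2|known-bad.test",
    "10.0.0.7|UpdaterSvc/1.2|qpo2m1zz.test",
    "10.0.0.9|Mozilla/5.0 Firefox|www.example-news.test",
]

# Assumed seed of already-known malicious domains (constructed placeholder).
SEED_MALICIOUS = {"known-bad.test"}


def parse_line(line):
    """Split one constructed log line into (client_ip, user_agent, domain)."""
    ip, ua, domain = line.strip().split("|")
    return ip, ua, domain


def build_bipartite_graph(lines, use_user_agent=True):
    """Build the process-domain bipartite graph as two weighted adjacency maps.
    A process is client IP plus user agent (as in MD-Miner); use_user_agent=False
    collapses identity to the client IP alone so the difference can be compared.
    Edge weight is the number of observed connections between process and domain."""
    proc_to_dom = defaultdict(lambda: defaultdict(int))
    dom_to_proc = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ip, ua, dom = parse_line(line)
        proc = (ip, ua) if use_user_agent else (ip,)
        proc_to_dom[proc][dom] += 1
        dom_to_proc[dom][proc] += 1
    return proc_to_dom, dom_to_proc


def score_domains(graph, seeds):
    """Assumed illustrative heuristic (not the paper's scoring): for each unknown
    domain, the fraction of its processes that also contacted a seed-malicious domain."""
    _, dom_to_proc = graph
    tainted = {p for s in seeds for p in dom_to_proc.get(s, {})}
    return {dom: sum(1 for p in procs if p in tainted) / len(procs)
            for dom, procs in dom_to_proc.items() if dom not in seeds}


if __name__ == "__main__":
    scores = score_domains(build_bipartite_graph(LOG_LINES), SEED_MALICIOUS)
    for dom, score in sorted(scores.items(), key=lambda kv: -kv[1]):
        print(f"{score:.2f}  {dom}")
```

Running it with `use_user_agent=False` shows why the paper keys processes on user agent as well as IP: the browser traffic from 10.0.0.5 would otherwise inherit the suspicion of the updater process on the same host.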


Summary

Research Article

MD-MinerP: Interaction Profiling Bipartite Graph Mining for Malware-Control Domain Detection. Malicious domains play an important role from SPAM and Cross-Site Scripting (XSS) threats to Botnet and Advanced Persistent Threat (APT) attacks at large scales. To ensure there is not a single point of failure or to prevent their detection and blocking, malware authors have employed domain generation algorithms (DGAs) and domain-flux techniques to generate a large number of domain names for malicious servers. To adapt the technology of cybercrimes and automatically detect unknown malicious threats, we previously proposed a system called MD-Miner. MD-MinerP adapts interaction profiling bipartite graphs instead of annotated bipartite graphs. The experimental results show that MD-MinerP has better area under curve (AUC) results and found new malicious domains that could not be recognized by other threat intelligence systems. The MD-MinerP exhibits both scalability and applicability, which has been experimentally validated on actual enterprise network traffic.

Introduction

[Figure residue: panels "Report new malicious domain", "Interaction profiling bipartite graph" and "Detection rate of VirusTotal"; axes "No of destination domains" and "False positive rate"]