EXPOSURE: A passive DNS analysis service to detect and report malicious domains

ACM Transactions on Information and System Security

Volumn 16, Issue 4, 2014, Pages

  Bilge, Leyla ^a   Sen, Sevil ^b   Balzarotti, Davide ^c   Kirda, Engin ^d   Kruegel, Christopher ^e  

^a Symantec Research   (France)

^b HACETTEPE UNIVERSITY   (Turkey)

^c EURECOM   (France)

^d NORTHEASTERN UNIVERSITY   (United States)

^e UNIVERSITY OF CALIFORNIA   (United States)

Author keywords

Domain name system; Machine learning; Malicious domains

Indexed keywords

COMPUTER SCIENCE; LEARNING SYSTEMS; SAFETY ENGINEERING;

COMMAND-AND-CONTROL; CONTROLLED EXPERIMENT; DISTRIBUTED NETWORKS; DOMAIN NAME SERVICE; DOMAIN NAME SYSTEM; MALICIOUS ACTIVITIES; MONITORING AND ANALYSIS; ON-LINE SERVICE;

INTERNET PROTOCOLS;

EID: 84900328882     PISSN: 10949224     EISSN: 15577406     Source Type: Journal    
DOI: 10.1145/2584679     Document Type: Article

References (47)

1. Alexa. 2009. Alexa web information company. http://www.alexa.com/ topsites/.
2. Amini, B. 2008. Kraken botnet infiltration. http://dvlabs.tippingpoint. com/blog/2008/04/28/kraken-botnetinfiltration.
3. Antonakakis, M., Perdisci, R., Dagon, D., Lee, W., and Feamster, N. 2010. Building a dynamic reputation system for DNS. In Proceedings of the 19th Usenix Security Symposium.
4. Antonakakis, M., Perdisci, R., Lee, W., Vasiloglou, N., and Dagon, D. 2011. Detecting malware domains at the upper DNS hierarchy. In Proceedings of the 20th Usenix Security Symposium.
5. Antonakakis, M., Perdisci, R., Nadji, Y., Vasiloglou, N., Abu-Nimeh, S., Lee, W., and Dagon, D. 2012. From throw-away traffic to bots: Detecting the rise of dga-based malware. In Proceedings of the 21st Usenix Security Symposium.
6. Basseville, M. and Nikiforov, I. V. 1993. Detection of Abrupt Changes - Theory and Application. Prentice-Hall.
7. Bayer, U., Kruegel, C., and Kirda, E. 2006. TTAnalyze: A tool for analyzing malware. In Proceedings of the 15th EICAR Conference.
8. Berkhin, P. 2002. Survey of clustering data mining techniques. Tech. rep. http://www.cc.gatech.edu/∼isbell/classes/reading/papers/berkhin02survey. pdf.
9. Bilge, L., Kirda, E., Kruegel, C., and Balduzzi, M. 2011. Exposure: Finding malicious domains using passive DNS analysis. In Proceedings of the Annual Network and Distributed System Security Symposium (NDSS'11).
10. Bradley, A. P. 1997. The use of the area under the roc curve in the evaluation of machine learning algorithms. Pattern Recogn. 30, 1145-1159.
11. Choi, H., Lee, H., and Kim, H. 2007. Botnet detection by monitoring group activities in DNS traffic. In Proceedings of the 7th IEEE International Conference on Computer and Information Technologies.
12. Chu, S., Keogh, E., Hart, D., Pazzani, M., and Michael. 2002. Iterative deepening dynamic time warping for time series. In Proceedings of the 2nd SIAM International Conference on Data Mining.
13. Cova, M. 2013. Wepawet. http://wepawet.iseclab.org/.
14. DNS. 2010. DNSBL - Spam database lookup. http://www.dnsbl.info/.
15. Domains, M. 2009. Malware domain block list. http://www.malwaredomains. com/.
16. ECJ. 2012. ecj20: A java-based evolutionary computation research system. http://cs.gmu.edu/eclab/projects/ecj/.
17. Felegyhazi, M., Kreibich, C., and Paxson, V. 2010. On the potential of proactive domain blacklisting. In Proceedings of the 3rd USENIX Workshop on Large-scale Exploits and Emergent Threats (LEET'10).
18. Google. 2010. Google safe browsing. http://www.google.com/tools/firefox/ safebrowsing/.
19. Holz, T., Gorecki, C., Rieck, K., and Freiling, F. 2008. Measuring and detecting fast-flux service networks. In Proceedings of the Annual Network and Distributed System Security Symposium (NDSS'08).
20. ISC. 2010. Internet systems consortium. https://sie.isc.org/.
21. Keogh, E., Chakrabarti, K., Pazzani, M., and Mehrotra, S. 2001. Locally adaptive dimensionality reduction for indexing large time series databases. In Proceedings of the ACM SIGMOD Conference on Management of Data (SIGMOD'01). 151-162.
22. Konte, M., Feamster, N., and Jung, J. 2009. Dynamics of online scam hosting infrastructure. In Proceedings of the Passive and Active Measurement Conference.
23. List, M. D. 2009a. Malware domains list. http://www.malwaredomainlist. com/mdl.php.
24. List, Z. B. 2009b. Zeus domain blocklist. https://zeustracker.abuse.ch/ blocklist.php?download=Domainblocklist.
25. Ma, J., Saul, L. K., Savage, S., and Voelker, G. M. 2009. Beyond blacklists: Learning to detect malicious web sites from suspicious urls. In Proceedings of the 15th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining (KDD'09). 1245-1254.
26. McAfee. 2010. McAfee siteadvisor. http://www.siteadvisor.com/.
27. Nazario, J. and Holz, T. 2008. As the net churns: Fast-flux botnet observations. In Proceedings of the International Conference on Malicious and Unwanted Software.
28. Norton. 2010. Norton safe web. http://safeweb.norton.com/.
29. Open Graph. 2013. The open graph viz platform. https://gephi.org.
30. Passerini, E., Paleari, R., Martignoni, L., and Bruschi, D. 2008. Fluxor: Detecting and monitoring fast-flux service networks. In Proceedings of the 5th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA'08).
31. Perdisci, R., Corona, I., Dagon, D., and Lee, W. 2009. Detecting malicious flux service networks through passive analysis of recursive dns traces. In Proceedings of the 25th Annual Computer Security Applications Conference (ACSAC'09).
32. Phishtank. 2009. Phishtank. http://www.phishtank.com/.
33. Porras, P., Saidi, H., and Yegneswaran, V. 2009. A foray into conficker's logic and rendezvous points. In Proceedings of the USENIX Workshop on Large-Scale Exploits and Emergent Threats.
34. Quinlan, J. 1995. Learning with continuous classes. In Proceedings of the 5th Australian Joint Conference on Artificial Intelligence. World Scientific. 343-348.
35. RFC. 1995. RFC 1794 - DNS support for load balancing. http://tools.ietf.org/html/rfc1794.
36. RFC. 1996. RFC 1912 - Common dns operational and configuration errors. http://www.faqs.org/rfcs/rfc1912.html.
37. Stone-Gross, B., Cova, M., Cavallaro, L., Gilbert, B., Szydlowski, M., Kemmerer, R., Kruegel, C., and Vigna, G. 2009. Your botnet is my botnet: Analysis of a botnet takeover. In Proceedings of the ACM Conference on Computer and Communication Security (CCS'09).
38. Symantec. 2011. Symantec threat report. http://www.symantec.com/business/ theme.jsp?themeid=threatreport.
39. Theodoridis, S. and Koutroumbas, K. 2009. Pattern Recognition. Academic Press.
40. Turaga, D., Vlachos, M., and Verscheure, O. 2009. On k-means cluster preservation using quantization schemes. In Proceedings of the IEEE International Conference on Data Mining (ICDM'09).
41. Villamarn-Salomn, R. and Brustoloni, J. C. 2009. Bayesian bot detection based on dns traffic similarity. In Proceedings of the ACM Symposium on Applied Computing (SAC'09).
42. Weimer, F. 2005. Passive DNS replication. In Proceedings of the 1st Conference on Computer Security Incident.
43. WHOIS. 1995. RFC1834 - Whois and network information lookup service, whois++. http://www.faqs.org/rfcs/rfc1834.html.
44. Witten, I. and Frank, E. 2005. Data Mining: Practical Machine Learning Tools and Techniques. Morgan Kaufmann, San Fransisco, CA.
45. Wolf, J. 2008. Technical details of srizbis domain generation algorithm. http://tinyurl.com/6mdasc.
46. Zdrnja, B., Brownlee, N., and Wessels, D. 2007. Passive monitoring of dns anomalies. In Proceedings of the 4th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA'07). 129-139.
47. Zitouni, H., Sevil, S., Ozkan, D., and Duygulu, P. 2008. Re-ranking of image search results using a graph algorithm. In Proceedings of the 9th International Conference on Pattern Recognition.