GMAD: Graph-based malware activity detection by DNS traffic analysis

Computer Communications

Volumn 49, Issue , 2014, Pages 33-47

  Lee, Jehyun ^a   Lee, Heejo ^a  

^a Korea University   (South Korea)

Author keywords

Botnet; DNS; Graph clustering; Malware domain name; Sequential correlation

Indexed keywords

COMMAND AND CONTROL SYSTEMS; COMPLEX NETWORKS; COMPUTER CRIME; GRAPHIC METHODS; INTERNET PROTOCOLS; INTERNET SERVICE PROVIDERS;

BOTNET; DNS; DOMAIN NAMES; GRAPH CLUSTERING; SEQUENTIAL CORRELATIONS;

MALWARE;

EID: 84903303776     PISSN: 01403664     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.comcom.2014.04.013     Document Type: Article

References (40)

1. D. Maslennikov, Y. amestnikov, Kaspersky Security Bulletin 2012, The overall statistics for 2012, Tech. rep., Kaspersky Lab, December 2012.
2. Symantec MessageLabs, Intelligence report, Tech. rep., Symantec Corporation, January 2013.
3. Symantec MessageLabs, Intelligence report, Tech. rep., Symantec Corporation, March 2011.
4. Symantec MessageLabs, Intelligence report, Tech. rep., Symantec Corporation, June 2011.
5. R. Perdisci, I. Corona, D. Dagon, and W. Lee Detecting malicious flux service networks through passive analysis of recursive DNS traces Proc. of the Annual Computer Security Applications Conf. (ACSAC) 2009 IEEE Computer Society 311 320
6. A. Ramachandran, N. Feamster, D. Dagon, Revealing botnet membership using dnsbl counter-intelligence, in: Proc. of the 2nd Conf. on Steps to Reducing Unwanted Traffic on the Internet (SRUTI), USENIX Association, 2006, pp. 49-54.
7. J.A. Morales, A. Al-Bataineh, S. Xu, and R. Sandhu Analyzing DNS activities of bot processes Proc. of the 4th IEEE Intl. Conf. on Malicious and Unwanted Software (MALWARE) 2009 IEEE 98 103
8. H. Choi, H. Lee, and H. Kim BotGAD: detecting botnets by capturing group activities in network traffic Proc. of the 4th Intl. ICST Conf. on COMmunication System softWAre and middlewaRE (COMSWARE) 2009 ACM 1 8
9. H. Choi, and H. Lee Identifying botnets by capturing group activities in DNS traffic Comput. Netw. 56 1 2012 20 33
10. K. Ishibashi, T. Toyono, H. Hasegawa, and H. Yoshino Extending black domain name list by using co-occurrence relation between DNS queries IEICE Trans. Commun. 95 3 2012 794 802
11. M. Antonakakis, R. Perdisci, Y. Nadji, N. Vasiloglou, S. Abu-Nimeh, W. Lee, D. Dagon, From throw-away traffic to bots: detecting the rise of DGA-based malware, in: Proc. of the 21st USENIX Security Symposium, USENIX Association, 2012.
12. S. Yadav, A.K.K. Reddy, A.L.N. Reddy, and S. Ranjan Detecting algorithmically generated domain-flux attacks with DNS traffic analysis IEEE/ACM Trans. Netw. 20 5 2012 1663 1677
13. J. Wolf, Technical Details of Srizbi's Domain Generation Algorithm, Tech. rep., FireEye Malware Intelligence Lab, 2008.
14. P. Porras, H. Saidi, V. Yegneswaran, Conficker C Analysis, Tech. rep., SRI International, 2009.
15. B. Stone-Gross, M. Cova, L. Cavallaro, B. Gilbert, M. Szydlowski, R. Kemmerer, C. Kruegel, and G. Vigna Your botnet is my botnet: analysis of a botnet takeover Proc. of the 16th ACM Conf. on Computer and Communications Security (CCS) 2009 ACM 635 647
16. P. Lin Anatomy of the mega-D takedown Network Secur. 2009 12 2009 4 7
17. J. Lee, J. Kwon, H.-J. Shin, and H. Lee Tracking multiple C&C botnets by analyzing DNS traffic Proc. of the 6th IEEE Workshop on Secure Network Protocols (NPSec) 2010 IEEE 67 72
18. R. Villamarín-Salomón, J.C. Brustoloni, Bayesian bot detection based on DNS traffic similarity, in: Proc. of the 2009 ACM Symposium on Applied Computing (SAC, ACM, 2009, pp. 2035-2041.
19. G. Guofei, Z. Junjie, W. Lee, BotSniffer: detecting botnet command and control channels in network traffic, in: Proc. of the 15th Annual Network and Distributed System Security Symposium (NDSS), ISOC, 2008.
20. N. Shishir, M. Prateek, H. Chi-Yao, C. Matthew, B. Nikita, BotGrep: finding p2p bots with structured graph analysis, in: Proc. of the 19th USENIX Security Symposium, USENIX Association, 2010, pp. 95-110.
21. A. Yamada, H. Masanori, and Y. Miyake Web tracking site detection based on temporal link analysis Proc. of Intl. Conf. on Advanced Information Networking and Applications Workshops 2010 IEEE Computer Society 626 631
22. N. Jiang, J. Cao, Y. Jin, L.E. Li, and Z.-L. Zhang Identifying suspicious activities through DNS failure graph analysis Proc. of the 18th IEEE Intl. Conf. on Network Protocols (ICNP) 2010 IEEE 144 153
23. J.P. John, A. Moshchuk, S.D. Gribble, A. Krishnamurthy, Studying spamming botnets using botlab, in: Proc. of the 6th USENIX Symposium on Networked Systems Design and Implementation (NSDI), USENIX Association, 2009, pp. 291-306.
24. G. Gu, P. Porras, V. Yegneswaran, M. Fong, W. Lee, Bothunter: detecting malware infection through ids-driven dialog correlation, in: Proc. of 16th USENIX Security Symposium, USENIX Association, 2007, pp. 1-16.
25. Alexa Internet Inc, Alexa top sites. http://www.alexa.com.
26. J. Zhang, Y. Xie, F. Yu, D. Soukal, W. Lee, Intention and origination: an inside look at large-scale bot queries, in: Proc. of the 20th Annual Network and Distributed System Security Symposium (NDSS), ISOC, 2013.
27. V. Batagelj, A. Mrvar, M. Zaversnik, Pajek. http://pajek.imfm.si.
28. T. Kamada, and S. Kawai An algorithm for drawing general undirected graphs Inf. Process. Lett. 31 1989 7 15
29. DNS-BH project team, DNS-BH. http://www.malwaredomains.com.
30. MalwareDomainList, Malwaredomainlist.com. http://www.malwaredomainlist. com.
31. Malc0de, malc0de.com. http://malc0de.com/database.
32. Threat Expert Ltd., Threat expert. http://www.threatexpert.com.
33. Microsoft Corporation, Microsoft malware protection center. http://www.microsoft.com/security/portal.
34. Symantec Corporation, Symantec threat explorer. http://us.norton.com/ securityresponse/threatexplorer/index.jsp.
35. McAfee Inc, Site advisor. http://www.siteadvisor.com.
36. The MalwareURL Team, MalwareURL. http://www.malwareurl.com.
37. SURBL, SURBL: URI Reputation Data. http://www.surbl.org.
38. Microsoft Corporation, ATL collection classes. http://msdn.microsoft.com/ en-us/library/vstudio/15e672bd(v=vs.100).aspx.
39. R.E. Tarjan Depth-first search and linear graph algorithms SIAM J. Comput. 1 2 1972 146 160
40. H. Heaps Information Retrieval, Computational and Theoretical Aspects, Library and Information Science 1978 Academic Press