Detection of stealthy malware activities with traffic causality and scalable triggering relation discovery

ASIA CCS 2014 - Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security

Volumn , Issue , 2014, Pages 39-50

  Zhang, Hao ^a   Yao, Danfeng ^a   Ramakrishnan, Naren ^a  

^a Virginia Polytechnic Institute and State University   (United States)

Author keywords

Anomaly detection; Network security; Stealthy malware

Indexed keywords

COMPUTER CRIME; MALWARE;

ANOMALY DETECTION; DOMAIN KNOWLEDGE; EXPERIMENTAL EVALUATION; NETWORKED COMPUTERS; NEW APPROACHES; STEALTHY MALWARE; TRAFFIC ANALYSIS;

NETWORK SECURITY;

EID: 84984908573     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2590296.2590309     Document Type: Conference Paper

References (44)

1. DNScat. A tool to tunnel traffic through DNS servers. http://tadek.pietraszek.org/projects/DNScat/.
2. Tlogger. An Firefox extension. http://dubroy.com/tlogger/.
3. H. Almohri, D. Yao, and D. Kafura. Process authentication for high system assurance. IEEE Transaction on Dependable and Secure Computing (TDSC), 2014.
4. D. Babić, D. Reynaud, and D. Song. Malware analysis with tree automata inference. In Computer Aided Verification, pages 116-131. Springer, 2011.
5. L. Backstrom and J. Leskovec. Supervised random walks: predicting and recommending links in social networks. In Proceedings of the fourth ACM international conference on Web search and data mining, pages 635-644. ACM, 2011.
6. R. Baeza-Yates, B. Ribeiro-Neto, et al. Modern information retrieval, volume 463. ACM press New York, 1999.
7. P. V. Bahl, R. Chandra, A. Greenberg, S. Kandula, D. Maltz, and M. Zhang. Towards highly reliable enterprise network services via inference of multi-level dependencies. In Proceedings of ACM SIGCOMM, August 2007.
8. L. Bilge, E. Kirda, C. Kruegel, and M. Balduzzi. EXPOSURE: Finding malicious domains using passive DNS analysis. In Proceedings of the 18th Annual Network and Distributed System Security Symposium (NDSS), February 2011.
9. X. Chen, M. Zhang, Z. M. Mao, and P. Bahl. Automating network application dependency discovery: Experiences, limitations, and new solutions. In Proceedings of OSDI, pages 117-130, 2008. USENIX Association.
10. H.-K. Choi and J. O. Limb. A behavioral model of web traffic. In Network Protocols, 1999.(ICNP'99) Proceedings. Seventh International Conference on, pages 327-334.
11. M. Christodorescu, S. Jha, and C. Kruegel. Mining specifications of malicious behavior. In ISEC, pages 5-14, 2008.
12. C. Cortes and V. Vapnik. Support-vector networks. Machine learning, 20(3):273-297, 1995.
13. M. Cova, C. Kruegel, and G. Vigna. Detection and analysis of drive-by-download attacks and malicious JavaScript code. In Proceedings of 19th International World Wide Web Conference, 2010.
14. W. Cui, Y. H. Katz, and W. tian Tan. BINDER: An Extrusion-based Break-In Detector for Personal Computers. In Proceedings: USENIX Annual Technical Conference, page 4, 2005.
15. C. Elkan. The foundations of cost-sensitive learning. In International joint conference on artificial intelligence, volume 17, pages 973-978, 2001.
16. L. Getoor and C. P. Diehl. Link mining: a survey. SIGKDD Explor. Newsl., 7(2):3-12, Dec. 2005.
17. T. M. Green, W. Ribarsky, and B. Fisher. Visual analytics for complex concepts using a human cognition model. In Visual Analytics Science and Technology, 2008. VAST'08. IEEE Symposium on, pages 91-98. IEEE, 2008.
18. G. Gu, R. Perdisci, J. Zhang, and W. Lee. BotMiner: Clustering analysis of network traffic for protocol-and structure-independent botnet detection. In Proceedings of the 17th USENIX Security Symposium, 2008.
19. R. Gummadi, H. Balakrishnan, P. Maniatis, and S. Ratnasamy. Not-a-Bot: Improving service availability in the face of botnet attacks. In Proceedings of the 6th USENIX Symposium on Networked Systems Design and Implementation (NDSI), 2009.
20. G. John and P. Langley. Estimating continuous distributions in Bayesian classifiers. In Proceedings of the Eleventh Conference on Uncertainty in Artificial Intelligence, pages 338-345. Morgan Kaufmann, 1995.
21. I. Kahanda and J. Neville. Using transactional information to predict link strength in online social networks. In Proceedings of the Third International Conference on Weblogs and Social Media (ICWSM), 2009.
22. S. Kandula, R. Chandra, and D. Katabi. What's going on? Learning communication rules in edge networks. In Proceedings of ACM SIGCOMM, August 2008.
23. A. Keller, U. Blumenthal, and G. Kar. Classification and computation of dependencies for distributed management. In Proceedings of International Symposium on Computers and Communications, pages 78-83, 2000.
24. S. T. King, Z. M. Mao, D. G. Lucchetti, and P. M. Chen. Enriching intrusion alerts through multi-host causality. In Proceedings of Network and Distributed System Security (NDSS), 2005.
25. C. Kolbitsch, P. M. Comparetti, C. Kruegel, E. Kirda, X.-y. Zhou, and X. Wang. Effective and efficient malware detection at the end host. In USENIX Security Symposium, pages 351-366, 2009.
26. W. Lee, S. J. Stolfo, and K. W. Mok. A data mining framework for building intrusion detection models. In Security and Privacy, 1999. Proceedings of the 1999 IEEE Symposium on, pages 120-132. IEEE, 1999.
27. Z. Li, M. Zhang, Z. Zhu, Y. Chen, A. G. Greenberg, and Y.-M. Wang. WebProphet: Automating performance prediction for web services. In NSDI, volume 10, 2010.
28. D. Liben-Nowell and J. Kleinberg. The link-prediction problem for social networks. Journal of the American society for information science and technology, 58(7):1019-1031, 2007.
29. P. Likarish, E. E. Jung, and I. Jo. Obfuscated malicious JavaScript detection using classification techniques. In Proceedings of 4th International Conference on Malicious and Unwanted Software, 2009.
30. C. Livadas, R. Walsh, D. Lapsley, and W. T. Strayer. Using machine learning techniques to identify botnet traffic. In 2nd IEEE LCN Workshop on Network Security (WoNS) 2006, pages 967-974, 2006.
31. A. Natarajan, P. Ning, Y. Liu, S. Jajodia, and S. E. Hutchinson. NSDMiner: Automated discovery of network service dependencies. In INFOCOM, pages 2507-2515, 2012.
32. T. T. T. Nguyen and G. J. Armitage. A survey of techniques for internet traffic classification using machine learning. IEEE Communications Surveys and Tutorials, 10(1-4):56-76, 2008.
33. Panda Security Report. 2013. http://press.pandasecurity.com/press-room/reports/.
34. Botnet Pony 1.9 Malware. http://laboratoriomalware. blogspot.com/2013/01/botnet-pony-19-malware.html.
35. A. Srivastava, S. Sural, and A. Majumdar. Database intrusion detection using weighted sequence mining. Journal of Computers, 1(4):8-17, 2006.
36. D. Stefan, C. Wu, D. Yao, and G. Xu. Cryptographic provenance verification for the integrity of keystrokes and outbound network traffic. In Proceedings of the 8th International Conference on Applied Cryptography and Network Security (ACNS), June 2010.
37. H. Tan, N. Goharian, and M. Sherr. $100, 000 prize jackpot. Call now!: Identifying the pertinent features of SMS spam. In Proceedings of the 35th international ACM SIGIR conference on Research and development in information retrieval, pages 1175-1176. ACM, 2012.
38. N. Williams, S. Zander, and G. Armitage. A preliminary performance comparison of five machine learning algorithms for practical IP traffic flow classification. SIGCOMM Comput. Commun. Rev., 36(5):5-16, Oct. 2006.
39. P. Xie, J. H. Li, X. Ou, P. Liu, and R. Levy. Using Bayesian networks for cyber security analysis. In Dependable Systems and Networks (DSN), 2010 IEEE/IFIP International Conference on, pages 211-220. IEEE, 2010.
40. K. Xu, P. Butler, S. Saha, and D. Yao. DNS for massive-scale command and control. IEEE Trans. Dependable Sec. Comput., 10(3):143-153, 2013.
41. K. Xu, H. Xiong, C. Wu, D. Stefan, and D. Yao. Data-provenance verification for secure hosts. IEEE Trans. Dependable Sec. Comput., 9(2):173-183, 2012.
42. C. Yang, R. C. Harkreader, and G. Gu. Die free or live hard? Empirical evaluation and new design for fighting evolving twitter spammers. In Recent Advances in Intrusion Detection, pages 318-337. Springer, 2011.
43. A. Zand, G. Vigna, R. Kemmerer, and C. Kruegel. Rippler: Delay injection for service dependency detection. Technical report, UCSB, 2013.
44. H. Zhang, W. Banick, D. Yao, and N. Ramakrishnan. User intention-based traffic dependence analysis for anomaly detection. In Security and Privacy Workshops (SPW), 2012 IEEE Symposium on, pages 104-112. IEEE, 2012.