Abstract
We present WebVisor, an automated tool to derive patterns from malware Command and Control (C&C) server connections. From collective network communications stored on a large-scale malware dataset, WebVisor establishes the underlying patterns among samples of the same malware families (e.g., families in terms of development tools). WebVisor focuses on C&C channels based on the Hypertext Transfer Protocol (HTTP). First, it builds clusters based on the statistical features of the HTTP-based Uniform Resource Locators (URLs) stored in the malware dataset. Then, it conducts a fine-grained, noise-agnostic clustering process, based on the structure and semantic features of the URLs. We present experimental results using a software prototype of WebVisor and real-world malware datasets.
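The two-pass scheme the abstract describes (coarse grouping on statistical URL features, then finer grouping on URL structure, with singletons discarded as noise), shown as an added Python illustration that is not WebVisor's own code; the feature set, token classes and sample URLs are assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Token classes used to abstract variable URL parts (assumed; not WebVisor's own).
NUM = re.compile(r'^\d+$')
HEX = re.compile(r'^[0-9a-f]{8,}$', re.I)
MIXED = re.compile(r'^(?=.*\d)(?=.*[a-z])[a-z0-9]{6,}$', re.I)

def stat_features(url):
    """Coarse pass: path depth, query parameter count, file extension present."""
    u = urlsplit(url)
    segs = [s for s in u.path.split('/') if s]
    has_ext = bool(segs) and '.' in segs[-1]
    return (len(segs), len(parse_qsl(u.query, keep_blank_values=True)), has_ext)

def classify(token):
    """Replace variable-looking tokens by a class label; keep fixed words as-is."""
    for pat, label in ((NUM, '<num>'), (HEX, '<hex>'), (MIXED, '<alnum>')):
        if pat.match(token):
            return label
    return token

def structure(url):
    """Fine pass: abstracted path plus sorted query keys with value classes."""
    u = urlsplit(url)
    path = '/'.join(classify(s) for s in u.path.split('/'))
    query = ','.join(f'{k}={classify(v)}'
                     for k, v in sorted(parse_qsl(u.query, keep_blank_values=True)))
    return f'{path}?{query}'

def cluster(urls, min_size=2):
    """Bucket by stat_features, split each bucket by structure; drop small groups as noise."""
    coarse = defaultdict(list)
    for u in urls:
        coarse[stat_features(u)].append(u)
    fine = defaultdict(list)
    for key, group in coarse.items():
        for u in group:
            fine[(key, structure(u))].append(u)
    return {k: v for k, v in fine.items() if len(v) >= min_size}
# Constructed sample URLs (not from any real dataset); the last one is a singleton.
SAMPLE_URLS = [
    'http://198.51.100.7/gate.php?id=1234&v=2',
    'http://203.0.113.9/gate.php?id=98765&v=3',
    'http://c.example/upd?f=a1b2c3d4e5f6',
    'http://d.example/upd?f=0badf00d1234',
    'http://e.example/index.html',
]
```

`cluster(SAMPLE_URLS)` yields two groups (the `gate.php` pair and the `upd` pair) and drops the lone `index.html` request as noise.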
© 2015 IFIP International Federation for Information Processing
About this paper
Cite this paper
Kheir, N., Blanc, G., Debar, H., Garcia-Alfaro, J., Yang, D. (2015). Automated Classification of C&C Connections Through Malware URL Clustering. In: Federrath, H., Gollmann, D. (eds) ICT Systems Security and Privacy Protection. SEC 2015. IFIP Advances in Information and Communication Technology, vol 455. Springer, Cham. https://doi.org/10.1007/978-3-319-18467-8_17
DOI: https://doi.org/10.1007/978-3-319-18467-8_17
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-18466-1
Online ISBN: 978-3-319-18467-8
eBook Packages: Computer Science (R0)