Commenced in January 2007
Frequency: Monthly
Edition: International
Paper Count: 32759
Malware Beaconing Detection by Mining Large-scale DNS Logs for Targeted Attack Identification

Authors: Andrii Shalaginov, Katrin Franke, Xiongwei Huang

Abstract:

One of the leading problems in Cyber Security today is the emergence of targeted attacks conducted by adversaries with access to sophisticated tools. These attacks usually steal senior level employee system privileges, in order to gain unauthorized access to confidential knowledge and valuable intellectual property. Malware used for initial compromise of the systems are sophisticated and may target zero-day vulnerabilities. In this work we utilize common behaviour of malware called ”beacon”, which implies that infected hosts communicate to Command and Control servers at regular intervals that have relatively small time variations. By analysing such beacon activity through passive network monitoring, it is possible to detect potential malware infections. So, we focus on time gaps as indicators of possible C2 activity in targeted enterprise networks. We represent DNS log files as a graph, whose vertices are destination domains and edges are timestamps. Then by using four periodicity detection algorithms for each pair of internal-external communications, we check timestamp sequences to identify the beacon activities. Finally, based on the graph structure, we infer the existence of other infected hosts and malicious domains enrolled in the attack activities.

Keywords: Malware detection, network security, targeted attack.

Digital Object Identifier (DOI): doi.org/10.5281/zenodo.1123927

Procedia APA BibTeX Chicago EndNote Harvard JSON MLA RIS XML ISO 690 PDF Downloads 5945

References:


[1] “Targeted Attacks - Definition - Trend Micro USA.” http://www. trendmicro.com/vinfo/us/security/definition/targeted-attacks. Access date: 2015-02-27.
[2] “New anti-APT tools are no silver bullets: An independent test of APT attack detection appliances | MRG Effitas Blog.” https://blog.mrg-effitas. com/. Access date: 2015-05-24.
[3] “Compromise assessment,” tech. rep., Mandiant, https://dl.mandiant. com/EE/assets/DS CompromiseAssessments 140207.pdf. accessed: 08.12.2015.
[4] “APT INFECTION DISCOVERY USING DNS DATA (info:lanl-repo/lareport/LA-UR-13-23109).” http://permalink. lanl.gov/object/tr?what=info:lanl-repo/lareport/LA-UR-13-23109, 2013. Access date: 2015-05-24.
[5] N. Villeneuve and J. Bennett, “Detecting apt activity with network traffic analysis,” Trend Micro Incorporated, 2012.
[6] “contagio: Mandiant APT1 samples categorized by malware families.” http://contagiodump.blogspot.no/2013/03/ mandiant-apt1-samples-categorized-by.html. Access date: 2015-05-24.
[7] “Command and Control in Fifth DomianCOMMAND FIVE PTY LTD - Engineering Innovation | Research.” https://www.commandfive.com/ research.html, 2011. Access date: 2015-05-19.
[8] Y. Low, J. Gonzalez, A. Kyrola, D. Bickson, C. Guestrin, and J. M. Hellerstein, “Graphlab: A new framework for parallel machine learning,” CoRR, vol. abs/1006.4990, 2010.
[9] X. Huang, “Understanding beacon for identifying targeted attack by mining large-scale log data,” Master’s thesis, Gjøvik University College, 2015.
[10] A. Oprea, Z. Li, T.-F. Yen, S. Chin, and S. Alrwais, “Detection of early-stage enterprise infection by mining large-scale log data,” arXiv preprint arXiv:1411.5005, 2014.
[11] “NTP, Network Time Protocol.” http://support.ntp.org/bin/view/Main/ WebHome. Access date: 2015-05-19.
[12] “How to use RSS feeds | Digital Trends.” http://www.digitaltrends.com/ computing/how-to-use-rss/. Access date: 2015-05-19.
[13] L. van Duijn, “Research project-report beacon detection in pcap files,” 2014.
[14] G. Gu, J. Zhang, and W. Lee, “Botsniffer: Detecting botnet command and control channels in network traffic,” 2008.
[15] “The role of dns in botnet command & control,” tech. rep., OpenDNS, http://info.opendns.com/rs/opendns/images/OpenDNS SecurityWhitepaper-DNSRoleInBotnets.pdf, 2012.
[16] A. P. T. S. C. Strike. http://www.advancedpentest.com/. accessed: 10.12.2015.
[17] “Stealthy peer-to-peer c&c over smb pipes.” http://blog.cobaltstrike.com/ 2013/12/06/stealthy-peer-to-peer-cc-over-smb-pipes/, December 2013. accessed: 10.12.2015.
[18] Google, “Dns basics.” https://support.google.com/a/answer/48090?hl= en. accessed: 12.12.2015.
[19] G. Farnham and A. Atlasis, “Sans: Detecting dns tunneling.” https://www.sans.org/reading-room/whitepapers/dns/ detecting-dns-tunneling-34152, February 2013. accessed: 08.12.2015.
[20] C. F. P. Ltd, “Command and control in the fifth domain.” https: //www.commandfive.com/papers/C5 APT C2InTheFifthDomain.pdf, February 2012. accesed: 11.09.2015.
[21] K. Chitharanjan, “Periodicity detection algorithms in time series databases-a survey,” International Journal of Computer Science & Engineering Technology, 2013.
[22] B. Wang, Z. Li, D. Li, F. Liu, and H. Chen, “Modeling connections behavior for web-based bots detection,” in e-Business and Information System Security (EBISS), 2010 2nd International Conference on, pp. 1–4, IEEE, 2010.
[23] Y. Qiao, Y.-x. Yang, J. He, C. Tang, and Y.-z. Zeng, “Detecting p2p bots by mining the regional periodicity,” Journal of Zhejiang University SCIENCE C, vol. 14, no. 9, pp. 682–700, 2013.
[24] H. V. D. Parunak, A. Nickels, and R. Frederiksen, “An agent-based framework for dynamical understanding of dns events,” 2014.
[25] F. Rasheed and R. Alhajj, “Stnr: A suffix tree based noise resilient algorithm for periodicity detection in time series databases,” Applied Intelligence, vol. 32, no. 3, pp. 267–278, 2010.
[26] M. G. Elfeky, W. G. Aref, and A. K. Elmagarmid, “Warp: time warping for periodicity detection,” in Data Mining, Fifth IEEE International Conference on, pp. 8–pp, IEEE, 2005.
[27] M. G. Elfeky, W. G. Aref, and A. K. Elmagarmid, “Periodicity detection in time series databases,” Knowledge and Data Engineering, IEEE Transactions on, vol. 17, no. 7, pp. 875–887, 2005.
[28] C. Berberidis, W. G. Aref, M. Atallah, I. Vlahavas, A. K. Elmagarmid, et al., “Multiple and partial periodicity mining in time series databases,” in ECAI, vol. 2, pp. 370–374, 2002.
[29] Y. Low, J. E. Gonzalez, A. Kyrola, D. Bickson, C. E. Guestrin, and J. Hellerstein, “Graphlab: A new framework for parallel machine learning,” arXiv preprint arXiv:1408.2041, 2014.