GMAD: Graph-based Malware Activity Detection by DNS traffic analysis

Authors
Lee, Jehyun; Lee, Heejo
Issue Date
1-Aug-2014
Publisher
ELSEVIER SCIENCE BV
Keywords
Malware domain name; DNS; Botnet; Sequential correlation; Graph clustering
Citation
COMPUTER COMMUNICATIONS, v.49, pp.33 - 47
Indexed
SCIE
SCOPUS
Journal Title
COMPUTER COMMUNICATIONS
Volume
49
Start Page
33
End Page
47
URI
https://scholar.korea.ac.kr/handle/2021.sw.korea/97732
DOI
10.1016/j.comcom.2014.04.013
ISSN
0140-3664
Abstract
Malicious activities on the Internet are one of the most dangerous threats to Internet users and organizations. Remotely controlled malicious software is regarded as one of the most critical means of carrying out these activities. Since blocking the command and control (C&C) domain names of malware by analyzing their Domain Name System (DNS) activities has been the most effective and practical countermeasure, attackers attempt to hide their malware by adopting several evasion techniques, such as client sub-grouping and domain flux on DNS activities. A common feature of the recently developed evasion techniques is the use of multiple domain names to render malware DNS activities temporally and spatially more complex. In contrast to analyzing the DNS activities for a single domain name, detecting the malicious DNS activities for multiple domain names is not a simple task. The DNS activities of malware that uses multiple domain names, termed multi-domain malware, are sparser and less synchronized with respect to space and time. In this paper, we introduce a malware activity detection mechanism, GMAD: Graph-based Malware Activity Detection, that utilizes a sequence of DNS queries in order to achieve robustness against evasion techniques. GMAD uses a graph termed the Domain Name Travel Graph, which expresses DNS query sequences, to detect infected clients and malicious domain names. In addition to detecting malware C&C domain names, GMAD detects malicious DNS activities such as blacklist checking and fake DNS querying. To detect malicious domain names used for malware activities, GMAD applies domain name clustering using the graph structure and determines malicious clusters by referring to public blacklists. Through experiments with four sets of DNS traffic captured in two ISP networks in the U.S. and South Korea, we show that GMAD detected thousands of malicious domain names that had neither been blacklisted nor detected through group activity of DNS clients. In a detection accuracy evaluation, GMAD showed an accuracy rate higher than 99% on average, with a higher than 90% precision and lower than 0.5% false positive rate. It is shown that the proposed method is effective for detecting multi-domain malware activities irrespective of evasion techniques. (C) 2014 Elsevier B.V. All rights reserved.
Appears in Collections
Graduate School > Department of Computer Science and Engineering > 1. Journal Articles
