Detecting APT Malware Infections Based on Malicious DNS and Traffic Analysis

Zhao, Gang; Xu, Ke; Xu, Lei; Wu, Bangyu

doi:10.1109/access.2015.2458581

Cited by 146 publications

(75 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…We know that botmasters use various Internet protocols to conceal their malicious activities and avoid detection. In the past few years, some protocols have been heavily abused, and in recent years, DNS has become the main target of such malicious cyberattacks [7], such as Advanced Persistent Threat (APT) [8]. Malicious domains are basic tools in the hands of cybercriminals.…”

Section: Introductionmentioning

confidence: 99%

Botnet Detection Technology Based on DNS

Wang

Zhang

2017

Future Internet

View full text Add to dashboard Cite

With the help of botnets, intruders can implement a remote control on infected machines and perform various malicious actions. Domain Name System (DNS) is very famous for botnets to locate command and control (C and C) servers, which enormously strengthens a botnet's survivability to evade detection. This paper focuses on evasion and detection techniques of DNS-based botnets and gives a review of this field for a general summary of all these contributions. Some important topics, including technological background, evasion and detection, and alleviation of botnets, are discussed. We also point out the future research direction of detecting and mitigating DNS-based botnets. To the best of our knowledge, this topic gives a specialized and systematic study of the DNS-based botnet evading and detecting techniques in a new era and is useful for researchers in related fields.

show abstract

Section: Introductionmentioning

confidence: 99%

Botnet Detection Technology Based on DNS

Wang

Zhang

2017

Future Internet

View full text Add to dashboard Cite

show abstract

“…Zhao et al [16] developed a new system to detect APT (Advanced Persistent Threat) malware which relied on DNS to locate command and control servers. In this system, a classifier of Malicious DNS Detector was trained by a series of feature related DNS, which employed J48 decision tree algorithm and obtained the true positive rate of 96.3% and the false positive rate of 1.7%.…”

Section: Decision Treementioning

confidence: 99%

“…Many studies focused on internal code features of the malware such as byte n-grams [5,6], OpCode [10][11][12] and PE (Portable Executable) features [13,14]. In addition, a few researchers utilized external behavior features on the system such as creating file, hiding service, opening port [15], and some works also devoted to employ external behavior features in the network such as DNS (Domain Name System) answer and TTL (Time To Live) value [16].…”

Section: The Framework For Analyzing Malware By MLmentioning

confidence: 99%

Machine Learning for Analyzing Malware

Liu

Zeng

Yan

et al. 2017

JCSM

View full text Add to dashboard Cite

The Internet has become an indispensable part of people's work and life, but it also provides favorable communication conditions for malwares. Therefore, malwares are endless and spread faster and become one of the main threats of current network security. Based on the malware analysis process, from the original feature extraction and feature selection to malware analysis, this paper introduces the machine learning algorithms such as classification, clustering and association analysis, and how to use these machine learning algorithms to effectively analyze the malware and its variants.

show abstract

“…Many researches have made contribution to malicious domain detection [2,3,4]. Unlike the improved blacklist techniques behind their DNS traffic analysis, in this paper, we propose a new malicious domain detection technique based on traffic similarity.…”

Section: Introductionmentioning

confidence: 99%

Malicious Domain Detection Based on Traffic Similarity

Hu¹,

Wang²,

Shi³

et al. 2017

dtcse

View full text Add to dashboard Cite

Domain name system is an important resource in the Internet. Malicious domain detection techniques are used to find the malicious domains which are designed for malicious behaviors. The paper analyzes the existing malicious domain detection techniques and then proposes a new malicious domain detection technique based on traffic similarity. In this paper, we analyze the public botnet traffic dataset and get the DNS traffic pattern. We apply this pattern to spam as well. In this paper, we use normalized Fréchet distance to evaluate two traffic curves' similarity. Our experiments over simulation botnet and spam network show that the proposed technique can achieve high true positive rates (94.3% in average) as we change the botnet connection frequency, DGA types and spam sent rules. The proposed technique provides a new idea for malicious domain detection.

show abstract

Detecting APT Malware Infections Based on Malicious DNS and Traffic Analysis

Cited by 146 publications

References 10 publications

Botnet Detection Technology Based on DNS

Botnet Detection Technology Based on DNS

Machine Learning for Analyzing Malware

Malicious Domain Detection Based on Traffic Similarity

Contact Info

Product

Resources

About