TY - GEN
T1 - Detection of Malicious Domains in APT via Mining Massive DNS Logs
AU - Huang, Lu
AU - Xue, Jingfeng
AU - Han, Weijie
AU - Kong, Zixiao
AU - Niu, Zequn
N1 - Publisher Copyright:
© 2020, Springer Nature Switzerland AG.
PY - 2020
Y1 - 2020
N2 - With the rise of network attacks, advanced persistent threats (APT) impose severe challenges to network security. Since an APT attacker can easily hide the inevitable C&C traffic in massive Web traffic, HTTP-based C&C communication has become the most preferred method, which provides us with new ideas for detection. Moreover, under the assumption that attackers have limited attack resources, the domains used in the same attack will show relevance. Although there has been a lot of work focused on APT detection, it is still a difficult task to detect abnormal DNS activity in massive Web traffic. In this paper, we propose a new framework based on belief propagation to identify suspicious domains and compromised hosts in APT. We extract domain features and calculate the score of being malicious from the DNS logs with minimal ground truth. We implement and validate our framework on anonymized DNS logs released by LANL. The experiment shows that our approach identifies previously unknown malicious domains and achieves high detection rates.
AB - With the rise of network attacks, advanced persistent threats (APT) impose severe challenges to network security. Since an APT attacker can easily hide the inevitable C&C traffic in massive Web traffic, HTTP-based C&C communication has become the most preferred method, which provides us with new ideas for detection. Moreover, under the assumption that attackers have limited attack resources, the domains used in the same attack will show relevance. Although there has been a lot of work focused on APT detection, it is still a difficult task to detect abnormal DNS activity in massive Web traffic. In this paper, we propose a new framework based on belief propagation to identify suspicious domains and compromised hosts in APT. We extract domain features and calculate the score of being malicious from the DNS logs with minimal ground truth. We implement and validate our framework on anonymized DNS logs released by LANL. The experiment shows that our approach identifies previously unknown malicious domains and achieves high detection rates.
KW - APT
KW - C&C detection
KW - DNS
KW - Malicious domain detection
UR - http://www.scopus.com/inward/record.url?scp=85097198650&partnerID=8YFLogxK
U2 - 10.1007/978-3-030-62223-7_12
DO - 10.1007/978-3-030-62223-7_12
M3 - Conference contribution
AN - SCOPUS:85097198650
SN - 9783030622220
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 140
EP - 152
BT - Machine Learning for Cyber Security - Third International Conference, ML4CS 2020, Proceedings
A2 - Chen, Xiaofeng
A2 - Yan, Hongyang
A2 - Yan, Qiben
A2 - Zhang, Xiangliang
PB - Springer Science and Business Media Deutschland GmbH
T2 - 3rd International Conference on Machine Learning for Cyber Security, ML4CS 2020
Y2 - 8 October 2020 through 10 October 2020
ER -