Abstract
With the rise of network attack, advanced persistent threats (APT) imposes severe challenges to network security. Since APT attacker can easily hide inevitable C&C traffic in massive Web traffic, HTTP-based C&C communication has become the most preferred method, providing us with new ideas for detecting. Moreover, under the assumption that attackers have limited attack resources, the domains used in the same attack will show relevance. Although there has been a lot of works focused on APT detection, it is still a difficult task to detect the abnormal DNS activity from massive Web traffic. In this paper, we propose a new framework based belief propagation to identify suspicious domains and compromised hosts in APT. We extract the domains features and calculate the score of being malicious from the DNS logs with minimal ground truth. We implement and validate our framework on anonymous DNS logs released by LANL. The experiment shows that our approach identifies previously unknown malicious domains and achieves high detection rates.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Bejtlich, R.: Air force cyberspace report (2007). http://taosecurity.blogspot.com/2007/10/air-force-cyberspace-report.html
Bohara, A., Noureddine, M.A., Fawaz, A., Sanders, W.H.: An unsupervised multi-detector approach for identifying malicious lateral movement. In: IEEE Symposium on Reliable Distributed Systems (2017)
Mavroeidis, V., Bromander, S.: Cyber threat intelligence model: an evaluation of taxonomies, sharing standards, and ontologies within cyber threat intelligence. In: European Intelligence and Security Informatics Conference (EISIC), pp. 91–98 (2017)
Sakib, M.N., Huang,C.T.: Using anomaly detection based techniques to detect HTTP-based botnet C&C traffic. In: IEEE International Conference on Communications, pp. 1–6 (2016)
Villeneuve, N., Bennett, J.: Detecting apt activity with network traffic analysis. Trend Micro Incorporated (2012)
Yan, G., Li, Q., Guo, D., Li, B.: AULD: Large scale suspicious DNS activities detection via unsupervised learning in advanced persistent threats. Sensors 19, 3180 (2019)
Wang, X., Zheng, K.F., Niu, X.X., Wu, B., Wu, C.H.: Detection of command and control in advanced persistent threat based on independent access. In: IEEE International Conference on Communications (ICC) (2016)
Nadler, A., Aminov, A., Shabtai, A.: Detection of malicious and low throughput data exfiltration over the DNS protocol. Comput. Secur. 80, 36–53 (2019)
Kheir, N., Tran, F., Caron, P., Deschamps, N.: Mentor: positive DNS reputation to skim-off benign domains in botnet C&C blacklists. In: Cuppens-Boulahia, N., Cuppens, F., Jajodia, S., Abou El Kalam, A., Sans, T. (eds.) SEC 2014. IAICT, vol. 428, pp. 1–14. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55415-5_1
Manadhata, P.K., Yadav, S., Rao, P., Horne, W.: Detecting malicious domains via graph inference. In: Kutyłowski, M., Vaidya, J. (eds.) ESORICS 2014. LNCS, vol. 8712, pp. 1–18. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-11203-9_1
Zou, F., Zhang, S., Rao, W., Yi, P.: Detecting malware based on DNS graph mining. Int. J. Distrib. Sens. Netw. 11, 102687 (2015)
Oprea, A., Li, Z., Yen, T.-F., Chin.S. H., Alrwais, S.: Detection of early-stage enterprise infection by mining large-scale log data. In IEEE/IFIP International Conference on Dependable Systems and Networks (2015)
Ma, Z., Li, Q., Meng, X.: Discovering suspicious APT families through a large-scale domain graph in information-centric IoT. IEEE Access 7, 13917–13926 (2019)
Khalil, I., Yu, T., Guan, B.: Discovering malicious domains through passive DNS data graph analysis. In: ACM on Asia Conference on Computer & Communications Security. ACM (2016)
Zhao, G., Xu, K., Xu, L., Wu, B.: Detecting APT malware infections based on malicious DNS and traffic analysis. IEEE Access 3, 1132–1142 (2015)
Ghafir, I., Hammoudeh, M., Prenosil, V., Han, L., Hegarty, R., Rabie, K.: Detection of advanced persistent threat using machine-learning correlation analysis. Future Generation Comput. Syst. 89, 349–359 (2018)
Lee, J., Lee, H.: GMAD: graph-based malware activity detection by DNS traffic analysis. Comput. Commun. 49, 33–47 (2014)
Stevanovic, M., Pedersen, J.M., D’Alconzo, A., Ruehrup, S.: A method for identifying compromised clients based on DNS traffic analysis. Int. J. Inf. Secur. 16(2), 115–132 (2016). https://doi.org/10.1007/s10207-016-0331-3
Ferrell, P.S.: Apt infection discovery using DNS data. Los Alamos National Laboratory (LANL), Technical report (2013)
Acknowledgement
This work is supported by the National Key Research and Development Program of China under Grant 2016QY06X1205.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Huang, L., Xue, J., Han, W., Kong, Z., Niu, Z. (2020). Detection of Malicious Domains in APT via Mining Massive DNS Logs. In: Chen, X., Yan, H., Yan, Q., Zhang, X. (eds) Machine Learning for Cyber Security. ML4CS 2020. Lecture Notes in Computer Science(), vol 12486. Springer, Cham. https://doi.org/10.1007/978-3-030-62223-7_12
Download citation
DOI: https://doi.org/10.1007/978-3-030-62223-7_12
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-62222-0
Online ISBN: 978-3-030-62223-7
eBook Packages: Computer ScienceComputer Science (R0)