Automated classification of C&C connections through malware URL clustering

Nizar Kheir; Gregory Blanc; Hervé Debar; Joaquin Garcia-Alfaro; Dingqi Yang

doi:10.1007/978-3-319-18467-8_17

Automated classification of C&C connections through malware URL clustering

Nizar Kheir
, Gregory Blanc
, Hervé Debar
, Joaquin Garcia-Alfaro
, Dingqi Yang

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

We present WebVisor, an automated tool to derive patterns from malware Command and Control (C&C) server connections. From collective network communications stored on a large-scale malware dataset, WebVisor establishes the underlying patterns among samples of the same malware families (e.g., families in terms of development tools). WebVisor focuses on C&C channels based on the Hypertext Transfer Protocol (HTTP). First, it builds clusters based on the statistical features of the HTTP-based Uniform Resource Locators (URLs) stored in the malware dataset. Then, it conducts a fine-grained, noise-agnostic clustering process, based on the structure and semantic features of the URLs. We present experimental results using a software prototype of WebVisor and real-world malware datasets.

Original language	English
Title of host publication	ICT Systems Security and Privacy Protection - 30th IFIP TC 11 International Conference, SEC 2015, Proceedings
Editors	Dieter Gollmann, Hannes Federrath
Publisher	Springer New York LLC
Pages	252-266
Number of pages	15
ISBN (Print)	9783319184661
DOIs	https://doi.org/10.1007/978-3-319-18467-8_17
Publication status	Published - 1 Jan 2015
Externally published	Yes
Event	30th IFIP TC 11 International Information Security and Privacy Conference, SEC 2015 - Hamburg, Germany Duration: 26 May 2015 → 28 May 2015

Publication series

Name	IFIP Advances in Information and Communication Technology
Volume	455
ISSN (Print)	1868-4238

Conference

Conference	30th IFIP TC 11 International Information Security and Privacy Conference, SEC 2015
Country/Territory	Germany
City	Hamburg
Period	26/05/15 → 28/05/15

Access to Document

10.1007/978-3-319-18467-8_17

Cite this

Kheir, N., Blanc, G., Debar, H., Garcia-Alfaro, J., & Yang, D. (2015). Automated classification of C&C connections through malware URL clustering. In D. Gollmann, & H. Federrath (Eds.), ICT Systems Security and Privacy Protection - 30th IFIP TC 11 International Conference, SEC 2015, Proceedings (pp. 252-266). (IFIP Advances in Information and Communication Technology; Vol. 455). Springer New York LLC. https://doi.org/10.1007/978-3-319-18467-8_17

Kheir, Nizar ; Blanc, Gregory ; Debar, Hervé et al. / Automated classification of C&C connections through malware URL clustering. ICT Systems Security and Privacy Protection - 30th IFIP TC 11 International Conference, SEC 2015, Proceedings. editor / Dieter Gollmann ; Hannes Federrath. Springer New York LLC, 2015. pp. 252-266 (IFIP Advances in Information and Communication Technology).

@inproceedings{2ea86f42d43f4dedb525088ed59f9f99,

title = "Automated classification of C\&C connections through malware URL clustering",

abstract = "We present WebVisor, an automated tool to derive patterns from malware Command and Control (C\&C) server connections. From collective network communications stored on a large-scale malware dataset, WebVisor establishes the underlying patterns among samples of the same malware families (e.g., families in terms of development tools). WebVisor focuses on C\&C channels based on the Hypertext Transfer Protocol (HTTP). First, it builds clusters based on the statistical features of the HTTP-based Uniform Resource Locators (URLs) stored in the malware dataset. Then, it conducts a fine-grained, noise-agnostic clustering process, based on the structure and semantic features of the URLs. We present experimental results using a software prototype of WebVisor and real-world malware datasets.",

author = "Nizar Kheir and Gregory Blanc and Herv{\'e} Debar and Joaquin Garcia-Alfaro and Dingqi Yang",

note = "Publisher Copyright: {\textcopyright} IFIP International Federation for Information Processing 2015.; 30th IFIP TC 11 International Information Security and Privacy Conference, SEC 2015 ; Conference date: 26-05-2015 Through 28-05-2015",

year = "2015",

month = jan,

day = "1",

doi = "10.1007/978-3-319-18467-8\_17",

language = "English",

isbn = "9783319184661",

series = "IFIP Advances in Information and Communication Technology",

publisher = "Springer New York LLC",

pages = "252--266",

editor = "Dieter Gollmann and Hannes Federrath",

booktitle = "ICT Systems Security and Privacy Protection - 30th IFIP TC 11 International Conference, SEC 2015, Proceedings",

}

Kheir, N, Blanc, G , Debar, H , Garcia-Alfaro, J & Yang, D 2015, Automated classification of C&C connections through malware URL clustering. in D Gollmann & H Federrath (eds), ICT Systems Security and Privacy Protection - 30th IFIP TC 11 International Conference, SEC 2015, Proceedings. IFIP Advances in Information and Communication Technology, vol. 455, Springer New York LLC, pp. 252-266, 30th IFIP TC 11 International Information Security and Privacy Conference, SEC 2015, Hamburg, Germany, 26/05/15. https://doi.org/10.1007/978-3-319-18467-8_17

Automated classification of C&C connections through malware URL clustering. / Kheir, Nizar; Blanc, Gregory ; Debar, Hervé et al.
ICT Systems Security and Privacy Protection - 30th IFIP TC 11 International Conference, SEC 2015, Proceedings. ed. / Dieter Gollmann; Hannes Federrath. Springer New York LLC, 2015. p. 252-266 (IFIP Advances in Information and Communication Technology; Vol. 455).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Automated classification of C&C connections through malware URL clustering

AU - Kheir, Nizar

AU - Blanc, Gregory

AU - Debar, Hervé

AU - Garcia-Alfaro, Joaquin

AU - Yang, Dingqi

N1 - Publisher Copyright: © IFIP International Federation for Information Processing 2015.

PY - 2015/1/1

Y1 - 2015/1/1

N2 - We present WebVisor, an automated tool to derive patterns from malware Command and Control (C&C) server connections. From collective network communications stored on a large-scale malware dataset, WebVisor establishes the underlying patterns among samples of the same malware families (e.g., families in terms of development tools). WebVisor focuses on C&C channels based on the Hypertext Transfer Protocol (HTTP). First, it builds clusters based on the statistical features of the HTTP-based Uniform Resource Locators (URLs) stored in the malware dataset. Then, it conducts a fine-grained, noise-agnostic clustering process, based on the structure and semantic features of the URLs. We present experimental results using a software prototype of WebVisor and real-world malware datasets.

AB - We present WebVisor, an automated tool to derive patterns from malware Command and Control (C&C) server connections. From collective network communications stored on a large-scale malware dataset, WebVisor establishes the underlying patterns among samples of the same malware families (e.g., families in terms of development tools). WebVisor focuses on C&C channels based on the Hypertext Transfer Protocol (HTTP). First, it builds clusters based on the statistical features of the HTTP-based Uniform Resource Locators (URLs) stored in the malware dataset. Then, it conducts a fine-grained, noise-agnostic clustering process, based on the structure and semantic features of the URLs. We present experimental results using a software prototype of WebVisor and real-world malware datasets.

UR - https://www.scopus.com/pages/publications/84942645359

U2 - 10.1007/978-3-319-18467-8_17

DO - 10.1007/978-3-319-18467-8_17

M3 - Conference contribution

AN - SCOPUS:84942645359

SN - 9783319184661

T3 - IFIP Advances in Information and Communication Technology

SP - 252

EP - 266

BT - ICT Systems Security and Privacy Protection - 30th IFIP TC 11 International Conference, SEC 2015, Proceedings

A2 - Gollmann, Dieter

A2 - Federrath, Hannes

PB - Springer New York LLC

T2 - 30th IFIP TC 11 International Information Security and Privacy Conference, SEC 2015

Y2 - 26 May 2015 through 28 May 2015

ER -

Kheir N, Blanc G , Debar H , Garcia-Alfaro J, Yang D. Automated classification of C&C connections through malware URL clustering. In Gollmann D, Federrath H, editors, ICT Systems Security and Privacy Protection - 30th IFIP TC 11 International Conference, SEC 2015, Proceedings. Springer New York LLC. 2015. p. 252-266. (IFIP Advances in Information and Communication Technology). doi: 10.1007/978-3-319-18467-8_17

Automated classification of C&C connections through malware URL clustering

Abstract

Publication series

Conference

Access to Document

Other files and links

Fingerprint

Cite this