Automated classification of C&C connections through malware URL clustering

Nizar Kheir; Gregory Blanc; Hervé Debar; Joaquin Garcia-Alfaro; Dingqi Yang

doi:10.1007/978-3-319-18467-8_17

Automated classification of C&C connections through malware URL clustering

Nizar Kheir
, Gregory Blanc
, Hervé Debar
, Joaquin Garcia-Alfaro
, Dingqi Yang

Résultats de recherche: Le chapitre dans un livre, un rapport, une anthologie ou une collection › Contribution à une conférence › Revue par des pairs

Résumé

We present WebVisor, an automated tool to derive patterns from malware Command and Control (C&C) server connections. From collective network communications stored on a large-scale malware dataset, WebVisor establishes the underlying patterns among samples of the same malware families (e.g., families in terms of development tools). WebVisor focuses on C&C channels based on the Hypertext Transfer Protocol (HTTP). First, it builds clusters based on the statistical features of the HTTP-based Uniform Resource Locators (URLs) stored in the malware dataset. Then, it conducts a fine-grained, noise-agnostic clustering process, based on the structure and semantic features of the URLs. We present experimental results using a software prototype of WebVisor and real-world malware datasets.

langue originale	Anglais
titre	ICT Systems Security and Privacy Protection - 30th IFIP TC 11 International Conference, SEC 2015, Proceedings
rédacteurs en chef	Dieter Gollmann, Hannes Federrath
Editeur	Springer New York LLC
Pages	252-266
Nombre de pages	15
ISBN (imprimé)	9783319184661
Les DOIs	https://doi.org/10.1007/978-3-319-18467-8_17
état	Publié - 1 janv. 2015
Modification externe	Oui
Evénement	30th IFIP TC 11 International Information Security and Privacy Conference, SEC 2015 - Hamburg, Allemagne Durée: 26 mai 2015 → 28 mai 2015

Série de publications

Nom	IFIP Advances in Information and Communication Technology
Volume	455
ISSN (imprimé)	1868-4238

Une conférence

Une conférence	30th IFIP TC 11 International Information Security and Privacy Conference, SEC 2015
Pays/Territoire	Allemagne
La ville	Hamburg
période	26/05/15 → 28/05/15

Accès au document

10.1007/978-3-319-18467-8_17

Autres fichiers et liens

Lien vers la publication dans Scopus

Contient cette citation

Kheir, N., Blanc, G., Debar, H., Garcia-Alfaro, J., & Yang, D. (2015). Automated classification of C&C connections through malware URL clustering. Dans D. Gollmann, & H. Federrath (eds.), ICT Systems Security and Privacy Protection - 30th IFIP TC 11 International Conference, SEC 2015, Proceedings (p. 252-266). (IFIP Advances in Information and Communication Technology; Vol 455). Springer New York LLC. https://doi.org/10.1007/978-3-319-18467-8_17

Kheir, Nizar ; Blanc, Gregory ; Debar, Hervé et al. / Automated classification of C&C connections through malware URL clustering. ICT Systems Security and Privacy Protection - 30th IFIP TC 11 International Conference, SEC 2015, Proceedings. Editeur / Dieter Gollmann ; Hannes Federrath. Springer New York LLC, 2015. p. 252-266 (IFIP Advances in Information and Communication Technology).

@inproceedings{2ea86f42d43f4dedb525088ed59f9f99,

title = "Automated classification of C\&C connections through malware URL clustering",

abstract = "We present WebVisor, an automated tool to derive patterns from malware Command and Control (C\&C) server connections. From collective network communications stored on a large-scale malware dataset, WebVisor establishes the underlying patterns among samples of the same malware families (e.g., families in terms of development tools). WebVisor focuses on C\&C channels based on the Hypertext Transfer Protocol (HTTP). First, it builds clusters based on the statistical features of the HTTP-based Uniform Resource Locators (URLs) stored in the malware dataset. Then, it conducts a fine-grained, noise-agnostic clustering process, based on the structure and semantic features of the URLs. We present experimental results using a software prototype of WebVisor and real-world malware datasets.",

author = "Nizar Kheir and Gregory Blanc and Herv{\'e} Debar and Joaquin Garcia-Alfaro and Dingqi Yang",

note = "Publisher Copyright: {\textcopyright} IFIP International Federation for Information Processing 2015.; 30th IFIP TC 11 International Information Security and Privacy Conference, SEC 2015 ; Conference date: 26-05-2015 Through 28-05-2015",

year = "2015",

month = jan,

day = "1",

doi = "10.1007/978-3-319-18467-8\_17",

language = "English",

isbn = "9783319184661",

series = "IFIP Advances in Information and Communication Technology",

publisher = "Springer New York LLC",

pages = "252--266",

editor = "Dieter Gollmann and Hannes Federrath",

booktitle = "ICT Systems Security and Privacy Protection - 30th IFIP TC 11 International Conference, SEC 2015, Proceedings",

}

Kheir, N, Blanc, G , Debar, H , Garcia-Alfaro, J & Yang, D 2015, Automated classification of C&C connections through malware URL clustering. Dans D Gollmann & H Federrath (eds), ICT Systems Security and Privacy Protection - 30th IFIP TC 11 International Conference, SEC 2015, Proceedings. IFIP Advances in Information and Communication Technology, VOL. 455, Springer New York LLC, p. 252-266, 30th IFIP TC 11 International Information Security and Privacy Conference, SEC 2015, Hamburg, Allemagne, 26/05/15. https://doi.org/10.1007/978-3-319-18467-8_17

Automated classification of C&C connections through malware URL clustering. / Kheir, Nizar; Blanc, Gregory ; Debar, Hervé et al.
ICT Systems Security and Privacy Protection - 30th IFIP TC 11 International Conference, SEC 2015, Proceedings. Ed. / Dieter Gollmann; Hannes Federrath. Springer New York LLC, 2015. p. 252-266 (IFIP Advances in Information and Communication Technology; Vol 455).

Résultats de recherche: Le chapitre dans un livre, un rapport, une anthologie ou une collection › Contribution à une conférence › Revue par des pairs

TY - GEN

T1 - Automated classification of C&C connections through malware URL clustering

AU - Kheir, Nizar

AU - Blanc, Gregory

AU - Debar, Hervé

AU - Garcia-Alfaro, Joaquin

AU - Yang, Dingqi

PY - 2015/1/1

Y1 - 2015/1/1

N2 - We present WebVisor, an automated tool to derive patterns from malware Command and Control (C&C) server connections. From collective network communications stored on a large-scale malware dataset, WebVisor establishes the underlying patterns among samples of the same malware families (e.g., families in terms of development tools). WebVisor focuses on C&C channels based on the Hypertext Transfer Protocol (HTTP). First, it builds clusters based on the statistical features of the HTTP-based Uniform Resource Locators (URLs) stored in the malware dataset. Then, it conducts a fine-grained, noise-agnostic clustering process, based on the structure and semantic features of the URLs. We present experimental results using a software prototype of WebVisor and real-world malware datasets.

AB - We present WebVisor, an automated tool to derive patterns from malware Command and Control (C&C) server connections. From collective network communications stored on a large-scale malware dataset, WebVisor establishes the underlying patterns among samples of the same malware families (e.g., families in terms of development tools). WebVisor focuses on C&C channels based on the Hypertext Transfer Protocol (HTTP). First, it builds clusters based on the statistical features of the HTTP-based Uniform Resource Locators (URLs) stored in the malware dataset. Then, it conducts a fine-grained, noise-agnostic clustering process, based on the structure and semantic features of the URLs. We present experimental results using a software prototype of WebVisor and real-world malware datasets.

UR - https://www.scopus.com/pages/publications/84942645359

U2 - 10.1007/978-3-319-18467-8_17

DO - 10.1007/978-3-319-18467-8_17

M3 - Conference contribution

AN - SCOPUS:84942645359

SN - 9783319184661

T3 - IFIP Advances in Information and Communication Technology

SP - 252

EP - 266

BT - ICT Systems Security and Privacy Protection - 30th IFIP TC 11 International Conference, SEC 2015, Proceedings

A2 - Gollmann, Dieter

A2 - Federrath, Hannes

PB - Springer New York LLC

T2 - 30th IFIP TC 11 International Information Security and Privacy Conference, SEC 2015

Y2 - 26 May 2015 through 28 May 2015

ER -

Kheir N, Blanc G , Debar H , Garcia-Alfaro J, Yang D. Automated classification of C&C connections through malware URL clustering. Dans Gollmann D, Federrath H, rédacteurs en chef, ICT Systems Security and Privacy Protection - 30th IFIP TC 11 International Conference, SEC 2015, Proceedings. Springer New York LLC. 2015. p. 252-266. (IFIP Advances in Information and Communication Technology). doi: 10.1007/978-3-319-18467-8_17

Automated classification of C&C connections through malware URL clustering

Résumé

Série de publications

Une conférence

Accès au document

Autres fichiers et liens

Empreinte digitale

Contient cette citation