Malflow: Identification of C&C servers through host-based data flow profiling

Tobias Wüchner, Martín Ochoa, Mojdeh Golagha, Gaurav Srivastava, Thomas Schreck, Alexander Pretschner

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

4 Scopus citations

Abstract

Modern malware interacts with multiple internet domains for various reasons: communication with command and control (C&C) servers, boosting click counts on online ads or performing denial of service attacks, among others. The identification of malign domains is thus necessary to prevent (and react to) incidents. Since malware creators constantly generate new domains to avoid detection, maintaining up-to-date lists of malign domains is challenging. We propose an approach that automatically estimates the risk associated with communicating with a domain based on the data flow behavior of a process communicating with it. Our approach uses unsupervised learning on data flow profiles that capture communication of processes with network endpoints at system call level to distinguish between likely malign or benign behavior. Our evaluations on a large and diverse data set indicate a high detection accuracy and a reasonable performance overhead. We further discuss how this concept can be used in an operational setting for fine-grained enforcement of risk-based incident response actions.

Original language: English
Title of host publication: 2016 Symposium on Applied Computing, SAC 2016
Publisher: Association for Computing Machinery
Pages: 2087-2094
Number of pages: 8
ISBN (Electronic): 9781450337397
DOIs
State: Published - 4 Apr 2016
Event: 31st Annual ACM Symposium on Applied Computing, SAC 2016 - Pisa, Italy
Duration: 4 Apr 2016 - 8 Apr 2016

Publication series

Name: Proceedings of the ACM Symposium on Applied Computing
Volume: 04-08-April-2016

Conference

Conference: 31st Annual ACM Symposium on Applied Computing, SAC 2016
Country/Territory: Italy
City: Pisa
Period: 4/04/16 - 8/04/16

Keywords

  • Command and control server
  • Data flow analysis
  • Malware
