Identifying APT Malware Domain Based on Mobile DNS Logging-Reference-Cited by-同舟云学术

Identifying APT Malware Domain Based on Mobile DNS Logging

Published:2017 Issue: Volume:2017 Page:1-9
ISSN:1024-123X
Container-title:Mathematical Problems in Engineering
language:en
Short-container-title:Mathematical Problems in Engineering

Author:

Niu Weina¹²,Zhang Xiaosong¹²^ORCID,Yang GuoWu²,Zhu Jianan³,Ren Zhongwei¹

Affiliation:

1. School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu, Sichuan 611731, China

2. Center for Cyber Security, University of Electronic Science and Technology of China, Chengdu, Sichuan 611731, China

3. School of Information and Software Engineering, University of Electronic Science and Technology of China, Chengdu, Sichuan 610054, China

Abstract

Advanced Persistent Threat (APT) is a serious threat against sensitive information. Current detection approaches are time-consuming since they detect APT attack by in-depth analysis of massive amounts of data after data breaches. Specifically, APT attackers make use of DNS to locate their command and control (C&C) servers and victims’ machines. In this paper, we propose an efficient approach to detect APT malware C&C domain with high accuracy by analyzing DNS logs. We first extract 15 features from DNS logs of mobile devices. According to Alexa ranking and the VirusTotal’s judgement result, we give each domain a score. Then, we select the most normal domains by the score metric. Finally, we utilize our anomaly detection algorithm, called Global Abnormal Forest (GAF), to identify malware C&C domains. We conduct a performance analysis to demonstrate that our approach is more efficient than other existing works in terms of calculation efficiency and recognition accuracy. Compared with Local Outlier Factor (LOF), k-Nearest Neighbor (KNN), and Isolation Forest (iForest), our approach obtains more than 99% F-M and R for the detection of C&C domains. Our approach not only can reduce data volume that needs to be recorded and analyzed but also can be applicable to unsupervised learning.

Funder

National Natural Science Foundation of China

Publisher

Hindawi Limited

Subject

General Engineering,General Mathematics

Link

http://downloads.hindawi.com/journals/mpe/2017/4916953.pdf

Reference23 articles.

1. A Study on Advanced Persistent Threats

2. On the Security of Machine Learning in Malware C&C Detection

Cited by 32 articles. 订阅此论文施引文献订阅此论文施引文献，注册后可以免费订阅5篇论文的施引文献，订阅后可以查看论文全部施引文献

1. APT Attack and Detection Technology;2024 IEEE 6th Advanced Information Management, Communicates, Electronic and Automation Control Conference (IMCEC);2024-05-24

2. C2-DNSWatch: Endpoint Framework for Detecting Command and Control (C2) Connection of Advanced Persistent Threats (APTs);2024 13th International Conference on Communications, Circuits and Systems (ICCCAS);2024-05-10

3. C2-Eye: framework for detecting command and control (C2) connection of supply chain attacks;International Journal of Information Security;2024-04-29

4. DEML: Data-Enhanced Meta-Learning Method for IoT APT Traffic Detection;Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering;2024

5. A Systematic Literature Review and a Conceptual Framework Proposition for Advanced Persistent Threats (APT) Detection for Mobile Devices Using Artificial Intelligence Techniques;Applied Sciences;2023-07-10