Article
Metadata-driven Threat Classification of Network Endpoints Appearing in Malware
DIMVA '14: Proceedings of the 11th Conference on Detection of Intrusions and Malware & Vulnerability Assessment, LNCS 8550 (Sven Dietrich, ed.), pp. 152-171. Egham, UK (2014)
  • Andrew G. West
  • Aziz Mohaisen
Abstract

Networked machines serving as binary distribution points, C&C channels, or drop sites are a ubiquitous aspect of malware infrastructure. By sandboxing malcode one can extract the network endpoints (i.e., domains and URL paths) contacted during execution. Some endpoints are benign, e.g., connectivity tests. Exclusively malicious destinations, however, can serve as signatures enabling network alarms. Often these behavioral distinctions are drawn by expert analysts, resulting in considerable cost and labeling latency.

Leveraging 28,000 expert-labeled endpoints derived from ~100k malware binaries, this paper characterizes those domains/URLs towards prioritizing manual efforts and automatic signature generation. Our analysis focuses on endpoints' static metadata properties and not network payloads or routing dynamics. Performance validates this straightforward approach, achieving 99.4% accuracy at binary threat classification and 93% accuracy on the more granular task of severity prediction. This performance is driven by features capturing a domain's behavioral history and registration properties. More qualitatively, we discover the prominent role that dynamic DNS providers and "shared-use" public services play as perpetrators seek agile and cost-effective hosting infrastructure.
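The abstract describes the pipeline only at a high level: endpoints come out of a sandbox, static metadata (registration properties, behavioral history) is turned into features, and a classifier labels the endpoint. The following is an added illustration, not code from the paper or its authors, of how such a feature extractor handles the two cases the abstract singles out. The lookup tables (dynamic-DNS zones, shared-use hosts, a stand-in public-suffix list), the metadata fields, the sample endpoints and the hand-written scoring rule that replaces the paper's trained model are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
from urllib.parse import urlsplit

# Constructed lookup tables (assumptions for this example, not the paper's lists).
DYNAMIC_DNS_ZONES = {"no-ip.example", "dyndns.example"}   # parent zones rented per hostname
SHARED_USE_HOSTS = {"paste.example", "files.example"}     # benign public services
PUBLIC_SUFFIXES = {"example", "com", "net", "co.uk"}      # tiny stand-in for the PSL


@dataclass
class Metadata:
    """Static metadata a labeling pipeline would attach to an endpoint (constructed)."""
    registered_on: Optional[date]   # WHOIS creation date of the registered domain
    prior_malicious: int            # earlier malware samples in which this host appeared
    prior_benign: int               # earlier benign samples in which this host appeared


def registered_domain(host: str) -> str:
    """Return the registrable domain (eTLD+1) under the stand-in suffix list."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return host.lower()


def extract_features(url: str, meta: Metadata, today: date) -> dict:
    """Turn one endpoint plus its metadata into the feature vector classify() consumes."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registered_domain(host)
    dynamic_dns = reg in DYNAMIC_DNS_ZONES
    # On a dynamic-DNS zone the WHOIS record describes the provider, not the
    # operator of the hostname, so registration age is not a usable feature there.
    age_days = None
    if meta.registered_on is not None and not dynamic_dns:
        age_days = (today - meta.registered_on).days
    return {
        "host": host,
        "registered_domain": reg,
        "dynamic_dns": dynamic_dns,
        "shared_use": host in SHARED_USE_HOSTS or reg in SHARED_USE_HOSTS,
        "age_days": age_days,
        "path_depth": len([p for p in parts.path.split("/") if p]),
        "prior_malicious": meta.prior_malicious,
        "prior_benign": meta.prior_benign,
    }


def classify(f: dict) -> dict:
    """Hand-written scoring rule standing in for the paper's trained model (assumption)."""
    score = 0
    if f["prior_malicious"] and not f["prior_benign"]:
        score += 3          # exclusively malicious history
    elif f["prior_benign"] and not f["prior_malicious"]:
        score -= 3          # exclusively benign history (e.g. connectivity tests)
    if f["dynamic_dns"]:
        score += 2
    if f["age_days"] is not None and f["age_days"] < 90:
        score += 2          # freshly registered domain
    if f["shared_use"]:
        score -= 1          # the domain itself is benign; only a path can be abused
    # Where the domain is shared (dynamic DNS or a public service) a domain-level
    # signature would block benign traffic, so any alarm must key on the full URL.
    scope = "url" if (f["dynamic_dns"] or f["shared_use"]) else "domain"
    return {"label": "malicious" if score >= 2 else "benign",
            "score": score, "signature_scope": scope}


# Constructed sample endpoints with constructed metadata.
SAMPLES = [
    ("http://update.evil-host.example/bin/payload.exe",
     Metadata(date(2014, 3, 1), prior_malicious=4, prior_benign=0)),
    ("http://cc.no-ip.example/gate.php",
     Metadata(date(2001, 6, 15), prior_malicious=1, prior_benign=0)),
    ("http://paste.example/raw/abc123",
     Metadata(date(2006, 1, 1), prior_malicious=2, prior_benign=5)),
    ("http://conncheck.example/",
     Metadata(date(2005, 9, 9), prior_malicious=0, prior_benign=40)),
]


def run(today: date = date(2014, 7, 1)) -> dict:
    """Classify every sample; returns host -> verdict so results can be inspected."""
    results = {}
    for url, meta in SAMPLES:
        f = extract_features(url, meta, today)
        results[f["host"]] = classify(f)
    return results


if __name__ == "__main__":
    for host, verdict in run().items():
        print(f"{host:32} {verdict}")
```

The two caveats the example encodes are the practical ones: a hostname under a dynamic-DNS zone inherits the provider's registration record, so age-based features must be suppressed rather than computed against the parent zone, and a shared-use service scores benign at the domain level even when one of its paths is hostile, which is why the verdict carries a `signature_scope` telling the signature generator to match the URL rather than the domain.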

Keywords
  • malware,
  • malcode,
  • vulnerability,
  • threat indicators,
  • sandboxing,
  • URL,
  • domain,
  • registrar,
  • dynamic DNS
Publication Date
July, 2014
Citation Information
Metadata-driven Threat Classification of Network Endpoints Appearing in Malware. Andrew G. West and Aziz Mohaisen. In DIMVA '14: Proceedings of the 11th Conference on Detection of Intrusions and Malware & Vulnerability Assessment, LNCS 8550 (Sven Dietrich, ed.), pp. 152-171. Egham, UK. July 2014.