Malware Beaconing Detection by Mining Large-scale DNS Logs for Targeted Attack Identification

One of the leading problems in cyber security today is the emergence of targeted attacks conducted by adversaries with access to sophisticated tools. These attacks usually steal the system privileges of senior-level employees in order to gain unauthorized access to confidential knowledge and valuable intellectual property. The malware used for the initial compromise of the systems is sophisticated and may target zero-day vulnerabilities. In this work we utilize a common behaviour of malware called "beaconing", in which infected hosts communicate with Command and Control (C2) servers at regular intervals that have relatively small time variations. By analysing such beacon activity through passive network monitoring, it is possible to detect potential malware infections. We therefore focus on time gaps as indicators of possible C2 activity in targeted enterprise networks. We represent DNS log files as a graph whose vertices are destination domains and whose edges are timestamps. Then, by applying four periodicity detection algorithms to each pair of internal-external communications, we check the timestamp sequences to identify beacon activity. Finally, based on the graph structure, we infer the existence of other infected hosts and malicious domains involved in the attack activities.
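The pipeline sketched in the abstract (group DNS queries per internal-host/domain pair, test the gap sequence for regularity, then walk the shared-domain structure to find further suspects) is illustrated below in an added Python example; it is not the paper's code. The log line format, the sample entries, the thresholds, and the use of the coefficient of variation of inter-query gaps as a single simple stand-in for the paper's four periodicity detection algorithms are all assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample DNS log (not real traffic): "<unix_ts> <client_ip> <domain>".
# 10.0.0.5 resolves beacon.example roughly every 60 s with a few seconds of jitter,
# 10.0.0.7 resolves news.example at irregular, human-like gaps, and
# 10.0.0.9 resolves beacon.example only once (too few queries for periodicity).
SAMPLE_LOG = """\
1420070400 10.0.0.5 beacon.example
1420070400 10.0.0.7 news.example
1420070405 10.0.0.7 news.example
1420070430 10.0.0.9 beacon.example
1420070460 10.0.0.5 beacon.example
1420070521 10.0.0.5 beacon.example
1420070580 10.0.0.5 beacon.example
1420070642 10.0.0.5 beacon.example
1420070700 10.0.0.5 beacon.example
1420070700 10.0.0.7 news.example
1420070761 10.0.0.5 beacon.example
1420070820 10.0.0.5 beacon.example
1420071000 10.0.0.7 news.example
1420071020 10.0.0.7 news.example
1420072500 10.0.0.7 news.example
"""


def parse_log(text):
    """Group query timestamps by (client, domain) edge, sorted in time order.

    Each internal-host/external-domain pair becomes one edge carrying the
    list of timestamps at which that host queried that domain.
    """
    edges = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, domain = line.split()
        edges[(client, domain)].append(int(ts))
    return {key: sorted(ts_list) for key, ts_list in edges.items()}


def gap_stats(timestamps):
    """Return (mean gap, coefficient of variation) of the consecutive time gaps.

    A low coefficient of variation means the gaps are nearly constant, which is
    the "regular intervals with small variation" signature of a beacon.
    """
    gaps = [later - earlier for earlier, later in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2:
        return (gaps[0] if gaps else 0.0), float("inf")
    mean_gap = mean(gaps)
    if mean_gap <= 0:  # all queries at the same instant: not a beacon pattern
        return mean_gap, float("inf")
    return mean_gap, pstdev(gaps) / mean_gap


def find_beacons(edges, min_queries=5, max_cv=0.1):
    """Flag edges whose gap sequence is regular enough to look like beaconing.

    min_queries and max_cv are assumed thresholds; tune them on real data.
    """
    hits = {}
    for key, ts_list in edges.items():
        if len(ts_list) < min_queries:
            continue
        mean_gap, cv = gap_stats(ts_list)
        if cv <= max_cv:
            hits[key] = (mean_gap, cv)
    return hits


def infer_related_hosts(edges, beacons):
    """Use the graph: other clients that queried a flagged domain become suspects,
    even when their own query count is too small for periodicity analysis."""
    flagged_domains = {domain for _, domain in beacons}
    flagged_clients = {client for client, _ in beacons}
    return {client for client, domain in edges
            if domain in flagged_domains and client not in flagged_clients}


if __name__ == "__main__":
    graph = parse_log(SAMPLE_LOG)
    beacons = find_beacons(graph)
    for (client, domain), (mean_gap, cv) in beacons.items():
        print(f"beacon candidate: {client} -> {domain} every ~{mean_gap:.0f}s (cv={cv:.3f})")
    print("related hosts via shared domain:", sorted(infer_related_hosts(graph, beacons)))
```

On the constructed log, only the 10.0.0.5 to beacon.example edge passes the regularity test (mean gap 60 s, coefficient of variation about 0.02), the irregular news.example edge is rejected, and 10.0.0.9 is surfaced purely through the shared beacon.example vertex. Real deployments need a longer minimum observation window and a jitter tolerance chosen against benign periodic traffic such as NTP, software updaters and RSS readers, which produce the same regular-gap signature.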
