Title :
Crossing the threshold: Detecting network malfeasance via sequential hypothesis testing
Author :
Krishnan, Sridhar ; Taylor, Thomas ; Monrose, F. ; McHugh, Justin
Author_Institution :
Dept. of Comput. Sci., Univ. of North Carolina at Chapel Hill, Chapel Hill, NC, USA
Abstract :
The domain name system plays a vital role in the dependability and security of modern network. Unfortunately, it has also been widely misused for nefarious activities. Recently, attackers have turned their attention to the use of algorithmically generated domain names (AGDs) in an effort to circumvent network defenses. However, because such domain names are increasingly being used in benign applications, this transition has significant implications for techniques that classify AGDs based solely on the format of a domain name. To highlight the challenges they face, we examine contemporary approaches and demonstrate their limitations. We address these shortcomings by proposing an online form of sequential hypothesis testing that classifies clients based solely on the non-existent (NX) responses they elicit. Our evaluations on real-world data show that we outperform existing approaches, and for the vast majority of cases, we detect malware before they are able to successfully rendezvous with their command and control centers.
Keywords :
Internet; computer network security; invasive software; pattern classification; AGD classification; algorithmically generated domain names; client classification; command and control centers; domain name system; malware detection; network dependability; network malfeasance detection; network security; nonexistent responses; real-world data; sequential hypothesis testing; Engines; Program processors;
Conference_Titel :
Dependable Systems and Networks (DSN), 2013 43rd Annual IEEE/IFIP International Conference on
Conference_Location :
Budapest
Print_ISBN :
978-1-4673-6471-3
DOI :
10.1109/DSN.2013.6575364
