Automated classification of C&C connections through malware URL clustering - ICT Systems Security and Privacy Protection
Conference Papers, Year: 2015

Automated classification of C&C connections through malware URL clustering

Abstract

We present WebVisor, an automated tool to derive patterns from malware Command and Control (C&C) server connections. From collective network communications stored in a large-scale malware dataset, WebVisor establishes the underlying patterns among samples of the same malware families (e.g., families in terms of development tools). WebVisor focuses on C&C channels based on the Hypertext Transfer Protocol (HTTP). First, it builds clusters based on the statistical features of the HTTP-based Uniform Resource Locators (URLs) stored in the malware dataset. Then, it conducts a fine-grained, noise-agnostic clustering process based on the structural and semantic features of the URLs. We present experimental results using a software prototype of WebVisor and real-world malware datasets.

Main file: 337885_1_En_17_Chapter.pdf (308.72 KB). Origin: files produced by the author(s).

Dates and versions

hal-01255089, version 1 (13-07-2016)

Cite

Nizar Kheir, Gregory Blanc, Hervé Debar, Joaquin Garcia-Alfaro, Dingqi Yang. Automated classification of C&C connections through malware URL clustering. 2015 SEC: 30th IFIP International Conference on ICT Systems Security and Privacy Protection, May 2015, Hamburg, Germany. pp. 252-266, ⟨10.1007/978-3-319-18467-8_17⟩. ⟨hal-01255089⟩