TY - GEN
T1 - Hunting for invisibility
T2 - 35th Annual IEEE International Conference on Computer Communications, IEEE INFOCOM 2016
AU - Zhang, Jialong
AU - Hu, Xin
AU - Jang, Jiyong
AU - Wang, Ting
AU - Gu, Guofei
AU - Stoecklin, Marc
N1 - Publisher Copyright:
© 2016 IEEE.
PY - 2016/7/27
Y1 - 2016/7/27
N2 - Nowadays, cyber criminals often build web infrastructures rather than a single server to conduct their malicious activities. In order to continue their malevolent activities without being detected, cyber criminals make efforts to conceal the core servers (e.g., C&C servers, exploit servers, and drop-zone servers) in the malicious web infrastructure. Such deliberate invisibility of those concealed malicious servers, however, makes them particularly distinguishable from benign web servers that are usually promoted to be public. In this paper, we conduct the first large-scale measurement study to investigate the visibility of both malicious and benign servers. From our intensive analysis of over 100,000 benign servers, 45,000 malicious servers and 40,000 redirections, we identify a set of distinct features of malicious web infrastructures from their locations, structures, roles, and relationships perspectives, and propose a lightweight yet effective detection system called VisHunter. VisHunter identifies malicious redirections from visible servers to invisible servers at the entryway of malicious web infrastructures. We evaluate VisHunter on both online public data and large-scale enterprise network traffic, and demonstrate that VisHunter can achieve an average 96.2% detection rate with only 0.9% false positive rate on the real enterprise network traffic.
AB - Nowadays, cyber criminals often build web infrastructures rather than a single server to conduct their malicious activities. In order to continue their malevolent activities without being detected, cyber criminals make efforts to conceal the core servers (e.g., C&C servers, exploit servers, and drop-zone servers) in the malicious web infrastructure. Such deliberate invisibility of those concealed malicious servers, however, makes them particularly distinguishable from benign web servers that are usually promoted to be public. In this paper, we conduct the first large-scale measurement study to investigate the visibility of both malicious and benign servers. From our intensive analysis of over 100,000 benign servers, 45,000 malicious servers and 40,000 redirections, we identify a set of distinct features of malicious web infrastructures from their locations, structures, roles, and relationships perspectives, and propose a lightweight yet effective detection system called VisHunter. VisHunter identifies malicious redirections from visible servers to invisible servers at the entryway of malicious web infrastructures. We evaluate VisHunter on both online public data and large-scale enterprise network traffic, and demonstrate that VisHunter can achieve an average 96.2% detection rate with only 0.9% false positive rate on the real enterprise network traffic.
UR - http://www.scopus.com/inward/record.url?scp=84983266549&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84983266549&partnerID=8YFLogxK
U2 - 10.1109/INFOCOM.2016.7524582
DO - 10.1109/INFOCOM.2016.7524582
M3 - Conference contribution
AN - SCOPUS:84983266549
T3 - Proceedings - IEEE INFOCOM
BT - IEEE INFOCOM 2016 - 35th Annual IEEE International Conference on Computer Communications
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 10 April 2016 through 14 April 2016
ER -