Hunting for invisibility: Characterizing and detecting malicious web infrastructures through server visibility analysis

Jialong Zhang, Xin Hu, Jiyong Jang, Ting Wang, Guofei Gu, Marc Stoecklin

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution

8 Scopus citations

Abstract

Nowadays, cyber criminals often build web infrastructures rather than a single server to conduct their malicious activities. In order to continue their malevolent activities without being detected, cyber criminals make efforts to conceal the core servers (e.g., C&C servers, exploit servers, and drop-zone servers) in the malicious web infrastructure. Such deliberate invisibility of those concealed malicious servers, however, makes them particularly distinguishable from benign web servers, which are usually promoted publicly. In this paper, we conduct the first large-scale measurement study to investigate the visibility of both malicious and benign servers. From our intensive analysis of over 100,000 benign servers, 45,000 malicious servers and 40,000 redirections, we identify a set of distinct features of malicious web infrastructures from the perspectives of their locations, structures, roles, and relationships, and propose a lightweight yet effective detection system called VisHunter. VisHunter identifies malicious redirections from visible servers to invisible servers at the entryway of malicious web infrastructures. We evaluate VisHunter on both online public data and large-scale enterprise network traffic, and demonstrate that VisHunter can achieve an average 96.2% detection rate with only a 0.9% false positive rate on real enterprise network traffic.

Original language: English (US)
Title of host publication: IEEE INFOCOM 2016 - 35th Annual IEEE International Conference on Computer Communications
Publisher: Institute of Electrical and Electronics Engineers Inc.
ISBN (Electronic): 9781467399531
DOIs
State: Published - Jul 27 2016
Event: 35th Annual IEEE International Conference on Computer Communications, IEEE INFOCOM 2016 - San Francisco, United States
Duration: Apr 10 2016 to Apr 14 2016

Publication series

Name: Proceedings - IEEE INFOCOM
Volume: 2016-July
ISSN (Print): 0743-166X

Other

Other: 35th Annual IEEE International Conference on Computer Communications, IEEE INFOCOM 2016
Country/Territory: United States
City: San Francisco
Period: 4/10/16 to 4/14/16

All Science Journal Classification (ASJC) codes

  • General Computer Science
  • Electrical and Electronic Engineering
