Detecting Malware Injection with Program-DNS Behavior

Yixin Sun, Kangkook Jee, Suphannee Sivakorn, Zhichun Li, Cristian Lumezanu, Lauri Korts-Parn, Zhenyu Wu, Junghwan Rhee, Chung Hwan Kim, Mung Chiang, Prateek Mittal

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

9 Scopus citations


Analyzing the DNS traffic of Internet hosts has been a successful technique to counter cyberattacks and identify connections to malicious domains. However, recent stealthy attacks hide malicious activities within seemingly legitimate connections to popular web services made by benign programs. Traditional DNS monitoring and signature-based detection techniques are ineffective against such attacks. To tackle this challenge, we present a new program-level approach that can effectively detect such stealthy attacks. Our method builds a fine-grained Program-DNS profile for each benign program that characterizes what should be the 'expected' DNS behavior. We find that malware-injected processes have DNS activities that deviate significantly from the Program-DNS profile of the benign program. We then develop six novel features based on the Program-DNS profile, and evaluate the features on a dataset of over 130 million DNS requests collected from a real-world enterprise and 8 million requests from malware samples executed in a sandbox environment. We compare our detection results with those of previously proposed features and demonstrate that our new features successfully detect 190 malware-injected processes that previously proposed features fail to detect. Overall, our study demonstrates that fine-grained Program-DNS profiles can provide meaningful and effective features for building detectors for attack campaigns that bypass existing detection systems.

Original language: English (US)
Title of host publication: Proceedings - 5th IEEE European Symposium on Security and Privacy, Euro S and P 2020
Publisher: Institute of Electrical and Electronics Engineers Inc.
Number of pages: 17
ISBN (Electronic): 9781728150871
State: Published - Sep 2020
Event: 5th IEEE European Symposium on Security and Privacy, Euro S and P 2020 - Virtual, Genoa, Italy
Duration: Sep 7 2020 to Sep 11 2020

Publication series

Name: Proceedings - 5th IEEE European Symposium on Security and Privacy, Euro S and P 2020


Conference: 5th IEEE European Symposium on Security and Privacy, Euro S and P 2020
City: Virtual, Genoa

All Science Journal Classification (ASJC) codes

  • Artificial Intelligence
  • Computer Networks and Communications
  • Hardware and Architecture
  • Software
  • Safety, Risk, Reliability and Quality
  • Information Systems and Management

