Detecting Malware Injection with Program-DNS Behavior

Yixin Sun; Kangkook Jee; Suphannee Sivakorn; Zhichun Li; Cristian Lumezanu; Lauri Korts-Parn; Zhenyu Wu; Junghwan Rhee; Chung Hwan Kim; Mung Chiang; Prateek Mittal

doi:10.1109/EuroSP48549.2020.00042

Detecting Malware Injection with Program-DNS Behavior

Yixin Sun, Kangkook Jee, Suphannee Sivakorn, Zhichun Li, Cristian Lumezanu, Lauri Korts-Parn, Zhenyu Wu, Junghwan Rhee, Chung Hwan Kim, Mung Chiang, Prateek Mittal

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

6 Scopus citations

Abstract

Analyzing the DNS traffic of Internet hosts has been a successful technique to counter cyberattacks and identify connections to malicious domains. However, recent stealthy attacks hide malicious activities within seemingly legitimate connections to popular web services made by benign programs. Traditional DNS monitoring and signature-based detection techniques are ineffective against such attacks. To tackle this challenge, we present a new program-level approach that can effectively detect such stealthy attacks. Our method builds a fine-grained Program-DNS profile for each benign program that characterizes what should be the 'expected' DNS behavior. We find that malware-injected processes have DNS activities which significantly deviate from the Program-DNS profile of the benign program. We then develop six novel features based on the Program-DNS profile, and evaluate the features on a dataset of over 130 million DNS requests collected from a real-world enterprise and 8 million requests from malware-samples executed in a sandbox environment. We compare our detection results with that of previously-proposed features and demonstrate that our new features successfully detect 190 malware-injected processes which fail to be detected by previously-proposed features. Overall, our study demonstrates that fine-grained Program-DNS profiles can provide meaningful and effective features in building detectors for attack campaigns that bypass existing detection systems.

Original language	English (US)
Title of host publication	Proceedings - 5th IEEE European Symposium on Security and Privacy, Euro S and P 2020
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	552-568
Number of pages	17
ISBN (Electronic)	9781728150871
DOIs	https://doi.org/10.1109/EuroSP48549.2020.00042
State	Published - Sep 2020
Event	5th IEEE European Symposium on Security and Privacy, Euro S and P 2020 - Virtual, Genoa, Italy Duration: Sep 7 2020 → Sep 11 2020

Publication series

Name	Proceedings - 5th IEEE European Symposium on Security and Privacy, Euro S and P 2020

Conference

Conference	5th IEEE European Symposium on Security and Privacy, Euro S and P 2020
Country/Territory	Italy
City	Virtual, Genoa
Period	9/7/20 → 9/11/20

All Science Journal Classification (ASJC) codes

Artificial Intelligence
Computer Networks and Communications
Hardware and Architecture
Software
Safety, Risk, Reliability and Quality
Information Systems and Management

Keywords

n/a

Access to Document

10.1109/EuroSP48549.2020.00042

Cite this

Sun, Y., Jee, K., Sivakorn, S., Li, Z., Lumezanu, C., Korts-Parn, L., Wu, Z., Rhee, J., Kim, C. H., Chiang, M., & Mittal, P. (2020). Detecting Malware Injection with Program-DNS Behavior. In Proceedings - 5th IEEE European Symposium on Security and Privacy, Euro S and P 2020 (pp. 552-568). Article 9230384 (Proceedings - 5th IEEE European Symposium on Security and Privacy, Euro S and P 2020). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/EuroSP48549.2020.00042

@inproceedings{565233ce5f7648628cf9cd4099f2ca90,

title = "Detecting Malware Injection with Program-DNS Behavior",

abstract = "Analyzing the DNS traffic of Internet hosts has been a successful technique to counter cyberattacks and identify connections to malicious domains. However, recent stealthy attacks hide malicious activities within seemingly legitimate connections to popular web services made by benign programs. Traditional DNS monitoring and signature-based detection techniques are ineffective against such attacks. To tackle this challenge, we present a new program-level approach that can effectively detect such stealthy attacks. Our method builds a fine-grained Program-DNS profile for each benign program that characterizes what should be the 'expected' DNS behavior. We find that malware-injected processes have DNS activities which significantly deviate from the Program-DNS profile of the benign program. We then develop six novel features based on the Program-DNS profile, and evaluate the features on a dataset of over 130 million DNS requests collected from a real-world enterprise and 8 million requests from malware-samples executed in a sandbox environment. We compare our detection results with that of previously-proposed features and demonstrate that our new features successfully detect 190 malware-injected processes which fail to be detected by previously-proposed features. Overall, our study demonstrates that fine-grained Program-DNS profiles can provide meaningful and effective features in building detectors for attack campaigns that bypass existing detection systems.",

keywords = "n/a",

author = "Yixin Sun and Kangkook Jee and Suphannee Sivakorn and Zhichun Li and Cristian Lumezanu and Lauri Korts-Parn and Zhenyu Wu and Junghwan Rhee and Kim, {Chung Hwan} and Mung Chiang and Prateek Mittal",

note = "Publisher Copyright: {\textcopyright} 2020 IEEE.; 5th IEEE European Symposium on Security and Privacy, Euro S and P 2020 ; Conference date: 07-09-2020 Through 11-09-2020",

year = "2020",

month = sep,

doi = "10.1109/EuroSP48549.2020.00042",

language = "English (US)",

series = "Proceedings - 5th IEEE European Symposium on Security and Privacy, Euro S and P 2020",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "552--568",

booktitle = "Proceedings - 5th IEEE European Symposium on Security and Privacy, Euro S and P 2020",

address = "United States",

}

Sun, Y, Jee, K, Sivakorn, S, Li, Z, Lumezanu, C, Korts-Parn, L, Wu, Z, Rhee, J, Kim, CH, Chiang, M & Mittal, P 2020, Detecting Malware Injection with Program-DNS Behavior. in Proceedings - 5th IEEE European Symposium on Security and Privacy, Euro S and P 2020., 9230384, Proceedings - 5th IEEE European Symposium on Security and Privacy, Euro S and P 2020, Institute of Electrical and Electronics Engineers Inc., pp. 552-568, 5th IEEE European Symposium on Security and Privacy, Euro S and P 2020, Virtual, Genoa, Italy, 9/7/20. https://doi.org/10.1109/EuroSP48549.2020.00042

Detecting Malware Injection with Program-DNS Behavior. / Sun, Yixin; Jee, Kangkook; Sivakorn, Suphannee et al.
Proceedings - 5th IEEE European Symposium on Security and Privacy, Euro S and P 2020. Institute of Electrical and Electronics Engineers Inc., 2020. p. 552-568 9230384 (Proceedings - 5th IEEE European Symposium on Security and Privacy, Euro S and P 2020).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Detecting Malware Injection with Program-DNS Behavior

AU - Sun, Yixin

AU - Jee, Kangkook

AU - Sivakorn, Suphannee

AU - Li, Zhichun

AU - Lumezanu, Cristian

AU - Korts-Parn, Lauri

AU - Wu, Zhenyu

AU - Rhee, Junghwan

AU - Kim, Chung Hwan

AU - Chiang, Mung

AU - Mittal, Prateek

PY - 2020/9

Y1 - 2020/9

N2 - Analyzing the DNS traffic of Internet hosts has been a successful technique to counter cyberattacks and identify connections to malicious domains. However, recent stealthy attacks hide malicious activities within seemingly legitimate connections to popular web services made by benign programs. Traditional DNS monitoring and signature-based detection techniques are ineffective against such attacks. To tackle this challenge, we present a new program-level approach that can effectively detect such stealthy attacks. Our method builds a fine-grained Program-DNS profile for each benign program that characterizes what should be the 'expected' DNS behavior. We find that malware-injected processes have DNS activities which significantly deviate from the Program-DNS profile of the benign program. We then develop six novel features based on the Program-DNS profile, and evaluate the features on a dataset of over 130 million DNS requests collected from a real-world enterprise and 8 million requests from malware-samples executed in a sandbox environment. We compare our detection results with that of previously-proposed features and demonstrate that our new features successfully detect 190 malware-injected processes which fail to be detected by previously-proposed features. Overall, our study demonstrates that fine-grained Program-DNS profiles can provide meaningful and effective features in building detectors for attack campaigns that bypass existing detection systems.

AB - Analyzing the DNS traffic of Internet hosts has been a successful technique to counter cyberattacks and identify connections to malicious domains. However, recent stealthy attacks hide malicious activities within seemingly legitimate connections to popular web services made by benign programs. Traditional DNS monitoring and signature-based detection techniques are ineffective against such attacks. To tackle this challenge, we present a new program-level approach that can effectively detect such stealthy attacks. Our method builds a fine-grained Program-DNS profile for each benign program that characterizes what should be the 'expected' DNS behavior. We find that malware-injected processes have DNS activities which significantly deviate from the Program-DNS profile of the benign program. We then develop six novel features based on the Program-DNS profile, and evaluate the features on a dataset of over 130 million DNS requests collected from a real-world enterprise and 8 million requests from malware-samples executed in a sandbox environment. We compare our detection results with that of previously-proposed features and demonstrate that our new features successfully detect 190 malware-injected processes which fail to be detected by previously-proposed features. Overall, our study demonstrates that fine-grained Program-DNS profiles can provide meaningful and effective features in building detectors for attack campaigns that bypass existing detection systems.

KW - n/a

UR - http://www.scopus.com/inward/record.url?scp=85096565006&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85096565006&partnerID=8YFLogxK

U2 - 10.1109/EuroSP48549.2020.00042

DO - 10.1109/EuroSP48549.2020.00042

M3 - Conference contribution

AN - SCOPUS:85096565006

T3 - Proceedings - 5th IEEE European Symposium on Security and Privacy, Euro S and P 2020

SP - 552

EP - 568

BT - Proceedings - 5th IEEE European Symposium on Security and Privacy, Euro S and P 2020

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 5th IEEE European Symposium on Security and Privacy, Euro S and P 2020

Y2 - 7 September 2020 through 11 September 2020

ER -

Sun Y, Jee K, Sivakorn S, Li Z, Lumezanu C, Korts-Parn L et al. Detecting Malware Injection with Program-DNS Behavior. In Proceedings - 5th IEEE European Symposium on Security and Privacy, Euro S and P 2020. Institute of Electrical and Electronics Engineers Inc. 2020. p. 552-568. 9230384. (Proceedings - 5th IEEE European Symposium on Security and Privacy, Euro S and P 2020). doi: 10.1109/EuroSP48549.2020.00042

Detecting Malware Injection with Program-DNS Behavior

Abstract

Publication series

Conference

All Science Journal Classification (ASJC) codes

Keywords

Access to Document

Other files and links

Fingerprint

Cite this