Current large scale and commodity threats consistently showcase distinct regional characteristics. For example, watering hole attacks may target a particular group of industries, organizations, regions or a combination. While exploit kit, malspam and phishing attacks either focus on a specific geography or are globally distributed. In fact, requester geodiversity has been used to detect spurious botnets [1] like Dirtjumper and Pandora [2] but a more generic technique is desired to capture a wider range of threats, possibly non-spurious threats like phishing or malvertising.
In this lab session we do just that. Specifically, for a given domain, we develop a novel tensor containing time dependent country requester metrics and train a convolutional neural network to tease out the hierarchical relationships between countries and threats. We highlight the performance of this deep neural network architecture in a wide range of classification tasks by labeling threats from botnets, phishing, and malvertising domains.
In one experiment, classifying botnet from phishing domains, this model is able to improve accuracy by 10% when compared to simpler models. We motivate this model by detailing the challenges of using simpler models, like linear models and random forest classifiers, with restricted views of the requester geolocation popularity. While at the same time, we use those models to profile requester countries, and reveal how it is possible to differentiate phishing and botnet requests based on regional country codes. In other words, we reveal a novel and scalable method for capturing global requester trends and applying a supervised learning approach to detect some of the most pernicious online threats.
[1] Casado, M., Garfinkel, T., Cui, W., Paxson, V., Savage, S.: Opportunistic measurement: Extracting insight from spurious traffic. In: Proc. 4th ACM Workshop on Hot Topics in Networks (Hotnets-IV) (2005)
[2] An Wang, Aziz Mohaisen, Wentao Chang, and Songqing Chen. 2015. Capturing DDoS Attack Dynamics Behind the Scenes. In Proceedings of the 12th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment – Volume 9148 (DIMVA 2015), Magnus Almgren, Vincenzo Gulisano, and Federico Maggi (Eds.), Vol. 9148. Springer-Verlag New York, Inc., New York, NY, USA, 205-215.
David Rodriguez
Jingchuan Chen
Dhia Mahjoub
