deMSF: a Method for Detecting Malicious Server Flocks for Same Campaign

Li, Yixin and Wang, Liming and Yang, Jing and Xu, Zhen and Luo, Xi (2020) deMSF: a Method for Detecting Malicious Server Flocks for Same Campaign. EAI Endorsed Transactions on Security and Safety, 7 (26). e1. ISSN 2032-9393

[thumbnail of eai.21-6-2021.170236.pdf]
Available under License Creative Commons Attribution No Derivatives.

Download (1MB) | Preview


Nowadays, cybercriminals tend to leverage dynamic malicious infrastructures with multiple servers to conduct attacks, such as malware distribution and control. Compared with a single server, employing multiple servers allows crimes to be more efficient and stealthy. As the necessary role infrastructures play, many approaches have been proposed to detect malicious servers. However, many existing methods typically target only on the individual server and therefore fail to reveal inter-server connections of an attack campaign.In this paper, we propose a complementary system, deMSF, to identify server flocks, which are formed by infrastructures involved in the same malicious campaign. Our solution first acquires server flocks by mining relations of servers from both spatial and temporal dimensions. Further we extract the semantic vectors of servers based on word2vec and build a textCNN-based flocks classifier to recognize malicious flocks. We evaluate deMSF with real-world traffic collected from an ISP network. The result shows that it has a high precision of 99% with 90% recall.

Item Type: Article
Uncontrolled Keywords: Malicious web infrastructure, Server flock, Word embedding, textCNN
Subjects: Q Science > QA Mathematics > QA75 Electronic computers. Computer science
QA75 Electronic computers. Computer science
T Technology > T Technology (General)
Depositing User: EAI Editor IV
Date Deposited: 09 Jul 2021 08:32
Last Modified: 09 Jul 2021 08:32

Actions (login required)

View Item
View Item