Paint It Black: Evaluating the Effectiveness of Malware Blacklists

Marc Kührer, Christian Rossow and Thorsten Holz
International Symposium on Recent Advances in Intrusion Detection
Blacklists are commonly used to protect computer systems against the tremendous number of malware threats. These lists include abusive hosts such as malware sites or botnet Command & Control and dropzone servers to raise alerts if suspicious hosts are contacted. Up to now, though, little is known about the effectiveness of malware blacklists. 
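The mechanism the abstract describes, a list of abusive hosts that raises an alert whenever one of them is contacted, as an added example (this is not code from the paper or from the authors). The blocklist entries, the connection log lines and the address ranges are constructed for the example; the matcher handles single IPs, CIDR ranges, exact domains and wildcard subdomains, and checks suffixes on label boundaries so that `notcnc.example.net` does not match `cnc.example.net`.

```python
"""Added example: alert on outbound connections to blocklisted C&C / malware hosts.

Not code from the paper. Blocklist entries and log lines are constructed
(TEST-NET documentation ranges and example domains).
"""
import ipaddress
from typing import Iterable, List, Optional, Tuple

# Constructed blocklist: plain IPs, CIDR ranges, exact domains, wildcard subdomains.
BLOCKLIST = [
    "203.0.113.7",          # single C&C IP (TEST-NET-3)
    "198.51.100.0/24",      # CIDR range hosting dropzone servers (TEST-NET-2)
    "cnc.example.net",      # exact domain
    "*.dropzone.example",   # any subdomain of dropzone.example
]

# Constructed connection log: "<timestamp> <src_ip> <dst_ip> <dst_hostname or ->"
LOG_LINES = [
    "2014-05-01T10:00:01 10.0.0.5 203.0.113.7 -",
    "2014-05-01T10:00:02 10.0.0.5 198.51.100.42 files.dropzone.example",
    "2014-05-01T10:00:03 10.0.0.7 93.184.216.34 www.example.com",
    "2014-05-01T10:00:04 10.0.0.9 192.0.2.1 cnc.example.net",
    "2014-05-01T10:00:05 10.0.0.9 192.0.2.2 notcnc.example.net",
]


class Blocklist:
    """Indexes blocklist entries by type so lookups are cheap per connection."""

    def __init__(self, entries: Iterable[str]):
        self.ips = set()          # exact IP addresses
        self.nets = []            # CIDR ranges
        self.domains = set()      # exact domain names
        self.suffixes = set()     # wildcard entries, stored without the "*."
        for entry in entries:
            entry = entry.strip().lower()
            if not entry:
                continue
            if entry.startswith("*."):
                self.suffixes.add(entry[2:])
            elif "/" in entry:
                self.nets.append(ipaddress.ip_network(entry, strict=False))
            else:
                try:
                    self.ips.add(ipaddress.ip_address(entry))
                except ValueError:
                    self.domains.add(entry)

    def match_ip(self, ip: str) -> Optional[str]:
        """Return the matching entry for an IP, or None."""
        addr = ipaddress.ip_address(ip)
        if addr in self.ips:
            return str(addr)
        for net in self.nets:
            if addr in net:
                return str(net)
        return None

    def match_domain(self, host: str) -> Optional[str]:
        """Return the matching entry for a hostname, or None.

        Wildcards are matched on label boundaries only, so "notcnc.example.net"
        is not a hit for "cnc.example.net" and "*.dropzone.example" matches
        "files.dropzone.example" but not "dropzone.example" itself.
        """
        host = host.lower().rstrip(".")
        if host in self.domains:
            return host
        labels = host.split(".")
        for i in range(1, len(labels)):
            suffix = ".".join(labels[i:])
            if suffix in self.suffixes:
                return "*." + suffix
        return None


def scan(lines: Iterable[str], bl: Blocklist) -> List[Tuple[str, str, str]]:
    """Return (src_ip, contacted_host, matched_entry) for every blocklisted contact."""
    alerts = []
    for line in lines:
        _ts, src, dst_ip, dst_host = line.split()
        hit = bl.match_ip(dst_ip)
        if hit is None and dst_host != "-":
            hit = bl.match_domain(dst_host)
        if hit is not None:
            alerts.append((src, dst_ip if dst_host == "-" else dst_host, hit))
    return alerts


if __name__ == "__main__":
    for src, dst, entry in scan(LOG_LINES, Blocklist(BLOCKLIST)):
        print(f"ALERT {src} -> {dst} (blocklist entry: {entry})")
```

A matcher like this only ever alerts on hosts already on the list, which is why the paper's question matters in practice: the infections that go unnoticed are exactly the contacts to C&C or dropzone hosts the list does not cover, and the value of each alert depends on whether the listed host is still live or has since been sinkholed or re-assigned.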

Cybersecurity and Secure Information Systems

This chapter delivers a comprehensive overview of the security and privacy threats, vulnerabilities, and challenges of a smart city project; and suggests solutions in order to facilitate smart city development and governance.

A Framework For Malware Detection Using Blacklist-Based Method

This study addresses malware detection by proposing a framework based on a cloud blacklist-based approach; the framework detects malware with a precision of 75% (0.75), a recall of 0.31 and an F-measure of 0.441.

A Lustrum of Malware Network Communication: Evolution and Insights

For the vast majority of malware samples, network traffic provides the earliest indicator of infection, several weeks and often months before the malware sample is discovered. The authors argue that network defenders should rely on automated malware analysis to extract indicators of compromise, not to build early detection systems.

MalFlow: identification of C&C servers through host-based data flow profiling

This work proposes an approach that automatically estimates the risk associated with communicating with a domain based on the data flow behavior of a process communicating with it, and discusses how this concept can be used in an operational setting for fine-grained enforcement of risk-based incident response actions.

Understanding the Characteristics of Public Blocklist Providers

A measurement study to analyze public blocklist providers (PBP) in terms of lifespan, update frequency, entry bias, and user interface metrics is described.

The Black Mark beside My Name Server: Exploring the Importance of Name Server IP Addresses in Malware DNS Graphs

This short exploratory empirical paper examines how important the Internet Protocol (IP) addresses of name servers are in linking together Internet domains that have distributed malware.

Supporting Law-Enforcement to Cope with Blacklisted Websites: Framework and Case Study

This work proposes a novel framework based on Machine Learning (ML) that provides law enforcement with probabilistic classification of websites and with interpretability of the predictions made by the interpretable model, and shows that the framework is practical and has further potential to tackle website maliciousness.

Malicious Domain Detection based on Heterogeneous Information Network and Fusion Features

  • Hui Zhang, Jianlong Tan, Bingxu Wang
  • Computer Science
    2022 IEEE International Conference on Advances in Electrical Engineering and Computer Applications (AEECA)
  • 2022
A new method based on heterogeneous information network and fusion features, named MDND-HMF model, which can comprehensively extract multiple features such as domain relationship, text and statistical features from DNS resolution traffic is proposed in this paper.

Towards Accurate DGA Detection based on Siamese Network with Insufficient Training Samples

Experimental studies suggest that DGAD-SN can efficiently extract distinguishable neural feature vectors for domain names and outperforms state-of-the-art DGA detectors in identifying small-scale DGA families or emerging DGA variants.

Sandnet: network traffic analysis of malicious software

This work provides a comprehensive overview of typical malware network behavior by discussing the results that were obtained during the analysis of more than 100,000 malware samples and develops a new analysis environment called Sandnet that complements existing systems by focusing on network traffic analysis.

SinkMiner: Mining Botnet Sinkholes for Fun and Profit

SinkMiner is presented, a novel forensics system that enables the discovery of previously unknown sinkhole IPs and the related sinkholed domains by efficiently mining large passive DNS databases.

Paint it Black: Evaluating the Effectiveness of Malware Blacklists

  • Technical Report HGI-2014-002, University of Bochum - Horst Görtz Institute for IT Security
  • 2014

Detecting Gray in Black and White

There is no automated mechanism to perform a reasonable classification without manual expert knowledge of all involved mail senders, so either spammers or legitimate mailers are classified.

P2PWNED: Modeling and Evaluating the Resilience of Peer-to-Peer Botnets

A formal graph model is introduced to capture the intrinsic properties and fundamental vulnerabilities of P2P botnets; it can be used to assist security researchers in evaluating mitigation strategies against current and future P2P botnets.

Passive and Active Measurement

A technique for computer detection and correction of spelling errors

The method described assumes that a word which cannot be found in a dictionary has at most one error, which might be a wrong, missing or extra letter or a single transposition. The unidentified input

Large-Scale Analysis of Malware Downloaders

This paper analyzes and characterizes 23 Windows-based malware downloaders, shows a high diversity in the downloaders' communication architectures, carrier protocols and encryption schemes, and presents two generic techniques enabling defenders to actively acquire malware samples.

ProVeX: Detecting Botnets with Encrypted Command and Control Channels

ProVeX is a system that automatically derives probabilistic vectorized signatures for fields in the C&C protocol by evaluating byte probabilities in the C&C input traces used for training; it can detect all studied malware families, most of which are not detectable with traditional means.

XXXtortion?: inferring registration intent in the .XXX TLD

This paper measures the validity of concerns that the .XXX TLD would primarily generate value through defensive and speculative registrations, without actually serving a real need, using data gathered from ICANN, WHOIS and Web requests to characterize each .XXX domain and infer the registrant's most likely intent.