deMSF: a Method for Detecting Malicious Server Flocks for Same Campaign

Yixin Li, Liming Wang, Jing Yang, Zhen Xu, Xi Luo
2020 EAI Endorsed Transactions on Security and Safety  
Nowadays, cybercriminals tend to leverage dynamic malicious infrastructures with multiple servers to conduct attacks, such as malware distribution and control. Compared with a single server, employing multiple servers allows crimes to be more efficient and stealthy. As the necessary role infrastructures play, many approaches have been proposed to detect malicious servers. However, many existing methods typically target only on the individual server and therefore fail to reveal inter-server
more » ... ctions of an attack campaign. In this paper, we propose a complementary system, deMSF, to identify server flocks, which are formed by infrastructures involved in the same malicious campaign. Our solution first acquires server flocks by mining relations of servers from both spatial and temporal dimensions. Further we extract the semantic vectors of servers based on word2vec and build a textCNN-based flocks classifier to recognize malicious flocks. We evaluate deMSF with real-world traffic collected from an ISP network. The result shows that it has a high precision of 99% with 90% recall.
doi:10.4108/eai.21-6-2021.170236 fatcat:dm5zlb3ycva3ldrxtactgrbvhm