
Automated classification of C&C connections through malware URL clustering

Abstract : We present WebVisor, an automated tool to derive patterns from malware Command and Control (C&C) server connections. From collective network communications stored in a large-scale malware dataset, WebVisor establishes the underlying patterns among samples of the same malware families (e.g., families in terms of development tools). WebVisor focuses on C&C channels based on the Hypertext Transfer Protocol (HTTP). First, it builds clusters based on the statistical features of the HTTP-based Uniform Resource Locators (URLs) stored in the malware dataset. Then, it conducts a fine-grained, noise-agnostic clustering process, based on the structure and semantic features of the URLs. We present experimental results using a software prototype of WebVisor and real-world malware datasets.
Keywords : Data security
Document type : Conference papers

Cited literature [24 references]

https://hal.archives-ouvertes.fr/hal-01255089
Contributor : Médiathèque Télécom Sudparis & Institut Mines-Télécom Business School
Submitted on : Wednesday, July 13, 2016 - 2:56:42 PM
Last modification on : Monday, August 24, 2020 - 4:16:13 PM

File

337885_1_En_17_Chapter.pdf
Files produced by the author(s)

Citation

Nizar Kheir, Gregory Blanc, Hervé Debar, Joaquin Garcia-Alfaro, Dingqi Yang. Automated classification of C&C connections through malware URL clustering. 2015 SEC : 30th IFIP International Conference on ICT Systems Security and Privacy Protection, May 2015, Hamburg, Germany. pp.252 - 266, ⟨10.1007/978-3-319-18467-8_17⟩. ⟨hal-01255089⟩
