Conference papers

Automated classification of C&C connections through malware URL clustering

Abstract : We present WebVisor, an automated tool to derive patterns from malware Command and Control (C&C) server connections. From collective network communications stored on a large-scale malware dataset, WebVisor establishes the underlying patterns among samples of the same malware families (e.g., families in terms of development tools). WebVisor focuses on C&C channels based on the Hypertext Transfer Protocol (HTTP). First, it builds clusters based on the statistical features of the HTTP-based Uniform Resource Locators (URLs) stored in the malware dataset. Then, it conducts a fine-grained, noise-agnostic clustering process, based on the structure and semantic features of the URLs. We present experimental results using a software prototype of WebVisor and real-world malware datasets.
Keywords : Data security

Cited literature [24 references]
Contributor : Médiathèque Télécom Sudparis & Institut Mines-Télécom Business School
Submitted on : Wednesday, July 13, 2016 - 2:56:42 PM
Last modification on : Friday, January 29, 2021 - 4:40:14 PM





Nizar Kheir, Gregory Blanc, Hervé Debar, Joaquin Garcia-Alfaro, Dingqi Yang. Automated classification of C&C connections through malware URL clustering. 2015 SEC : 30th IFIP International Conference on ICT Systems Security and Privacy Protection, May 2015, Hamburg, Germany. pp.252 - 266, ⟨10.1007/978-3-319-18467-8_17⟩. ⟨hal-01255089⟩


