Research Article
Identifying APT Malware Domain Based on Mobile DNS Logging
Weina Niu (1,2), Xiaosong Zhang (1,2), GuoWu Yang (2), Jianan Zhu (3), and Zhongwei Ren (1)
1 School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu, Sichuan 611731, China
2 Center for Cyber Security, University of Electronic Science and Technology of China, Chengdu, Sichuan 611731, China
3 School of Information and Software Engineering, University of Electronic Science and Technology of China, Chengdu, Sichuan 610054, China
Correspondence should be addressed to Xiaosong Zhang; johnsonzxs@uestc.edu.cn
Received 25 January 2017; Accepted 7 March 2017; Published 6 April 2017
Academic Editor: Lixiang Li
Copyright © Weina Niu et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
Advanced Persistent Threat (APT) is a serious threat against sensitive information. Current detection approaches are time-consuming since they detect APT attacks by in-depth analysis of massive amounts of data after the data breach has already occurred. Specifically, APT attackers make use of DNS to locate their command and control (C&C) servers and victims' machines. In this paper, we propose an efficient approach to detect APT malware C&C domains with high accuracy by analyzing DNS logs. We first extract features from the DNS logs of mobile devices. According to Alexa ranking and VirusTotal's judgement result, we give each domain a score. Then, we select the most normal domains by this score metric. Finally, we utilize our anomaly detection algorithm, called Global Abnormal Forest (GAF), to identify malware C&C domains. We conduct a performance analysis to demonstrate that our approach is more efficient than other existing works in terms of calculation efficiency and recognition accuracy. Compared with Local Outlier Factor (LOF), k-Nearest Neighbor (KNN), and Isolation Forest (iForest), our approach obtains more than % F-M and R for the detection of C&C domains. Our approach not only reduces the data volume that needs to be recorded and analyzed but is also applicable to unsupervised learning.
1. Introduction
Advanced Persistent Threat (APT) [, ] is an attack launched by a well-funded and skilled organization to steal high-value information over a long period of time. APT attackers install malware on the compromised machine to build a command and control (C&C) channel after infiltrating the targeted network. Most malware makes use of the Domain Name System (DNS) to locate its domain name servers and compromised devices. Then, APT attackers can establish a long-term connection to victims' devices for stealing sensitive data. Thus, malware C&C domain detection can help security analysts block an essential stage of an APT.
Currently, there are some works that identify C&C domains by analyzing the network traffic of PCs [–]. BotSniffer [], BotGAD [], and BotMiner [] made use of specific behavioral anomalies (e.g., daily similarity and short life) to detect the C&C involved in a botnet. The main reason this works is that bot hosts have group similarity. Other works [–] also distinguish between malicious domains and normal domains according to domain-based features, such as domain name string composition, registration time, and active time. However, these detection approaches cannot be applied to APT malware, since APT attackers infect only a small number of machines, and those machines behave normally to avoid detection. Machine learning technology has proved to be effective in identifying malware []. However, there is little artificially labelled data of APT malware. Moreover, normal and abnormal samples overlap with each other.
In order to address these challenges, we propose an approach to identifying APT malware domains based on DNS logs. We conduct experiments to evaluate our proposed algorithm, called Global Abnormal Forest (GAF), against three traditional algorithms, namely, Local Outlier Factor (LOF),
Hindawi
Mathematical Problems in Engineering
Volume 2017, Article ID 4916953, 9 pages
https://doi.org/10.1155/2017/4916953