Joint Detection of Malicious Domains and Infected Clients

Kód výsledku v IS VaVaI

<a href="https://www.isvavai.cz/riv?ss=detail&h=RIV%2F68407700%3A21230%2F19%3A00339850" target="_blank" >RIV/68407700:21230/19:00339850 - isvavai.cz</a>

Výsledek na webu

<a href="https://doi.org/10.1007/s10994-019-05789-z" target="_blank" >https://doi.org/10.1007/s10994-019-05789-z</a>

DOI - Digital Object Identifier

<a href="http://dx.doi.org/10.1007/s10994-019-05789-z" target="_blank" >10.1007/s10994-019-05789-z</a>

Jazyk výsledku

angličtina

Název v původním jazyce

Joint Detection of Malicious Domains and Infected Clients

Popis výsledku v původním jazyce

Detection of malware-infected computers and detection of malicious web domains based on their encrypted HTTPS traffic are challenging problems, because only addresses, timestamps, and data volumes are observable. The detection problems are coupled, because infected clients tend to interact with malicious domains. Traffic data can be collected at a large scale, and antivirus tools can be used to identify infected clients in retrospect. Domains, by contrast, have to be labeled individually after forensic analysis. We explore transfer learning based on sluice networks; this allows the detection models to bootstrap each other. In a large-scale experimental study, we find that the model outperforms known reference models and detects previously unknown malware, previously unknown malware families, and previously unknown malicious domains.

Název v anglickém jazyce

Joint Detection of Malicious Domains and Infected Clients

Popis výsledku anglicky

Detection of malware-infected computers and detection of malicious web domains based on their encrypted HTTPS traffic are challenging problems, because only addresses, timestamps, and data volumes are observable. The detection problems are coupled, because infected clients tend to interact with malicious domains. Traffic data can be collected at a large scale, and antivirus tools can be used to identify infected clients in retrospect. Domains, by contrast, have to be labeled individually after forensic analysis. We explore transfer learning based on sluice networks; this allows the detection models to bootstrap each other. In a large-scale experimental study, we find that the model outperforms known reference models and detects previously unknown malware, previously unknown malware families, and previously unknown malicious domains.

Druh

J_imp - Článek v periodiku v databázi Web of Science

CEP obor

—

OECD FORD obor

10201 - Computer sciences, information science, bioinformathics (hardware development to be 2.2, social aspect to be 5.8)

Projekt

<a href="/cs/project/GA18-21409S" target="_blank" >GA18-21409S: Hierarchické modely pro detekci a popis anomalií</a><br>

Návaznosti

P - Projekt vyzkumu a vyvoje financovany z verejnych zdroju (s odkazem do CEP)

Rok uplatnění

2019

Kód důvěrnosti údajů

S - Úplné a pravdivé údaje o projektu nepodléhají ochraně podle zvláštních právních předpisů

Název periodika

Machine Learning

ISSN

0885-6125

e-ISSN

1573-0565

Svazek periodika

108

Číslo periodika v rámci svazku

8-9

Stát vydavatele periodika

NL - Nizozemsko

Počet stran výsledku

16

Strana od-do

1353-1368

Kód UT WoS článku

000478619200008

EID výsledku v databázi Scopus

2-s2.0-85062148327