swMATH ID: 23931
Software Authors: Nelms, T., Perdisci, R., Ahamad, M.
Description: ExecScent: mining for new C&C domains in live networks with adaptive control protocol templates. In this paper, we present ExecScent, a novel system that aims to mine new, previously unknown C&C domain names from live enterprise network traffic. ExecScent automatically learns control protocol templates (CPTs) from examples of known C&C communications. These CPTs are then adapted to the “background traffic” of the network where the templates are to be deployed. The goal is to generate hybrid templates that can self-tune to each specific deployment scenario, thus yielding a better trade-off between true and false positives for a given network environment. To the best of our knowledge, ExecScent is the first system to use this type of adaptive C&C traffic model. We implemented a prototype version of ExecScent and deployed it in three different large networks for a period of two weeks. During the deployment, we discovered many new, previously unknown C&C domains and hundreds of new infected machines, compared to using a large up-to-date commercial C&C domain blacklist. Furthermore, we deployed the new C&C domains mined by ExecScent to six large ISP networks, discovering more than 25,000 new infected machines.
Homepage: https://www.usenix.org/conference/usenixsecurity13/technical-sessions/paper/nelms
Related Software: BotMiner; ElemStatLearn; Keras; TensorFlow; word2vec; Scikit; Panorama; KEA; FIRMA; VAMO; Polygraph; Hamsa; Autograph; BitShred; PhishEye; BotProfiler; BotTokenizer; BotSniffer
Cited in: 3 Publications