Network Connectivity Graph for Malicious Traffic Dissection

Enrico Bocchi*, Luigi Grimaudo*, Marco Mellia*, Elena Baralis*, Sabyasachi Saha†, Stanislav Miskovic†, Gaspar Modelo-Howard†, Sung-Ju Lee‡

* Politecnico di Torino, {name.surname}@polito.it
† Symantec Corp., {name surname}@symantec.com

Abstract—Malware is a major threat to the security and privacy of network users. A huge variety of malware typically spreads over the Internet, evolving every day and challenging the research community and security practitioners to improve the effectiveness of countermeasures. In this paper, we present a system that automatically extracts patterns of network activity related to a specific malicious event, i.e., a seed. Our system is based on a methodology that correlates network events of hosts normally connected to the Internet over (i) time (i.e., analyzing different samples of traffic from the same host), (ii) space (i.e., correlating patterns across different hosts), and (iii) network layers (e.g., HTTP, DNS, etc.). The result is a Network Connectivity Graph that captures the overall “network behavior” of the seed. This is a focused and enriched representation of the malicious pattern infected hosts exhibit, purified from ordinary network activities and background traffic. We applied our approach on a large dataset collected in a real commercial ISP where the aggregated traffic produced by more than 20,000 households has been monitored. A commercial IDS has been used to complement network data with alerts related to malicious activities. We use such alerts to trigger our processing system. Results show that the richness of the Network Connectivity Graph provides a much more detailed picture of malicious activities, considerably enhancing our understanding.

I. INTRODUCTION

Information security over the Internet remains a primary concern for consumers, enterprises, and governments alike. Malware infiltrates and spreads over the Internet, hiding its traffic within a huge volume of benign traffic. Cyber-attackers also use sophisticated schemes to modify malware and evade detection by security measures. Recent industry reports disclose that existing antivirus software’s detection rate of newly crafted viruses is less than 5% [1]. This creates a de facto arms race between security researchers and cyber-attackers. Practitioners in the field take different approaches to detect malware, which results in a set of methodologies ranging from instruction set and code analysis to traffic characterization of infected hosts. For instance, a detection rule can be designed by studying the behavior of infected hosts in a controlled environment (e.g., a honeypot). In this scenario, it is possible to identify the communication channel with the Command and Control (C&C) network, or to define signatures for proprietary and obfuscated protocols used by malicious software.

‡ KAIST, [email protected]

However, it is generally more complicated to obtain a complete picture of the overall malware behavior, due to the evolution of malware itself to circumvent counteractions and the lack of tools that easily extract facts related to malicious activities. Thus, to obtain a thorough and up-to-date picture, security specialists must resort to a manual and cumbersome analysis of data produced by infected hosts in the wild. In this paper, we present a methodology to automatically extract detailed network patterns generated by infected hosts. We consider the vantage point offered by a network where the traffic aggregate of thousands of possibly infected hosts flows. A passive monitoring tool extracts and logs events from the traffic. An event could be an HTTP request, a DNS response, or simply a TCP flow going to a host using an unknown protocol. A security monitor, e.g., an Intrusion Detection System (IDS), analyzes the traffic in parallel and flags some of the events as malicious, according to a database of already available rules. These flagged events are the seeds that trigger our analysis. Given the traffic log and a seed, our system provides a set of “forensic” information to the security analyst for a better understanding of the context in which malicious events take place. Ultimately, it extracts a detailed and complete picture of the malicious activities correlated with the seed event. Identifying the subset of events that belong to the same activity is a challenging task, as each host generates thousands of events caused by multiple applications running concurrently. For instance, the same host could visit a legitimate web page, poll the mail server, and upload files to a cloud storage service, while malware is connecting to a C&C node that sends victims new malicious instructions.
Furthermore, the order in which events appear is typically not deterministic, with randomness due to diversity (e.g., two hosts visiting the same page can fetch objects in a different order) and system memory (e.g., a DNS request not appearing in the traffic because the server name has been previously resolved and cached). Our approach is based on a filtering and enrichment process that leverages (i) temporal and (ii) spatial repetitiveness of events generated by different hosts. The intuition is to look for common patterns that are present in different snapshots from the same host, and among different hosts. We explicitly go after repetitive and popular events. In practice, as few as three observations of a malicious seed are enough to trigger our methodology. The result is offered as a Network Connectivity Graph (CG), which models only events highly correlated with the seed, and allows us to easily navigate and extract valuable information using our domain knowledge.

Fig. 1. Example of events generated by a host as seen from the network. [Figure: timeline of one host's traffic with markers for HTTP events, DNS events and generic TCP/UDP events; the malicious activity (obfuscated JS, binary download, failed DNS requests, successful DNS request for domC, traffic to domC, the C&C) is drawn above the normal activity (click on acme.org, email check).]

We start from real traffic collected in an operative network where more than 20,000 households are monitored. In a day, more than 336 M events are logged by the passive monitoring tool. A commercial IDS raises alarms for 1,700 unique malicious seeds, generating 42,000 events and belonging to more than 150 different threats. Out of those events, about 40,000 (95%) are processed by our system as they show the required properties of repetitiveness. For each seed, we run the filtering and enrichment process. At the end, the information offered in the final CG grows by a factor of 40, i.e., starting from a single seed, which is represented by three nodes in the CG, 160 nodes are present on average in the final CG. Visual inspection allows us to immediately spot (i) the malicious infrastructure (e.g., the presence of new C&C nodes), (ii) malicious attacks interfering with legitimate infrastructures (e.g., the exploitation of benign websites to force the download of Exploit Kits), and (iii) some evasion techniques adversaries use (e.g., the usage of DNS fast-fluxing [2]). The contributions of our work are as follows:
• We propose a methodology that extracts and represents the network activity surrounding a malicious seed, which is useful to identify and derive a detailed superset of events correlated to it.
• We take a multi-layer approach that combines the connectivity between different protocol layers to uncover hidden behavior and provide forensic information.
• We offer the information in the form of a Network Connectivity Graph, which is a straightforward means to represent the common activity of malicious incidents.
We believe that applications of the CG go beyond the simple visualization of the malicious activity.
For instance, signatures of the IDS can be updated and enriched, or the CG can be used as a signature itself to design novel behavioral classifiers able to distinguish between CGs derived from malicious or benign seeds. We leave these contributions as future work.

II. METHODOLOGY OVERVIEW

Before presenting the details of our system, we provide an overview and the intuitions behind its design.

A. Scenario

We consider a scenario in which a sniffer passively monitors the traffic generated by a large group of hosts, e.g., hosts in an enterprise network, or households connected to a Point of Presence (POP) of an Internet Service Provider (ISP). The sniffer extracts information from the packets and logs it in a file where each row corresponds to a different event. We assume that, for each TCP and UDP connection, the sniffer logs the flow identifier, the timestamp of the first packet, the flow duration, the number of exchanged packets and bytes, etc. For some protocols, the sniffer can provide multiple events with very detailed information. For instance, it could annotate each HTTP request/response with the requested URL, user-agent, content-type, server response status code, etc. Consider the timeline generated by a host reported in Fig. 1. It details the logged events generated by Internet applications. DNS and HTTP events are reported using specific markers, while other protocols are reported as generic TCP/UDP events. The user is visiting some web page (e.g., acme.org) while an email client is polling a mail server for new messages. Normal events are reported in the bottom part of the timeline. Unfortunately, acme.org is hosting a Drive-by Download page. Events on the upper part are due to the malicious activity in which the host is unknowingly fooled into downloading malware from a malicious JavaScript contained in the web page. We observe the download of the JavaScript object, followed by the download of the malware. Once running at the host, the malware periodically contacts (via HTTP) a C&C server whose hostname is quickly rotated using fast-flux [2]. The periodic polling is visible in the log as a sequence of (failed and successful) DNS requests, and HTTP traffic to the C&C node. Based on the view of the traffic from all monitored hosts, we design a methodology that extracts and characterizes common network activities. The challenge is how to isolate the events that are possibly correlated with a specific malicious activity from the “background” noise caused by other events.

Fig. 2. Host Connectivity Graph generation. [Figure: workflow from the host traffic (time snapshots around each seed instance) through observation snapshots, common patterns extraction and mining on the HTTP, DNS, Oth-TCP and Oth-UDP layers, to the Host Connectivity Graph (Host-CG) creation.]
B. Network Connectivity Graph

Consider a seed and the timeline around it. Intuitively, close-in-time events are likely to be related to it. For instance, in Fig. 1, the DNS request followed by several HTTP requests to the acme.org server could be identified as a typical pattern. However, Drive-by Download attacks [3] can mimic or be hidden in the same behavior. To isolate them, we study snapshots of traffic that contain the specific seeds. Fig. 2 shows the workflow used to transform the events of a given host into a Host Connectivity Graph (Host-CG). Three steps are executed: (i) Snapshots extraction; (ii) Per-layer common patterns mining; and (iii) Host-CG creation.

Algorithm 1 Create Network Connectivity Graph.
input args:  s: seed; H: set of hosts; ∆: snapshot duration
output:      Seed Connectivity Graph

 1: procedure graphLayer(s, S, layer):
 2:     P = findCommonPattern(s, S, layer)
 3:     return fromPatternsToGraph(P, layer)

 4: procedure hostConnectivityGraph(s, h, ∆):
 5:     S = getSnapshots(s, h, ∆)
 6:     gHTTP = graphLayer(s, S, 'HTTP')
 7:     gDNS = graphLayer(s, S, 'DNS')
 8:     gTCP = graphLayer(s, S, 'TCP')
 9:     gUDP = graphLayer(s, S, 'UDP')
10:     return connectLayers(gHTTP, gDNS, gTCP, gUDP)

11: procedure seedConnectivityGraph(s, H, ∆):
12:     Gs = ∅
13:     foreach h ∈ H:
14:         Gs ← hostConnectivityGraph(s, h, ∆)
15:     return fuseGraphs(Gs)

Fig. 3. Snapshots creation when consecutive snapshots overlap. [Figure: the i-th and the (i+1)-st snapshot are merged into a single snapshot when their overlap is larger than T/2; when the overlap is smaller than T/2 it is split between the two snapshots.]

Snapshots Extraction. For each instance of the seed, we extract a snapshot defined as the ordered set of events occurring in the temporal window centered at the seed. Two snapshots are presented in Fig. 2 as an example.

Common Patterns Mining. We then look for commonalities across snapshots. In particular, we look for patterns, defined as unordered sets of events, that appear across multiple snapshots. Intuitively, the periodic HTTP requests toward the C&C server would possibly be a repeating pattern on the HTTP layer. On the contrary, the web browsing events asynchronously generated by the host would be present only in a small subset of snapshots. We extract separate common patterns by processing the host traffic considering layers in isolation. The traffic generated on each layer corresponds to all events of a specific protocol, so that HTTP, DNS, other-TCP (i.e., all TCP communication except HTTP on port 80), and other-UDP (i.e., all UDP communication except UDP on port 53) events are separately analyzed. This choice originates from the fact that each protocol has some peculiarities that we want to leverage. For instance, in the HTTP layer, we are looking for common and repetitive patterns. On the DNS layer instead, a single failed DNS request may be more interesting than successful DNS requests.

Host Connectivity Graph. For each layer, we represent the common pattern as a graph where nodes and edges are specifically defined to offer a compact yet rich representation. Consider the HTTP layer. URLs can be represented by separating server hostnames and object paths into two nodes: an edge between the hostname and the path thus represents a URL. The resulting graph captures the website structure. For example, acme.org/index.html and acme.org/logo.png are represented with a hostname node (acme.org) and two object nodes. Similarly, in the DNS layer, the request for acme.org is linked to the IP address(es) returned by the resolver.

As a last step, we connect each per-layer graph into a final Host Connectivity Graph. This is done by adding links across multiple layers. For instance, the acme.org hostname in the HTTP layer is linked to the same node in the DNS layer graph. The resulting graph is a rich and compact representation of the common network activity related to a specific seed and a given host. Each layer brings a specific characterization of the activity given by a protocol, resulting in an overall integration of common patterns. In the previous example, the HTTP layer highlights the common websites hosting the binary download, while the DNS layer reveals failing requests triggered before or after C&C communications. Focusing only on each activity individually would miss such a relationship.

Seed Connectivity Graph. We leverage the fact that the same seed may be present in the timeline of different hosts, offering some “spatial” diversity. To have a broader view of the common activity related to a specific seed, we “fuse” multiple Host-CGs into a single Seed Connectivity Graph (Seed-CG). As for the common pattern, we have the freedom to choose between a selective fusion, e.g., retaining only those nodes common to all Host-CGs, or a permissive fusion, e.g., merging all nodes from all Host-CGs.

III. BUILDING THE CONNECTIVITY GRAPH

The key aspect of the proposed methodology is the approach used to create Network Connectivity Graphs. The pseudo-code in Alg. 1 details this procedure. This section discusses the design choices taken and the parameters to be controlled when creating a network connectivity graph.

A. Snapshots Extraction

The first step to process host traffic is the extraction of the observation snapshots. We define a parameter ∆ that controls the duration of the snapshots. In particular, a snapshot is composed of all events occurring in the interval ±∆/2 centered around the seed. In case consecutive snapshots overlap, we apply the two strategies depicted in Fig. 3 to solve the conflict. If the overlapping window lasts for more than ∆/2, the two snapshots are merged. Otherwise, the overlap is split into two halves, each associated with a different snapshot. These operations are executed by getSnapshots() (Alg. 1 line:5), which receives the seed (s), a host (h) presenting at least one instance of the seed, and the snapshot duration (∆) as inputs. It returns the set of snapshots (S) found. Different values of ∆ can lead to different results: the larger the ∆ (e.g., hours), the more the snapshots will merge. This results in fewer snapshots on which to perform pattern mining, with each presenting “noisy” data since not many events are filtered. Conversely, a small value of ∆ (e.g., seconds) might be too conservative. In the following, we set ∆ = 30 minutes. A complete sensitivity analysis is reported in Sec. V-B.
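The snapshot extraction step above, written out as an added example (this is not the authors' code): windows of duration ∆ are centered on each seed instance, consecutive overlapping windows are merged when the overlap exceeds ∆/2 and split in the middle otherwise, and each snapshot is finally turned into the transaction of distinct items that the mining step consumes. The host timeline, the hostnames and the item strings are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: float      # seconds since the start of the trace
    layer: str     # "HTTP", "DNS", "TCP" or "UDP"
    item: str      # the item string the paper maps each event to (Sec. III-B)


def seed_windows(seed_ts, delta):
    """One window of duration delta, centered on each instance of the seed."""
    half = delta / 2.0
    return [(t - half, t + half) for t in sorted(seed_ts)]


def resolve_overlaps(windows, delta):
    """The two strategies of Fig. 3 for consecutive overlapping windows:
    merge them when the overlap lasts more than delta/2, otherwise split
    the overlap in two halves, one for each snapshot."""
    resolved = []
    for start, end in windows:
        if not resolved or start >= resolved[-1][1]:    # no overlap at all
            resolved.append([start, end])
            continue
        prev = resolved[-1]
        overlap = prev[1] - start
        if overlap > delta / 2.0:
            prev[1] = max(prev[1], end)                 # merge into one snapshot
        else:
            mid = start + overlap / 2.0
            prev[1] = mid                               # previous keeps first half
            resolved.append([mid, end])                 # current keeps second half
    return [tuple(w) for w in resolved]


def get_snapshots(events, seed_ts, delta):
    """getSnapshots(): the ordered events falling in each resolved window."""
    windows = resolve_overlaps(seed_windows(seed_ts, delta), delta)
    snapshots = [sorted((e for e in events if start <= e.ts < end), key=lambda e: e.ts)
                 for start, end in windows]
    return windows, snapshots


def to_transactions(snapshots, layer):
    """One transaction per snapshot: the set of distinct items of one layer."""
    return [frozenset(e.item for e in snap if e.layer == layer) for snap in snapshots]


# Constructed timeline of one host. The seed is the HTTP poll toward the C&C
# hostname; the seeds at 1000 s and 2500 s produce windows overlapping by 300 s
# (less than delta/2 = 900 s), so that overlap is split at 1750 s.
DELTA = 30 * 60
SEP = "–"   # separator the paper uses inside DNS/TCP/UDP items
EVENTS = [
    Event(950, "DNS", "evil-cc.example" + SEP + "NXDomain"),   # failed fast-flux lookup
    Event(1000, "HTTP", "evil-cc.example/poll"),               # seed instance
    Event(1200, "HTTP", "acme.org/index.html"),
    Event(1700, "HTTP", "mail.example/check"),
    Event(2450, "DNS", "evil-cc.example" + SEP + "198.51.100.7"),
    Event(2500, "HTTP", "evil-cc.example/poll"),               # seed instance
    Event(3000, "HTTP", "news.example/today"),
    Event(5000, "UDP", "192.0.2.50" + SEP + "6881"),           # outside every window
    Event(7950, "DNS", "evil-cc.example" + SEP + "NXDomain"),
    Event(8000, "HTTP", "evil-cc.example/poll"),               # seed instance
]
SEED_TS = [1000, 2500, 8000]

if __name__ == "__main__":
    windows, snaps = get_snapshots(EVENTS, SEED_TS, DELTA)
    for w, snap in zip(windows, snaps):
        print(w, [e.item for e in snap])
    print(to_transactions(snaps, "HTTP"))
```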


B. Common Patterns Mining

We use the frequent itemset mining technique to extract common patterns [4]. This technique works on unordered sets of simple objects (e.g., strings). Snapshots, however, correspond to ordered sequences of events that may appear multiple times. We thus map each event to an item based on the event properties. Specifically:
• an HTTP item is represented by the HTTP URL, e.g., http://domain.com/path/file.ext.
• a DNS item combines the requested hostname with either the list of returned IP addresses, or the query response code, e.g., DoesNotExists.com–NXDomain.
• TCP and UDP items are represented by the server IP address and the port contacted, e.g., 10.20.30.40–443.
For each snapshot, we create a transaction containing the set of distinct items. We look for common itemsets, i.e., sets of items common across multiple transactions. A support value is computed for each itemset and indicates the fraction of transactions containing the specific itemset. An itemset is “frequent” if its support is greater than or equal to MinSupport. For a given support value, the itemset presenting the highest number of items is said to be closed. The closed attribute implies that no other itemset made of more items has the same support. Itemsets with a number of items smaller than MinLength could be discarded. By setting MinLength=1, frequent itemsets are equivalent to simple frequent items in terms of Connectivity Graph elements. For MinLength=2, at least pairs of items are considered. For instance, consider acme.org/index.html and acme.org/logo.png that appear in 70% and 45% of snapshots, respectively. The itemset (acme.org/index.html, acme.org/logo.png) may appear in from 15% to 45% of snapshots. Looking for all itemsets is an NP-hard problem [5], but well-known algorithms compute frequent closed itemsets efficiently. Among those, we rely on the Carpenter algorithm [6], which is specifically designed for datasets made of few transactions (i.e., snapshots) that have a huge number of items (i.e., events). Our system looks for frequent closed itemsets that, for simplicity, we call patterns. Patterns are extracted by findCommonPattern() (Alg. 1 line:2), which receives the seed (s), the set of snapshots (S) and the layer (layer) to process. It returns the patterns (P). The pattern extraction process is guided by the definition of the value of MinSupport, i.e., events that do not appear with a frequency of at least MinSupport are discarded. We set MinSupport = 1/2, i.e., for each host, we discard all events not appearing in at least half of the snapshots. Sensitivity analysis is detailed in Sec. V-B.

C. Host Connectivity Graph

As previously discussed, we individually process each layer to create separate graphs. The graphLayer() procedure (Alg. 1 line:1) extracts patterns for a specific layer and maps them into a graph. This mapping exploits a subset of the event properties:
• The HTTP layer has two node types: hostnames and object paths. An edge connects the hostname and the object path to compose a URL.
• The DNS layer has three node types: server hostnames, server IP addresses, and DNS error codes. An edge connects the hostname to either the IP addresses returned by a DNS response, or to an error code.
• The TCP and UDP layers have two node types: server IP addresses and server ports. An edge connects the two to represent a TCP or UDP connection.

Fig. 4. Graph layers nodes and multi-layer connections. [Figure: the host IP node is shared by the HTTP layer (hostname, object-path nodes), the DNS layer (hostname, host IP nodes) and the Oth-TCP and Oth-UDP layers (host IP, dst-port nodes); hostname and host IP nodes common to different layers are linked across layers.]

Different graph layers are combined in a single Host-CG using hostConnectivityGraph() (Alg. 1 line:4). The function starts by extracting the snapshots (S) related to the seed. The snapshots are then processed to extract the graph layers (gHTTP, gDNS, gTCP, gUDP) through calls to graphLayer(). The separate layers are finally integrated to form the Host-CG using the connectLayers() function, which looks for common nodes across the layers and links them as represented in Fig. 4. Notice that each graph layer contains the host (h) IP address by construction.

D. Seed Connectivity Graph

To provide the global view of the common behavior seen by observing multiple hosts, we combine all Host-CGs. This operation is performed by the seedConnectivityGraph() (Alg. 1 line:11) function. For each host (h) among the subset presenting the seed (H), the function creates the Host-CG by calling hostConnectivityGraph(). All the output graphs are collected into the set Ghosts. The graphs are finally merged using fuseGraphs(). This operation can consider different strategies. For instance, applying a strict intersection would retain only nodes appearing in all Host-CGs. In the worst case, this results in a Seed-CG containing only the original seed. More complex strategies can instead compute node and link popularity among hosts, and discard those below the threshold MinPopularity. In the following, we consider the strict intersection across Host-CGs as the default choice, i.e., MinPopularity=1.
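Sections III-B, III-C and III-D carried through as one added example (not the authors' implementation): frequent closed itemsets are mined per layer with MinSupport = 1/2, mapped to typed graph nodes and edges, and the Host-CGs of two hosts are fused into a Seed-CG. Closed itemsets are found by enumerating subsets of transactions, the row-enumeration idea behind Carpenter, which is cheap when a host has only a few snapshots; the hostnames, addresses and snapshot contents are constructed, and the host IP node of Fig. 4 is left out so that the cross-layer link is the hostname node shared by the HTTP and DNS layers.

```python
import math
from itertools import combinations

SEP = "–"   # separator the paper uses inside DNS/TCP/UDP items, e.g. "acme.org–203.0.113.5"


def closed_frequent_itemsets(transactions, min_support):
    """Frequent closed itemsets of a list of frozensets, as {itemset: support}.
    A closed itemset equals the intersection of the transactions that contain it,
    so intersecting every subset of at least ceil(min_support * n) transactions
    (row enumeration) yields exactly the frequent closed itemsets."""
    n = len(transactions)
    min_rows = max(1, math.ceil(min_support * n))
    found = {}
    for k in range(min_rows, n + 1):
        for rows in combinations(range(n), k):
            common = frozenset.intersection(*(transactions[i] for i in rows))
            if common and common not in found:
                support = sum(1 for t in transactions if common <= t) / n
                if support >= min_support:
                    found[common] = support
    return found


def item_to_edge(item, layer):
    """Map one item of a pattern to an edge between (type, value) nodes."""
    if layer == "HTTP":                        # hostname --- object path
        host, _, path = item.partition("/")
        return (("hostname", host), ("path", "/" + path))
    if layer == "DNS":                         # hostname --- IP address(es) or error code
        host, _, answer = item.partition(SEP)
        kind = "ip" if answer[:1].isdigit() else "error"
        return (("hostname", host), (kind, answer))
    ip, _, port = item.partition(SEP)          # TCP/UDP: server IP --- server port
    return (("ip", ip), (layer.lower() + "-port", port))


def graph_layer(snapshots, layer, min_support):
    """graphLayer(): mine the layer's patterns and turn their items into edges."""
    patterns = closed_frequent_itemsets(snapshots[layer], min_support)
    return {item_to_edge(item, layer) for pattern in patterns for item in pattern}


def host_connectivity_graph(snapshots, min_support=0.5):
    """Edge set of the Host-CG. A node is identified by its (type, value) pair,
    so a hostname present in both the HTTP and the DNS layer is one node; that
    shared node is the cross-layer link that connectLayers() creates."""
    return set().union(*(graph_layer(snapshots, layer, min_support) for layer in snapshots))


def seed_connectivity_graph(host_cgs, min_popularity=1.0):
    """fuseGraphs(): keep the edges present in at least min_popularity of the
    Host-CGs; min_popularity = 1.0 is the strict intersection of the paper."""
    counts = {}
    for g in host_cgs:
        for edge in g:
            counts[edge] = counts.get(edge, 0) + 1
    return {e for e, c in counts.items() if c / len(host_cgs) >= min_popularity}


def dns(host, answer):
    return host + SEP + answer


# Constructed snapshots (three per host) of two hosts sharing the same seed, the
# HTTP poll toward the C&C hostname. Browsing to acme.org / shop.example is
# host-specific; the C&C poll and its fast-flux DNS pattern repeat everywhere.
CC = "evil-cc.example"
HOST_A = {
    "HTTP": [frozenset({CC + "/poll", "acme.org/index.html", "acme.org/logo.png"}),
             frozenset({CC + "/poll", "news.example/today"}),
             frozenset({CC + "/poll", "acme.org/index.html"})],
    "DNS": [frozenset({dns(CC, "NXDomain"), dns(CC, "198.51.100.7"), dns("acme.org", "203.0.113.5")}),
            frozenset({dns(CC, "NXDomain"), dns(CC, "198.51.100.7")}),
            frozenset({dns(CC, "NXDomain"), dns(CC, "198.51.100.7"), dns("acme.org", "203.0.113.5")})],
}
HOST_B = {
    "HTTP": [frozenset({CC + "/poll", "shop.example/cart"}),
             frozenset({CC + "/poll"}),
             frozenset({CC + "/poll", "shop.example/cart", "shop.example/pay"})],
    "DNS": [frozenset({dns(CC, "NXDomain"), dns(CC, "198.51.100.7"), dns("shop.example", "192.0.2.9")}),
            frozenset({dns(CC, "NXDomain"), dns(CC, "198.51.100.7")}),
            frozenset({dns(CC, "NXDomain"), dns(CC, "198.51.100.7")})],
}


def demo(min_popularity=1.0):
    """Seed-CG of the two constructed hosts (strict intersection by default)."""
    host_cgs = [host_connectivity_graph(HOST_A), host_connectivity_graph(HOST_B)]
    return seed_connectivity_graph(host_cgs, min_popularity)


if __name__ == "__main__":
    for edge in sorted(demo()):
        print(edge)
```

With the strict intersection only the C&C hostname, its /poll path, its NXDomain failures and its resolved address survive; lowering MinPopularity to 0.5 keeps the per-host browsing edges as well.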

TABLE I. DATASET SUMMARY.

Class       Hosts (%)         Events (%)          Flagged Hosts   Flagged Events
HTTP        16,217 (79.1)     39.7 M (11.8)       1,308           42,007
DNS         15,164 (74.1)     30.7 M (9.3)        -               -
Other TCP   18,911 (92.31)    40.8 M (12.14)      31              1,543
Other UDP   18,032 (88.02)    224.7 M (66.87)     -               -
Total       20,486            335.9 M             1,321           43,550

IV. DATASET

We now describe the traffic traces and tools that we use to extract the information from which we build our dataset.

A. Data Collection

We consider a vantage point located in a commercial ISP where approximately 20,000 customers are connected. Most of the customers are residential users, connected via ADSL modems to the monitored point. Each customer modem is given a static IP address, which can be used to identify all the traffic generated by/destined to the same household. In the following, we generalize the term “host” to refer to the traffic exchanged by a single household (IP address).1 We consider a trace obtained live during one day in April 2012. A commercial monitoring tool processed the packets in real time to generate a text log file in which each TCP and UDP flow is logged. For each flow, a record is stored. It details the flow identifier (the tuple of source/destination IP addresses, source/destination ports and protocol type), the timestamp of the first packet, the total number of packets/bytes sent and received, and the application protocol used. If the protocol is HTTP, the entry is annotated with the server hostname, object path, user-agent, content-type, response status (e.g., 200 OK) and content-length, directly extracted from the HTTP header [7]. In case multiple HTTP objects are fetched using the same TCP flow (e.g., due to HTTP persistent connections), multiple records are logged. Similarly, for each DNS transaction, the tool logs the requested hostname and the set of returned IP addresses, or the response code in case of an error (e.g., NXDomain) [8]. To protect users' privacy, sensitive information has been removed. In parallel to the monitoring tool, a commercial IDS processed the packets in real time, logging alerts if some network activity matches any rule present in its database. We consider the IDS as an oracle that reveals which events are to be considered malicious. For each alert, the IDS simply specifies the flow identifier and a threat-ID, i.e., a numerical code that identifies a particular threat. The IDS is very conservative in triggering alerts, hence it is possible that some malicious events do not trigger any alert. Conversely, every alert is related to some malicious activity.

1 Given the popularity of NAT (Network Address Translation) at home, the ADSL modem IP address identifies traffic exchanged by all devices accessing the Internet at each customer household.

B. Dataset Overview

We consider each record in the log as a different event. By matching the flow identifiers, alerts are linked to records, so that records can be flagged as malicious. We obtain the labeled dataset described in Table I. Overall, 20,486 hosts generated about 336 M total events over the whole day. About 20% of those are related to HTTP and DNS records, with a large majority of the “Other TCP” events due to TLS/SSL (HTTPS) traffic, and “Other UDP” events due to Peer-to-Peer applications. Among all users, 6.4% exhibit some malicious activity (i.e., at least one event is flagged), with 151 different threat-IDs being reported by the IDS. Yet, only 43,550 flags are raised by the IDS. That translates to a negligible 0.013% of all traffic. Most of these records correspond to HTTP traffic, with the exception of some IRC and RPC flows. This confirms, on the one hand, the very stealthy and low-rate activity that malware is typically generating. On the other hand, it confirms the conservative design of the IDS. Almost all the flags are related to malicious HTTP activities including Exploit Kits (e.g., Nuclear, Blackhole, ZeroAccess), Drive-by Downloads, Malicious Browser Toolbars (e.g., Ask.com), Trojans and Worms (e.g., Skintrim, Conficker), etc.

Fig. 5. Dataset characterization. (a) Popularity of HTTP objects: fraction of hosts versus URL popularity rank (log scale, 1 to 6 M), for all events and for flagged events; the top-100 HTTP objects are whitelisted. (b) Snapshots per malicious event: number of snapshots (log scale, up to 236) for each of the malicious seeds (up to 1783); seeds generating at least 3 snapshots are processed by our system.

C. Whitelisting

Whitelisting is a common technique used both to reduce the amount of information processed and to discard data that would possibly pollute the analysis. For the same purposes, we built a whitelist that targets very popular events that would be in any CG with high probability but add little information or create noise. Instead of creating a manual list of popular and benign events, we opt for a dynamic and context-aware approach. We build a whitelist based on event popularity among clients, and select the top-k elements to be ignored during the processing. We whitelist single HTTP events and not entire websites, as it is known that malware can be hosted and distributed also from legitimate services. Fig. 5(a) shows the popularity of HTTP events, i.e., the fraction of hosts that accessed a given URL (with parameters stripped). Note the log scale on the x-axis. Fig. 5(a) shows the classic heavy-tailed popularity. Top URLs are clearly very common among most of the hosts. Those include social network buttons (e.g., www.facebook.com/plugins/like.php), analytics services (e.g., www.google-analytics.com/ga.js), software update checks (e.g., download.windowsupdate.com/v9/windowsupdate/redir/muv4wuredir.cab), etc. Red triangles highlight those events that are considered malicious by the oracle. The most diffused

/photos−ak−snc1/v85006/195/194287413934599/app_1_194287413934599_990348473.gif /photos−ak−snc1/v85005/166/164285363593426/app_2_164285363593426_820555261.gif log3.optimizely.com /hprofile−ak−snc4/260932_1054900399_7435617_n.jpg p.twitter.com 213.254.17.88 /hprofile−ak−snc4/49013_1042651996_1516452143_t.jpg /poker/image_proxy.php/aHR0cDovL3Byb2ZpbGUuYWsuZmJjZG4ubmV0L2hwcm9maWxlLWFrLXNuYzQvNDkwNjBfNTMxMjQzODg5XzU1NzZfcS5qcGc= /StageOne/Generic/AppHangB1/iexplore_exe/9_0_8112_16421/4d76255d/5f0e/135168.htm /event 23.21.209.236 www.vogue.it /v41818/flyers/92/27/1327670884666156793_1_9f773eb0.jpg /static/fanpage/css/gossip.css 107.22.231.29 /hprofile−ak−snc4/573689_1579380416_832259165_q.jpg /fbml_static_get.php 194.244.45.210 /zbar/v2/prod/promo/5065d0f2cd0fc78bcbc7aa3c54223c65.gif /img/rockmelt−logo.png 174.129.11.129 /rsrc.php/v1/yG/r/40jte7RHzIS.css 2.16.13.55 /poker/join_buddy_bonus.php /ajax/log_ticker_render.php /v41818/flyers/43/56/13169419321666481769_1_6d9a0bf7.jpg /hprofile−ak−snc4/161701_100001755798199_6352246_q.jpg /ajax/typeahead/search.php /hprofile−ak−snc4/41547_100003683737472_1162337856_q.jpg /v41818/flyers/72/15/1305725456356678821_1_ed4f04a3.jpg /stats/47215_5544_638069_36984_7747_2.jpg /hprofile−ak−snc4/174204_1419369251_1063861876_q.jpg audit.303br.net /people−are−talking−about/l−ossessione−del−giorno/2011/07/rihanna−donna−dell−anno /dialog/oauth /ajax/desktop/log_clicks.php217.72.242.214 /t.gif /ajax/gigaboxx/endpoint/UpdateLastSeenTime.php pixel.facebook.com /v565063/flyers/95/21/1332608678956388932_1_91d5573e.jpg playerstatics1.poker.static.zynga.com lhfyatqe.com photos−f.ak.fbcdn.net /hprofile−ak−snc4/572817_1553262724_1387094090_q.jpg /px 50.17.211.217 /hprofile−ak−snc4/187495_622857416_5287376_q.jpg /hphotos−ak−ash4/215066_236767333022469_100000676125796_776912_6410724_a.jpg /hprofile−ak−snc4/158066_214249671959717_907212476_q.jpg /hprofile−ak−snc4/27341_100000145360744_1167_q.jpg /zbar/v2/prod/promo/c9640c7f048ced93cee9f6af7ea9b232.jpg 
/v565063/flyers/52/46/1334223236254615942_1_3c3fb34b.jpg /ajax/hovercard/shown.php /img/downloaded_lg.png /hphotos−ak−ash3/552824_392914624074405_879211169_a.jpg /zlive/xpromo/xpromo.html /subsite/classic1.0.htm 107.22.179.237 /hprofile−ak−snc4/173669_1518030990_3746743_q.jpg /zbar/static/zbar/poker/static−locale/it_IT.js 173.194.35.14 /connect.php/css/share−button−css /dt/widgets.js /poker/launch.php platform.twitter.com /favicon.ico /hprofile−ak−snc4/161442_100002081922420_3261767_q.jpg 107.20.195.59 /static/fanpage/img/social−popup−arrow.png adbwer.com /service/update2 184.73.165.150 urathfdk.com external.ak.fbcdn.net /zbar/v2/prod/game/fb81eb07f135192f5d49100982241bb1.png /hprofile−ak−snc4/371771_100001654317020_1010609740_q.jpg /hprofile−ak−snc4/161170_100002129125070_869877764_q.jpg /hphotos−ak−ash3/552824_392914624074405_879211169_n.jpg /hphotos−ak−snc7/p480x480/72556_1437003130377_1391961887_31036847_4473004_n.jpg /js/download.js 173.194.35.7 10.149.42.161 /hprofile−ak−ash2/273330_1596731001_523860472_t.jpg /hprofile−ak−snc4/574005_100000420518082_1632235534_q.jpg /scripts/following_parser.js /hprofile−ak−ash2/565226_1393255652_485808195_t.jpg /static/fanpage/img/fb−connect.png /ScriptResource.axd /rsrc.php/v1/y6/r/n7OLd78dc_8.js /ajax/presence/update.php /hprofile−ak−snc4/260692_100000726608589_1780107603_q.jpg /jspix 173.194.35.0 /hphotos−ak−ash4/185575_237075009658368_100000676125796_778056_1909867_a.jpg cdn.api.twitter.com /photos−ak−snc1/v85005/230/116014898445746/app_2_116014898445746_2541.gif /ajax/feed/feed_menu.php /zlive/zoom/latest−prod/js/swfobject.js /poker/getStaticSet.php /__utm.gif 107.22.163.197 /safe_image.php 213.254.17.17 /rsrc.php/v1/y5/r/E5QVKTtyFOd.png 2 /rsrc.php/v1/yu/r/Z8pDY0UNUO4.js /photos−ak−snc1/v85006/121/183211452517/app_2_183211452517_7537.gif /poker/dynamic_assets/100/gift87_1.png /hprofile−ak−snc4/565221_1492122993_467277717_t.jpg 213.254.17.94 /poker/inc/ajax/luckyBonus.php /1/urls/count.json videosit.foxtv.es 
/ajax/typeahead/search/bootstrap.php /static/fanpage/js/jquery.colorbox−min.js /hphotos−ak−snc6/165333_100870713324242_100002039403380_3273_2122562_n.jpg /photos−ak−snc1/v27562/151/151829154838267/app_2_151829154838267_1757.gif /rsrc.php/v1/yh/r/2e71hHWKLkX.png /hprofile−ak−snc4/273358_895805400_1309865551_q.jpg 69.171.242.30 /poker/dynamic_assets/as3/gift166_1.swf profile.ak.fbcdn.net /poker/locale/en/img/lobbyBackgrounds/turkey0001.jpg 75.101.132.206 173.194.35.8 /hphotos−ak−ash4/226080_237075302991672_100000676125796_778058_2105475_n.jpg /hphotos−ak−prn1/535515_392905437408657_100000676125796_1237233_741496854_a.jpg /poker/casino/ajax/ZSC/Accept/ /texas_holdem/ai.php /subscribe 216.52.121.177 danasrat.com /photos−ak−snc1/v85005/222/365709729894/app_2_365709729894_5222.gif /static/fanpage/css/colorbox.css /hphotos−ak−snc6/284142_235833409782528_100000676125796_773360_6339820_a.jpg static.ak.fbcdn.net /js/8094158.js /photos−ak−snc1/v85005/80/228348247236308/app_1_228348247236308_1490.gif /WebResource.axd 213.254.17.8 /hprofile−ak−snc4/186344_100001005362217_1185407405_q.jpg /static/fanpage/img/gossip/socialcats/5537d149731a7ae67a31403ab8ccb542_1273675090−50x50.jpg /hprofile−ak−snc4/49856_1179336558_3037_q.jpg /hphotos−ak−snc6/164105_100870876657559_100002039403380_3282_7125869_n.jpg /hprofile−ak−snc4/161259_100001879378218_6432409_q.jpg /static/fanpage/img/gossip/socialcats/3397f28a49896345dd8a97aef27664d4_1273854312−50x50.jpg static.fanpage.it/ajax/apps/usage_update.php /static/fanpage/css/style.css /photos−ak−snc1/v27562/175/102766453114171/app_1_102766453114171_8088.gif /hphotos−ak−snc7/396287_300691336648184_100001219593333_890976_1023031451_n.jpg /rsrc.php/v1/yH/r/1yFUVzvGflf.png /zbillr/javascripts/fbc_proxy_receiver.js /hphotos−ak−prn1/562507_392905357408665_100000676125796_1237232_2000035560_a.jpg /hprofile−ak−snc4/274759_100001475743630_4934220_q.jpg 173.194.35.3 adadvisor.net photos−g.ak.fbcdn.net plusone.google.com tools.google.com 
/hprofile−ak−ash2/49135_1495763503_5748_q.jpg /rsrc.php/v1/yl/r/cN5zKudwrmb.css /hprofile−ak−snc4/48916_1336382160_1709951995_q.jpg /poker/CasinoSnapiProxy.php /hprofile−ak−snc4/41555_100002785114347_1652305387_q.jpg /hprofile−ak−snc4/174182_100001161171722_1921820198_q.jpg /hphotos−ak−ash3/555479_383177088381492_100000676125796_1208370_615701503_a.jpg /cgi−bin/m /poker/locale/it/img/shouts/highscore_weeklycontest2.swf /static/fanpage/js/fp−socialbox.js /photos−ak−snc1/v85005/244/65108332792/app_1_65108332792_9404.gif /hphotos−ak−ash4/407661_337379306294604_100000676125796_1087240_1926487984_n.jpg statics.poker.static.zynga.com 213.254.17.23 /hphotos−ak−snc6/229634_237075536324982_100000676125796_778060_7276928_a.jpg /photos−ak−snc1/v85006/109/107040076067341/app_1_107040076067341_1528.gif 63.251.249.49 tiebath.ru /hphotos−ak−prn1/s320x320/26692_1314915718268_1391961887_30755825_2342829_n.jpg notify13.dropbox.com 3 /poker/iframe_proxy.php www.google−analytics.com 173.194.35.1 /hphotos−ak−ash3/166797_100870659990914_100002039403380_3270_2778416_n.jpg /hprofile−ak−snc4/173212_1546634717_946839939_q.jpg photos−a.ak.fbcdn.net /photos−ak−snc1/v43/152/154089927959840/app_2_154089927959840_1239.gif /poker/image_proxy.php/aHR0cDovL3Byb2ZpbGUuYWsuZmJjZG4ubmV0L2hwcm9maWxlLWFrLWFzaDIvMzY5OTE5XzEwNTk2MDA2NTBfMjU0ODIyOTkyX3EuanBn /adscores/g.pixel /poker/inc/ajax/chip_vals.php /hphotos−ak−snc7/s320x320/76027_1450285062417_1391961887_31058442_1557303_n.jpg 173.194.35.5 tamqpcmcy.com 70.42.33.241 moodgum.ru /poker/image_proxy.php/aHR0cDovL3Byb2ZpbGUuYWsuZmJjZG4ubmV0L2hwcm9maWxlLWFrLXNuYzQvNDE1NTVfMTAwMDAyNzg1MTE0MzQ3XzE2NTIzMDUzODdfbi5qcGc= /photos−ak−snc1/v85006/39/101539264719/app_1_101539264719_2507.gif secure−it.imrworldwide.com /ajax/photos/photo/tags/tags_init.php /hprofile−ak−snc4/275823_1335733940_834053024_t.jpg photos−b.ak.fbcdn.net 213.254.17.95 /hprofile−ak−snc4/161485_100000964885703_485534086_q.jpg /photos−ak−snc1/v85006/247/30713015083/app_1_30713015083_2979.gif 
/photos−ak−snc1/v85006/237/256051837747677/app_1_256051837747677_2325.gif 178.236.5.129 /poker/img/shouts/003_threesco_100.png /hphotos−ak−snc7/312780_278137352218800_100000676125796_915311_1551900761_s.jpg /crossdomain.xml 173.194.35.2 apps.facebook.com /rsrc.php/v1/ys/r/0VDksn8o5BR.png 213.254.17.86 /js/jquery/jqueryui.js /hphotos−ak−snc6/284142_235833409782528_100000676125796_773360_6339820_n.jpg photos−h.ak.fbcdn.net /poker/inc/ajax/trackFriendFeed.php /hprofile−ak−snc4/41661_678484760_313677665_q.jpg /hphotos−ak−snc7/407905_2640210558576_1054900399_32483284_1415883070_s.jpg /rsrc.php/v1/yP/r/JJTbNB3NOtv.png /poker/image_proxy.php/aHR0cDovL3Byb2ZpbGUuYWsuZmJjZG4ubmV0L2hwcm9maWxlLWFrLXNuYzQvMzcxMTkxXzEwMDAwMDQ4NzY0NDczMF8xOTA1NDk4ODAzX3EuanBn /poker/adapter/zgift_info.php 173.194.35.6 66.220.158.72 facebook2.poker.zynga.com /rsrc.php/v1/ya/r/GkSTZ3wYZBQ.png /poker/inc/ajax/amazing_ideas.php /hprofile−ak−snc4/48897_100001281214666_1095838380_q.jpg /poker/inc/ajax/profile_popup.php /ad/N3024.5011.FOXINTERACTIVE/B6449871;sz=1x1;ord=52074038 /poker/casino/ajax.php /hphotos−ak−ash4/249929_218011594898043_100000676125796_704480_7768516_a.jpg /hprofile−ak−snc4/186535_1052265436_6807914_q.jpg /poker/casino/ajax/ZSC/GetMessageData/ /poker/adapter/user_data.php photos−e.ak.fbcdn.net /connect.php/js/FB.Share 213.254.17.25 216.120.27.21 photos−c.ak.fbcdn.net 213.254.17.62 173.194.35.9 /photos−ak−snc1/v85005/222/365709729894/app_1_365709729894_9467.gif /hphotos−ak−prn1/543248_392848557414345_100000676125796_1237183_584277678_a.jpg a8.sphotos.ak.fbcdn.net /photos−ak−snc1/v27562/52/2389801228/app_1_2389801228_4018.gif taxescell.ru /wp−admin/admin−ajax.php 173.194.35.4 /static/fanpage/img/gossip/favicon.ico /hphotos−ak−prn1/562722_393219950710539_100000676125796_1237622_2143092417_a.jpg /viewad/954669/1−inv.gif /poker/server_status.php /static/fanpage/img/gossip/socialcats/e2b11d959bce053c90de466604ed28a1_1318858190−50x50.jpg 
/hprofile−ak−ash2/187086_100000363921369_6546321_q.jpg janpollj.com/hphotos−ak−snc6/254706_236767246355811_100000676125796_776911_5097146_a.jpg /poker//inc/ajax/ztrack_social.php /hphotos−ak−ash4/380601_383177018381499_100000676125796_1208366_452298874_a.jpg 178.236.6.106 69.63.189.76 69.63.190.72 photos−d.ak.fbcdn.net /hphotos−ak−ash4/268672_235833289782540_100000676125796_773359_3697943_a.jpg /photos−ak−snc1/v27562/157/183366208380001/app_1_183366208380001_2727.gif /poker/callback/loadMilestone.php /hphotos−ak−snc7/162835_100870826657564_100002039403380_3279_7550227_n.jpg /ajax/pagelet/generic.php/PhotoViewerPagelet /hphotos−ak−snc6/163139_100870863324227_100002039403380_3281_2081965_n.jpg /link/link.php /ajax/pagelet/generic.php/PhotoViewerInitPagelet 213.254.17.31 /photos−ak−snc1/v27562/175/102766453114171/app_2_102766453114171_8233.gif /js/jquery/jquery.urlEncode.js /texas_holdem/dmz_link_landing.php /hphotos−ak−snc7/p480x480/149161_1450288062492_1391961887_31058449_5122823_n.jpg /imgs/galleries/peole−are−talking−about/ossessione−del−giorno/007999/26−5234414_201x113.jpg /hphotos−ak−ash4/s320x320/407236_2790145346852_1054900399_32556565_1399259089_n.jpg /javascripts/z_purchase.js /hphotos−ak−snc6/s320x320/165260_1504281852303_1391961887_31171518_4446658_n.jpg /texas_holdem/index.php /b/o /connect.php/it_IT /imgs/galleries/peole−are−talking−about/ossessione−del−giorno/007999/21−43754_201x113.jpg /imgs/galleries/peole−are−talking−about/ossessione−del−giorno/007999/rihanna−3310943_201x113.jpg /poker/inc/ajax/chips.php /hphotos−ak−snc6/168926_100870946657552_100002039403380_3286_7170577_n.jpg 193.45.15.33 /hphotos−ak−ash4/s320x320/405734_2640209958561_1054900399_32483283_868894953_n.jpg 66.220.153.76 /imgs/galleries/peole−are−talking−about/ossessione−del−giorno/007999/22−101501_201x113.jpg /poker/inc/ajax/liveChrome.php /static/fanpage/js/functions.js /hphotos−ak−ash3/555479_383177088381492_100000676125796_1208370_615701503_n.jpg 
/hphotos−ak−ash4/249929_218011594898043_100000676125796_704480_7768516_n.jpg 213.254.17.96 /hphotos−ak−snc6/185298_235845599781309_100000676125796_773383_1963093_a.jpg /hphotos−ak−prn1/535462_383177051714829_100000676125796_1208368_406060946_a.jpg /hphotos−ak−snc7/163213_100870566657590_100002039403380_3264_2479830_n.jpg 212.239.41.101 /hphotos−ak−prn1/560213_383177031714831_100000676125796_1208367_1998403977_n.jpg /css/styles_dark.css /poker/client/modules/LuckyBonus008t.swf /hphotos−ak−ash3/561834_383177068381494_100000676125796_1208369_584924645_a.jpg /hphotos−ak−prn1/s320x320/30468_1314916718293_1391961887_30755836_6756993_n.jpg /login_user.php 213.254.17.15 /ajax/pagelet/generic.php/WebEgoPane static.ak.connect.facebook.com /poker/inc/ajax/openGraphEndpoints.php 69.171.242.28 /css/colorbox.css /js/jquery/jquery.easing.compatibility.js cdn.optimizely.com ad.doubleclick.net /hphotos−ak−snc7/p480x480/418513_254203174669158_100002384311499_569106_930991690_n.jpg 69.63.189.72 /hphotos−ak−snc6/251107_218015671564302_100000676125796_704564_4039342_n.jpg /images/shim.gif /photos−ak−snc1/v85005/166/164285363593426/app_1_164285363593426_1385.gif /update_user.php /mark/26069_18 2.16.12.119 /js/script_common.js /js/jquery/jquery−1.4.1.min.js /poker/inc/ajax/popup_deferred_load.php s0.2mdn.net /poker/adapter/zuser_feed.php /hphotos−ak−ash4/407661_337379306294604_100000676125796_1087240_1926487984_a.jpg 213.254.17.97 /hphotos−ak−snc6/185218_236766699689199_100000676125796_776909_6410623_a.jpg /jennifer−lopez−senza−veli−per−spot−il−toyboy−l−ha−svecchiata/ /hphotos−ak−snc6/167640_100870923324221_100002039403380_3285_5112154_n.jpg /hphotos−ak−snc7/33820_100870809990899_100002039403380_3278_1850791_n.jpg /poker/image_proxy.php/aHR0cHM6Ly9mYmNkbi1wcm9maWxlLWEuYWthbWFpaGQubmV0L2hwcm9maWxlLWFrLWFzaDIvMTc0MTY5XzEwMDAwMzU3NjI2NTM3NV8xODIwMTIzODU1X3EuanBn /hphotos−ak−snc6/168095_100870739990906_100002039403380_3274_692480_n.jpg zpay.static.zynga.com /js/23777651.js 
/hprofile−ak−snc4/572691_100000262934515_165452218_q.jpg fls.doubleclick.net /js/condenet/jquery.cookies.js 213.254.17.57 69.63.190.76 173.194.35.28 cornlion.ru /hphotos−ak−snc6/200221_1622881977232_1391961887_31364215_2612460_n.jpg /activityi;src=954669;type=nuven191;cat=landi232;ord=4044130197191.0083 /imgs/galleries/peole−are−talking−about/ossessione−del−giorno/007999/20−2668906_201x113.jpg /css/colorbox−login.css /_tracker/569/hphotos−ak−ash3/s320x320/167094_1511012020553_6376530_n.jpg 69.171.242.62 /volvo.php /mybach.php /_uploads/brief/u39103/video/5544/vulf−s_1334662854.png /css/styles_article.css scripts.vogue.it 173.194.35.27 173.194.35.60 213.254.17.22 /en_US/all.js /b/p /it_IT/all.js /hphotos−ak−ash3/555577_3351311235158_1640208996_2619594_1199453245_n.jpg /imgs/galleries/peole−are−talking−about/ossessione−del−giorno/007999/23−93977_201x113.jpg akamai.smartadserver.com 193.45.15.10/player_blog/static/img/bar420x257.jpg a6.sphotos.ak.fbcdn.net 74.114.14.200 /css/jquery.ad−gallery.css /images/fb_popup/fb_popup_empty_like_button.jpg /css/styles_common.css track.poker.zynga.com 173.194.35.59 ads.lfstmedia.com images.vogue.it 9339 gossip.fanpage.it a5.sphotos.ak.fbcdn.net nav3.poker.zynga.com 46.20.120.129 /gossipfanpage/wp−content/uploads/2012/01/i−messaggi−di−casper−smart−su−twitter.jpg 8890 /ads/js/tfa_ebuzz_creaebz.js /iframe/12 /pullcss.vogue.it ic.tynt.com /ads/firewall/firewall2.php 212.243.210.144 2.16.12.123 843 184.73.204.178

46.20.120.125

212.243.210.136 212.243.210.201

212.243.210.168 connect.facebook.net blueberrymo.com 213.140.0.39 213.140.0.45 www.ebuzzingvideo2.com firewall.adlooxtracking.com jockesnotliked.com 212.243.210.138 j.adlooxtracking.com 212.243.210.209 212.243.210.194 212.243.210.195 74.114.14.44 67.202.66.200 74.114.14.116 87.98.155.169 107.21.104.252 184.75.160.202 1−jv−w.channel.facebook.com 2−jv−w.channel.facebook.com 74.114.14.197 184.75.168.208 91.121.33.204 3−jv−w.channel.facebook.com pix.lfstmedia.com static.fanpage.it.s3.amazonaws.com 212.243.210.145 212.243.210.161 91.121.40.11 199.2.137.141 91.121.37.201 87.98.174.90 178.236.5.130 174.35.6.18 91.121.37.72 46.20.120.230 87.98.144.93 2.19.79.139 91.121.33.206 91.121.37.196 91.121.49.57 174.35.4.149 69.171.227.61

46.20.120.122 74.114.14.192

(a) Initial graph from a single snapshot.

111.221.74.38 157.55.130.155 65.55.223.37 157.56.52.38 157.55.130.140 64.4.23.165 65.55.223.30 157.55.56.149 111.221.77.149 213.199.179.149 157.55.235.160 157.55.56.160

80.80.150.135 taxescell.ru 194.204.51.27 74.142.229.4 28326 bluesbars.ru 157.56.52.34 195.164.49.134 cornlion.ru 40017 26567 40047 33033 adbwer.com 40028 173.25.6.247 40016 tiebath.ru 10425 moodgum.ru 12345 40025 40034 40004 danasrat.com 40021 40030 40001 tamqpcmcy.com /world.php

lhfyatqe.com urathfdk.com

Host_1

rivergrape.com

Host_1

Non−Existent Domain

janpollj.com

tamqpcmcy.com

/mybach.php

b.mail.google.com

60.13.186.5 www.google.com

443 /volvo.php

173.194.35.61

995 74.125.79.109

173.194.35.50 173.194.35.179 173.194.35.145 173.194.35.178 173.194.35.146 173.194.35.177 173.194.35.147 173.194.35.176 173.194.35.148 173.194.35.48 173.194.35.180 173.194.35.52 173.194.35.144 173.194.35.49 173.194.35.51

jockesnotliked.com

ssl.gstatic.com www.gstatic.com

www.gmail.com

2.19.66.110 192.150.14.174

hl2rcv.adobe.com

209.85.148.84

accounts.google.com s−static.ak.facebook.com

rivergrape.com

blueberrymo.com

mail.google.com

pop.gmail.com 62.149.152.152

lhfyatqe.com urathfdk.com

jockesnotliked.com

173.194.35.53

pop3s.certmail.arub.net

/world.php

chatenabled.google.com

173.194.35.47

74.125.79.108

blueberrymo.com

199.2.137.141

/volvo.php

173.194.35.29

/mybach.php

Host_3

Server Failure

/ 108.174.53.11

Host_2

taxescell.ru bluesbars.ru cornlion.ru adbwer.com tiebath.ru moodgum.ru Non−Existent danasrat.com Domain

199.2.137.141

(b) Host-CG of a single client.

108.174.53.11 217.52.202.71 216.144.250.123 60.13.186.5

janpollj.com Server Failure

(c) Final Seed-CG.

Fig. 6. Evolution of Network Connectivity Graphs at several steps of our methodology. The event under study, http://jockesnotliked.com/mybach.php, is reported as malicious by our oracle. Three clients are flagged for this event: two generate two analysis snapshots each, while the third client generates eight snapshots.

type of attack - a Drive-by Download threat - infects about 800 hosts (3.8% of hosts). The huge tail confirms the intuition that most URLs are accessed by few hosts only. We conservatively compile a whitelist made of the Top-100 HTTP events, which equivalently filters those events that are common to more than 23% of hosts. This avoids blurring the common pattern mining and reduces the itemset extraction time, without affecting the descriptiveness of CGs.

V. CONNECTIVITY GRAPH CHARACTERIZATION

We next evaluate the benefits and properties of CG creation. We first identify the number of events eligible to become seeds. Recall that our methodology requires a recurrence of seeds over time and over the population. The requirement matches basic properties of malicious activities, such as recurrent reporting to the C&C center or recurrent attempts to identify new victims. For this reason, we expect that malware distributors would try to disguise such repetitiveness as much as possible. In our dataset we found 820 malicious hosts that had only one flagged event. If analyzed in isolation (on a per-host basis), these events would not have any recurrence. Fig. 5(b) reports the number of snapshots that can be associated with each unique malicious event. Considering 1,783 unique malicious events, we found that 236 events can be uniquely associated with at least three independent snapshots. Setting MinSnapshots=3, these events become fully characterizable by our system. In fact, looking at the absolute numbers, we can provide insights for 95% of the malicious snapshots in our dataset (40k out of 42k events).

A. Connectivity Graph construction steps

In Fig. 6, we present an example of the Network Connectivity Graph evolution according to the steps of the methodology described in Sec. III. We consider the malicious seed http://jockesnotliked.com/mybach.php.

• Fig. 6(a) shows the network traffic produced by a host during a single 30 minute snapshot centered on the seed. Obviously, this graph is very difficult to interpret.

• Fig. 6(b) presents the Host-CG of one of the three clients (red marker in the center) involved in the malicious activity. Despite being already clearer and understandable with little effort, it still contains some nodes related to ordinary user behavior that are not part of the malicious activity. For instance, HTTPS and POP3 Secure transactions on the TCP layer (light green circles in the bottom-right part) are related to mail exchange and login to Google services, while flows over UDP (olive green circles in the upper part) are mostly directed to the Skype service.

• Fig. 6(c) corresponds to the final Seed-CG generated by our system when fusing the Host-CGs of three different hosts. It is now much easier to identify the events involved in the suspicious activities. Events highlighted by red edges are those considered malicious by our oracle. The richness of the provided indications stems from the augmented context that we provide about these clients. First, the clients access three URLs (blue hexagons) hosted by three hostnames (orange circles), all of which now become an indication of a suspicious infrastructure. Next, two of the contacted hostnames (jockesnotliked.com and blueberrymo.com) use the same IP address (gray diamonds), suggesting potential obfuscation by hostname flipping and resource reuse, both common practices among malicious adversaries. The third hostname (rivergrape.com) is distributed over several mirrors whose IP addresses belong to very different subnets, a hint of cheap infrastructure or zombies that were previously infected by the malware. Finally, the right side of Fig. 6(c) shows another layer of information indicating multiple failures of DNS queries (purple boxes). This reinforces our suspicion.

Apart from providing more context for the malicious activity, our system discovers new malicious objects and improves the flagging consistency of our oracle IDS. For example, the object blueberrymo.com/volvo.php is consistently included in malicious graphs, while the IDS occasionally missed it. Our system also discovered a new object, rivergrape.com/world.php, and we confirmed its maliciousness across several other security tools such as VirusTotal.²

B. Impact of Pattern Filtering

We study the volume of information that the Seed-CG creation process extracts from single seeds. Table II shows the average number of nodes included in the final Seed-CGs. Three sets of parameters are reported, from a very selective common pattern

² VirusTotal: www.virustotal.com

TABLE II. AVERAGE NUMBER OF NODES FOR DIFFERENT TYPES AMONG SEED-CGS WITH ∆ = 30 MIN.

Type   Object-path  Hostname  Server IP  Dst-port TCP  Dst-port UDP  DNS error   Total
c1             6.6       7.0       19.9           0.2           2.0        0.3    36.0
c2            14.9      16.8       95.9           0.5          27.8        2.4   158.4
c3          2351.4     691.5     3423.0          79.9        1335.1       40.4  7921.5

c1 = {MinSupport=1, minPopularity=1}
c2 = {MinSupport=0.5, minPopularity=1}
c3 = {MinSupport=0, minPopularity=0}

VI. CONNECTIVITY GRAPH EXAMPLES

In the following, we provide some examples of CGs covering several types of malware found in our dataset, each presenting different behaviors and network patterns.

A. Cycbot Backdoor Activity

[Fig. 8, node labels omitted: hosts Host_1 to Host_6; the object */logo.png served by randomized third-level hostnames under the second-level domains yordataarchive.com, phonegamescatalog.com, remarkreddomas.com, transfersakkonline.com, faststorageonline.com, wwwmp3archives.com, regremotehelper.com, yourstarportal.com, adventofdeception.com and onlinepdahelpforyou.com; public-IP discovery services whatismyip.com, automation.whatismyip.com, cmyip.com and www.ipaddrs.com; the connectivity check to www.google.com.]

[Fig. 7 legend: Object Path, Hostname, Server IP, TCP DST Port, UDP DST Port, DNS failures, Total.]
Fig. 8. CG for Cycbot Backdoor Activity backdoor trojan. Notice the fast-flux domain name shuffling (orange circles in lower-left part), and the IP address detection webpages (top-right) to assess victims’ reachability.

[Fig. 7 axes: y = Number of Nodes (0 to 250); x = Snapshot Size ∆ [min], ticks 1s, 5s, 10s, 30s, 1, 5, 10, 15, 20, 25, 30, 35, 40, 45, 50, 55, 60.]

Fig. 7. Average amount of nodes in Seed-CGs with different snapshot sizes.

filtering such as c1 = {MinSupport=1, minPopularity=1}, which selects only the objects that appear in all snapshots and for all hosts, to c3 = {MinSupport=0, minPopularity=0}, which instead merges all patterns regardless of their support and popularity. c2 = {MinSupport=0.5, minPopularity=1} is the suggested default parameter setting. Results clearly show that, starting from a single event, the proposed methodology builds graphs with hundreds of nodes. Note how the number of elements grows consistently when selecting less restrictive thresholds for MinSupport and minPopularity. The number of elements is very large for c3, where thousands of nodes are included in the CGs. This floods the security analyst with information (see Fig. 6(a) for instance). c2 offers a good trade-off between descriptiveness and richness of the final CG.

Fig. 7 shows the average number of nodes in Seed-CGs according to the selected snapshot size, ∆, for the parameter set c2. As expected, CGs contain only the seed event and few other nodes when selecting a small ∆, e.g., lower than 1 min. On the other hand, the number of nodes increases with the snapshot size, peaking at more than 200 nodes on average with a 60 min snapshot. Interestingly, the number of object-paths and hostnames does not increase dramatically with higher ∆, proving the effectiveness of the Common Patterns Mining technique. The only node type showing higher inflation is the Server IP address, owing to malicious activities poking benign infrastructures hosted on Content Delivery Networks (CDNs).
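The pattern-filtering step measured in this section can be made concrete with a small worked example. The Python below is an added example, not code from the paper or its authors: it builds Host-CG node sets from per-host snapshots with a MinSupport threshold, fuses them into a Seed-CG node set with a minPopularity threshold, and first strips a Top-N hostname whitelist standing in for the Top-100 HTTP-event whitelist described at the start of Sec. V. The snapshots and the population counts are constructed; the hostnames, object paths and IP address are taken from the Fig. 6 labels. That support and popularity are fractions (of one host's snapshots, and of the Host-CGs), and that whitelisting acts on hostnames, are my assumptions about definitions given in Sec. III, which is not on this page. Edges are left out, since Table II counts nodes.

```python
"""Pattern filtering that turns per-host snapshots into a Seed-CG node set.

Added example, not code from the paper. Nodes are (layer, value) pairs whose
layers mirror the node types of Table II. Assumptions: support is the fraction
of one host's snapshots containing a node, popularity the fraction of Host-CGs
containing it, and the whitelist strips the Top-N most widespread hostnames.
"""
from collections import Counter
from typing import Dict, Iterable, List, Optional, Set, Tuple

Node = Tuple[str, str]  # (layer, value)

# Names from the Fig. 6 labels; that 199.2.137.141 is the address shared by
# jockesnotliked.com and blueberrymo.com is my reading of the figure.
SEED = ("object-path", "jockesnotliked.com/mybach.php")
JOCKES = ("hostname", "jockesnotliked.com")
BLUE = ("hostname", "blueberrymo.com")
RIVER = ("hostname", "rivergrape.com")
SHARED_IP = ("server-ip", "199.2.137.141")
VOLVO = ("object-path", "blueberrymo.com/volvo.php")
WORLD = ("object-path", "rivergrape.com/world.php")
NXD = ("dns-error", "Non-Existent Domain")
SERVFAIL = ("dns-error", "Server Failure")


def host(name: str) -> Node:
    return ("hostname", name)


# Constructed snapshots (the real traces are not on the page): three flagged
# hosts with two to four 30-minute windows each, background traffic mixed in.
SNAPSHOTS: Dict[str, List[Set[Node]]] = {
    "Host_1": [
        {SEED, JOCKES, BLUE, SHARED_IP, VOLVO, NXD, host("www.facebook.com")},
        {SEED, JOCKES, BLUE, SHARED_IP, VOLVO, RIVER, host("apps.facebook.com")},
    ],
    "Host_2": [
        {SEED, JOCKES, SHARED_IP, RIVER, WORLD, NXD, VOLVO, host("www.google.com")},
        {SEED, JOCKES, SHARED_IP, RIVER, WORLD, BLUE, host("mail.google.com")},
    ],
    "Host_3": [
        {SEED, JOCKES, SHARED_IP, BLUE, VOLVO, NXD, host("www.google.com")},
        {SEED, JOCKES, SHARED_IP, BLUE, RIVER, host("www.google.com")},
        {SEED, JOCKES, SHARED_IP, RIVER, SERVFAIL, host("www.google.com")},
        {SEED, JOCKES, SHARED_IP, BLUE, VOLVO, host("www.google.com")},
    ],
}

# Constructed population statistics: how many monitored hosts contacted each
# hostname. The paper whitelists the Top-100 HTTP events; Top-2 plays that role here.
POPULATION_HOSTNAME_COUNTS = Counter({
    "www.google.com": 900, "www.facebook.com": 850, "apps.facebook.com": 400,
    "mail.google.com": 300, "jockesnotliked.com": 3, "blueberrymo.com": 3,
    "rivergrape.com": 3,
})

# The three configurations of Table II as (MinSupport, minPopularity).
PARAMS = {"c1": (1.0, 1.0), "c2": (0.5, 1.0), "c3": (0.0, 0.0)}


def build_whitelist(counts: Counter, top_n: int) -> Set[str]:
    """The Top-N most widespread hostnames are treated as background traffic."""
    return {name for name, _ in counts.most_common(top_n)}


def apply_whitelist(snapshot: Set[Node], whitelist: Set[str]) -> Set[Node]:
    return {n for n in snapshot if not (n[0] == "hostname" and n[1] in whitelist)}


def host_cg(snapshots: List[Set[Node]], min_support: float) -> Set[Node]:
    """Correlation over time: keep nodes seen in at least min_support of a host's snapshots."""
    counts = Counter(n for snap in snapshots for n in snap)
    return {n for n, c in counts.items() if c / len(snapshots) >= min_support}


def seed_cg(host_cgs: Iterable[Set[Node]], min_popularity: float) -> Set[Node]:
    """Correlation over space: keep nodes present in at least min_popularity of the Host-CGs."""
    cgs = list(host_cgs)
    counts = Counter(n for cg in cgs for n in cg)
    return {n for n, c in counts.items() if c / len(cgs) >= min_popularity}


def build_seed_cg(snapshots: Dict[str, List[Set[Node]]], min_support: float,
                  min_popularity: float, whitelist: Set[str]) -> Set[Node]:
    """Whitelist, then per-host support filter, then cross-host popularity filter."""
    per_host = (host_cg([apply_whitelist(s, whitelist) for s in snaps], min_support)
                for snaps in snapshots.values())
    return seed_cg(per_host, min_popularity)


def count_by_type(cg: Set[Node]) -> Dict[str, int]:
    """Node counts per layer, the breakdown Table II reports as averages."""
    return dict(Counter(layer for layer, _ in cg))


def node_counts_per_config(whitelist: Optional[Set[str]] = None) -> Dict[str, int]:
    wl = build_whitelist(POPULATION_HOSTNAME_COUNTS, 2) if whitelist is None else whitelist
    return {name: len(build_seed_cg(SNAPSHOTS, s, p, wl)) for name, (s, p) in PARAMS.items()}


if __name__ == "__main__":
    wl = build_whitelist(POPULATION_HOSTNAME_COUNTS, 2)
    for name, (s, p) in PARAMS.items():
        cg = build_seed_cg(SNAPSHOTS, s, p, wl)
        print(name, len(cg), count_by_type(cg))
```

On the constructed data the three configurations yield 3, 6 and 11 nodes for c1, c2 and c3. The DNS errors and rivergrape.com/world.php survive only in c3, because their support stays below 0.5 on at least one host and minPopularity=1 then drops them; this is the same effect Table II shows at scale, where c3 carries thousands of nodes that c2 discards.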

Cycbot is a backdoor trojan that allows cyber-criminals to access infected computers remotely. This causes victims' hosts to be exploited by malicious adversaries for large-scale attacks, and leads to potential leakages of sensitive personal information. Fig. 8 shows the CG of the event */logo.png for which our oracle raises an alarm. Interestingly, more than 80 hostnames seem to serve the malicious file logo.png (cloud of orange circles in Fig. 8). All those hostnames have a third-level domain name made of random strings mixing characters and numbers, which are hard to capture with regular expressions. This technique, known as fast-flux, allows attackers to hide malicious infrastructures by generating hostnames that are registered in the DNS and later removed with a high frequency. This makes detection harder, circumvents blacklisting, and guarantees a longer reachability of the infrastructure. Considering only second-level domains, the number of hostnames drops to 10, each presenting an appealing name acting as a lure for potential victims, e.g., faststorageonline.com, phonegamescatalog.com, wwwmp3archives.com, etc. The entire set of domain names is hosted on few servers, resolving to 5 IP addresses. Those IPs are not organized in a structured CDN and do not belong to the same subnet, suggesting the use of infected machines scattered across the network. The right part of Fig. 8 includes some benign objects. While those may seem false positives, this is not the case. Looking closer at the top of Fig. 8, it is easy to realize that the contacted websites host services aimed at discovering the public IP address of the host. Such behavior is coherent with the intent of the malware we are facing. Being a backdoor trojan, the infected client has to be reachable by the cyber-criminals, but connectivity issues, e.g., hosts behind NATs or firewalls, might preclude the reachability of the victim.

Looking at the bottom-right part of the CG, we observe that the malware is checking Internet connectivity by visiting the www.google.com homepage, another test run by the malware to gather connectivity properties of the victim.
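The reduction the Cycbot discussion performs by hand (a cloud of hostnames collapsed to second-level domains, then to the few server IPs behind them, plus a check that the IPs do not share a subnet), as an added example that is not part of the paper. The records and their .test domains are constructed, and the rule that the registered domain is the last two labels is an assumption.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed (hostname, server IP) pairs standing in for the hostname and
# Server IP nodes of a CG; the domains are placeholders, not the paper's.
RECORDS = [
    ("a9k2x1.faststorage-example.test", "198.51.100.10"),
    ("zz41q.faststorage-example.test", "198.51.100.10"),
    ("q8e7r.faststorage-example.test", "203.0.113.7"),
    ("7hh3n.phonegames-example.test", "203.0.113.7"),
    ("www.phonegames-example.test", "192.0.2.44"),
    ("k0l5p2.mp3archive-example.test", "192.0.2.44"),
    ("cdn.mp3archive-example.test", "198.51.100.10"),
]

# A label that mixes letters and digits, as the text describes for the
# third-level names served by the fast-flux cloud.
MIXED_LABEL = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z0-9]+$")


def second_level(hostname):
    """Collapse a hostname to its last two labels. Assumption: the
    registered domain is two labels deep; real deployments should use the
    Public Suffix List so that names under e.g. co.uk are not merged."""
    return ".".join(hostname.lower().split(".")[-2:])


def looks_random(hostname):
    """True when any label below the second level mixes letters and digits."""
    return any(MIXED_LABEL.match(lbl) for lbl in hostname.lower().split(".")[:-2])


def summarize(records):
    """Aggregate as the Cycbot discussion does: hostnames -> second-level
    domains -> server IPs, plus how many distinct /24s those IPs fall in."""
    hosts_by_domain = defaultdict(set)
    ips = set()
    for host, ip in records:
        hosts_by_domain[second_level(host)].add(host)
        ips.add(ipaddress.ip_address(ip))
    subnets = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in ips}
    return {
        "hostnames": len({h for h, _ in records}),
        "random_looking_hostnames": sum(1 for h, _ in records if looks_random(h)),
        "second_level_domains": len(hosts_by_domain),
        "server_ips": len(ips),
        "distinct_slash24": len(subnets),
    }


if __name__ == "__main__":
    for key, value in summarize(RECORDS).items():
        print(f"{key}: {value}")
```

When distinct_slash24 equals server_ips, as here, the servers sit in unrelated networks rather than in one CDN block, which is the observation the text draws from Fig. 8.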

B. Downloader.Dromedian Communication

Fig. 9. CG for Downloader.Dromedian Communication trojan horse. Notice the presence of legitimate nodes being contacted by malware.

Downloader.Dromedan is a trojan horse that runs silently on the victim's host, downloading and executing additional threats. This malware connects to remote malicious infrastructures and C&C networks in order to fetch and execute additional malware and potentially unwanted programs (PUPs). In most cases, it causes the redirection of ordinary web surfing traffic to malicious websites through the installation of toolbars in web browsers. Such toolbars force the user to visit certain content in order to generate profit for the attackers. Fig. 9 shows the CG of the malicious event cantst0p24menever22.net/run/fox.php, which triggers the alarm related to Downloader.Dromedian in our reference IDS. Two clients are infected and, in addition to the seed (red arrows), they both connect to www.google.com/webhp repeatedly. While the Google webpage is not malicious per se, it is made to appear frequently by PUPs related to the Conduit search hijacker. Several unwanted toolbars like Delta Search Toolbar, Social Search Toolbar, and Internet Helper Toolbar are related to Conduit search, and cause Google webhp redirects by hijacking the browser settings. Looking at the top-right part of the CG, infected clients query three hostnames that cause an error at the DNS resolver side, as the two exploited hosts try to connect to the remote malicious infrastructure. Our suspicion about this event is reinforced by the similarity of the queried hostnames with the successfully resolved one (i.e., cantst0p24menever22.net), and by the presence of numbers interleaved with characters in a random fashion, possibly trying to avoid blacklisting.

C. Mass Injection Website

Fig. 10. CG for Mass Injection Website attack. Notice all URLs containing "wp-content", suggesting a WordPress vulnerability being exploited by malicious adversaries. Victims are forced into a redirection chain through websites hosting Exploit Kits.

The Mass Injection Website attack does not target the host of the victim directly, but leverages vulnerabilities of legitimate websites to inject malicious scripts and hidden iframes. In turn, users visiting compromised websites are victims of a redirection chain that forces them to visit third-party websites hosting Exploit Kits. Such Exploit Kits target potential vulnerabilities on the client side, so that once the victim lands on the actual Exploit Kit, her machine gets infected as well. Fig. 10 shows the network behavior of two hosts that are victims of the Mass Injection exploitation. Our oracle considers malicious only the seed bloggasaurus.com/wp-content/instal/file.php, but our CG is populated with other URLs, all terminating with /instal/file.php. Interestingly, many of those URLs also include the substring wp-content, suggesting an exploited vulnerability in the WordPress blogging tool. Our suspicion is confirmed by the fact that both victim hosts exhibit the same identical behavior towards all the URLs depicted in the CG. The volume of issued requests is identical and, considering the contacted URLs in temporal sequence, it is possible to clearly spot repeated patterns over time, i.e., both hosts visit the other URLs in a deterministic order. Moreover, such web pages host different kinds of content, ranging from newscasts to music festivals and healthcare. Thus, it is almost impossible that two users visit the same pages, the same number of times, in the same order. This confirms an ongoing automated web scan the user is not aware of.

VII. RELATED WORK

The increased ability of malware to spread and infect computers has led to vast amounts of research attempting to identify malware using the network traffic it generates. The work presented here is related to malware detection through graph-based approaches, and to multi-protocol traffic correlation. Graph-based Malware Detection: In [9], the authors build a bipartite graph consisting of domain names of failed DNS queries and the hosts issuing such queries. The intuition is that hosts infected by the same malware usually query the same (or a similar) set of domain names. Similarly, [10] proposes building a relationship graph based on DNS historical data.

In this context, suspicious networks are identified by means of two graph measures: graph density and eigenvector centrality. In [11], malicious hosts are detected using a semi-supervised, score-propagation algorithm that utilizes an HTTP communication graph and flow information. All these approaches restrict their efforts to a specific protocol to identify the suspicious graph entities. Alternatively, our system uses the data gathered from multiple protocols to create the CG on which the malware patterns are identified. Multi-protocol Traffic Correlation: Many efforts have focused on the analysis of a single protocol to identify patterns displayed by malware. The popularity of HTTP has made it the preferred protocol for malware creators and, as such, the target for researchers to analyze and detect malware. [12] presents a system to identify malicious drive-by download activities by exposing the distribution networks necessary to distribute malware. Similarly, [13], [14] propose classifiers based on features from web domains and URLs. Systems that analyze the DNS protocol usually look at failed DNS queries [15], [10], as this activity can reveal the presence of malware using domain generation algorithms (DGA). The problem with systems relying on a single protocol is their limited scope, as malware can switch among protocols, and the semantic understanding required of the particular protocol considered. In comparison, a seminal work evaluating multiple protocols is [16], where the lifecycle of botnets is modeled according to a set of phases. An interesting approach is used in [17], [18], where network traffic is represented through generic packet information such as length sequences and encoding differences, allowing the malware activity observed in different protocols to be represented. All of these multi-protocol approaches have the limitation of targeting specific types of malware. Our approach is instead general and encompasses different malicious activities. We propose a graph-based approach that extracts the behavioral commonalities from multiple clients with a seed event in common.

VIII. CONCLUSIONS

We presented a system able to identify and correlate network events with malicious traffic. Starting from a seed, i.e., an alarm raised by a reference IDS, our system leverages both spatial and temporal recurrence of events and frames them in a Network Connectivity Graph, that is, a focused representation of the malicious activities over multiple network layers. In contrast to other security tools, which often provide atomic information on malicious attacks, our system delivers an enriched set of network activities related to malicious software running on victims' hosts. Specifically, it is capable of spotting interactions between malicious and legitimate infrastructures, increasing the knowledge on the incident. We showed our approach to be effective against different classes of malware, each exhibiting peculiar behaviors and network patterns. In all cases, it provided a rich and interpretable characterization of the malicious activity, facilitating the understanding of malicious attacks and supporting the forensic activity of the security analyst.

REFERENCES

[1] iMPERVA, "Assessing the effectiveness of antivirus solutions," http://www.imperva.com/docs/HII_Assessing_the_Effectiveness_of_Antivirus_Solutions.pdf, 2012.

[2] R. Perdisci, I. Corona, D. Dagon, and W. Lee, "Detecting malicious flux service networks through passive analysis of recursive DNS traces," in Proc. of the Annual Computer Security Applications Conference (ACSAC '09), 2009, pp. 311–320.

[3] M. Cova, C. Kruegel, and G. Vigna, "Detection and analysis of drive-by-download attacks and malicious JavaScript code," in Proc. of WWW, 2010.

[4] P.-N. Tan, M. Steinbach, and V. Kumar, Introduction to Data Mining, 2nd ed. Addison-Wesley, 2013.

[5] D. Gunopulos, R. Khardon, H. Mannila, S. Saluja, H. Toivonen, and R. S. Sharma, "Discovering all most specific sentences," ACM Transactions on Database Systems (TODS), vol. 28, no. 2, pp. 140–174, 2003.

[6] F. Pan, G. Cong, A. K. Tung, J. Yang, and M. J. Zaki, "Carpenter: Finding closed patterns in long biological datasets," in Proc. of the 9th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. ACM, 2003, pp. 637–642.

[7] R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, and T. Berners-Lee, "Hypertext transfer protocol - HTTP/1.1," Tech. Rep., 2006.

[8] P. Mockapetris, "Domain names - concepts and facilities," Tech. Rep., 2003.

[9] N. Jiang, J. Cao, Y. Jin, L. Li, and Z.-L. Zhang, "Identifying suspicious activities through DNS failure graph analysis," in Proc. of the 18th IEEE International Conference on Network Protocols (ICNP). IEEE, 2010, pp. 144–153.

[10] Y. Nadji, M. Antonakakis, R. Perdisci, and W. Lee, "Connected colors: Unveiling the structure of criminal networks," in Research in Attacks, Intrusions, and Defenses. Springer, 2013, pp. 390–410.

[11] L. Liu, S. Saha, R. Torres, J. Xu, P.-N. Tan, A. Nucci, and M. Mellia, "Detecting malicious clients in ISP networks using HTTP connectivity graph and flow information," in Proc. of the IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining (ASONAM). IEEE, 2014, pp. 150–157.

[12] L. Invernizzi, S. Miskovic, R. Torres, S. Saha, S.-J. Lee, C. Kruegel, and G. Vigna, "Nazca: Detecting malware distribution in large-scale networks," in Proc. of the ISOC Network and Distributed System Security Symposium (NDSS '14), Feb. 2014.

[13] P. K. Manadhata, S. Yadav, P. Rao, and W. Horne, "Detecting malicious domains via graph inference," in ESORICS 2014. Springer, 2014, pp. 1–18.

[14] A. Le, A. Markopoulou, and M. Faloutsos, "PhishDef: URL names say it all," in Proc. of the 30th IEEE International Conference on Computer Communications, 2011, pp. 191–195.

[15] M. Antonakakis, R. Perdisci, Y. Nadji, N. V. II, S. Abu-Nimeh, W. Lee, and D. Dagon, "From throw-away traffic to bots: Detecting the rise of DGA-based malware," in Proc. of the USENIX Security Symposium, 2012, pp. 491–506.

[16] G. Gu, P. Porras, V. Yegneswaran, M. Fong, and W. Lee, "BotHunter: Detecting malware infection through IDS-driven dialog correlation," in Proc. of the 16th USENIX Security Symposium, 2007, pp. 12:1–12:16.

[17] C. J. Dietrich, C. Rossow, and N. Pohlmann, "CoCoSpot: Clustering and recognizing botnet command and control channels using traffic analysis," Computer Networks, vol. 57, no. 2, pp. 475–486, 2013.

[18] J. François, S. Wang, R. State, and T. Engel, "BotTrack: Tracking botnets using NetFlow and PageRank," in NETWORKING 2011. Springer, 2011, pp. 1–14.
