Network Connectivity Graph for Malicious Traffic Dissection

Enrico Bocchi*, Luigi Grimaudo*, Marco Mellia*, Elena Baralis*, Sabyasachi Saha†, Stanislav Miskovic†, Gaspar Modelo-Howard†, Sung-Ju Lee*

* Politecnico di Torino, {name.surname}
† Symantec Corp., {name surname}

Abstract—Malware is a major threat to the security and privacy of network users. A huge variety of malware spreads over the Internet, evolving every day and challenging the research community and security practitioners to improve the effectiveness of countermeasures. In this paper, we present a system that automatically extracts patterns of network activity related to a specific malicious event, i.e., a seed. Our system is based on a methodology that correlates the network events of hosts normally connected to the Internet over (i) time (i.e., analyzing different samples of traffic from the same host), (ii) space (i.e., correlating patterns across different hosts), and (iii) network layers (e.g., HTTP, DNS, etc.). The result is a Network Connectivity Graph that captures the overall "network behavior" of the seed. It is a focused and enriched representation of the malicious pattern that infected hosts exhibit, purified from ordinary network activities and background traffic. We applied our approach to a large dataset collected in a real commercial ISP where the aggregated traffic produced by more than 20,000 households has been monitored. A commercial IDS has been used to complement the network data with alerts related to malicious activities. We use such alerts to trigger our processing system. Results show that the richness of the Network Connectivity Graph provides a much more detailed picture of malicious activities, considerably enhancing our understanding.



I. INTRODUCTION

Information security over the Internet remains a primary concern for consumers, enterprises, and governments alike. Malware infiltrates and spreads over the Internet, hiding its traffic within an enormous volume of benign traffic. Attackers also use sophisticated schemes to modify malware and evade detection by security measures. Recent industry reports disclose that existing antivirus software detects less than 5% of newly crafted viruses [1]. This creates a de facto arms race between security researchers and attackers. Practitioners in the field take different approaches to detect malware, resulting in a set of methodologies ranging from instruction set and code analysis to traffic characterization of infected hosts. For instance, a detection rule can be designed by studying the behavior of infected hosts in a controlled environment (e.g., a honeypot). In this scenario, it is possible to identify the communication channel with the Command and Control (C&C) network, or to define signatures for the proprietary and obfuscated protocols used by malicious software.

However, it is generally more complicated to obtain a complete picture of the overall malware behavior, both because malware evolves to circumvent countermeasures and because tools that easily extract facts related to malicious activities are lacking. Thus, to obtain a thorough and up-to-date picture, security specialists are forced into a manual and cumbersome analysis of the data produced by infected hosts in the wild.

In this paper, we present a methodology to automatically extract detailed network patterns generated by infected hosts. We consider the vantage point offered by a network where the aggregate traffic of thousands of possibly infected hosts flows. A passive monitoring tool extracts and logs events from the traffic. An event could be an HTTP request, a DNS response, or simply a TCP flow going to a host using an unknown protocol. A security monitor, e.g., an Intrusion Detection System (IDS), analyzes the traffic in parallel and flags some of the events as malicious, according to a database of available rules. These flagged events are the seeds that trigger our analysis. Given the traffic log and a seed, our system provides a set of "forensic" information to the security analyst for a better understanding of the context in which malicious events take place. Ultimately, it extracts a detailed and complete picture of the malicious activities correlated with the seed event.

Identifying the subset of events that belong to the same activity is challenging, as each host generates thousands of events caused by multiple applications running concurrently. For instance, the same host could visit a legitimate web page, poll the mail server, and upload files to a cloud storage service, while a malware is connecting to a C&C node that instructs victims with new malicious commands.
Furthermore, the order in which events appear is typically not deterministic. Randomness comes from diversity (e.g., two hosts visiting the same page can fetch its objects in a different order) and from system state (e.g., a DNS request does not appear in the traffic because the server name has been previously resolved and cached). Our approach is based on a filtering and enrichment process that leverages the (i) temporal and (ii) spatial repetitiveness of events generated by different hosts. The intuition is to look for common patterns that are present in different snapshots from the same host, and among different hosts. We explicitly go after repetitive and popular events. In practice, as few as three observations of a malicious seed are enough to trigger our methodology. The result is offered as a Network Connectivity Graph (CG), which models only events highly correlated with the seed, and allows us to easily navigate and extract valuable information using our domain knowledge.

Fig. 1. Example of events generated by a host as seen from the network. (Timeline of HTTP, DNS and generic TCP/UDP events over time; the upper part shows the malicious activity, i.e., an obfuscated JS download, a binary download, and successful and failed DNS requests to the C&C domain (domC) followed by traffic to it; the lower part shows the host's normal activity, i.e., normal browsing, a click on an email, and periodic email checks.)

We start from real traffic collected in an operative network where more than 20,000 households are monitored. In a day, more than 336 M events are logged by the passive monitoring tool. A commercial IDS raises alarms for 1,700 unique malicious seeds, generating 42,000 events and belonging to more than 150 different threats. Out of those events, about 40,000 (95%) are processed by our system as they show the required properties of repetitiveness. For each seed, we run the filtering and enrichment process. At the end, the information offered in the final CG grows by a factor of 40, i.e., starting from a single seed, which is represented by three nodes in the CG, 160 nodes are present on average in the final CG. Visual inspection allows us to immediately spot (i) the malicious infrastructure (e.g., the presence of new C&C nodes), (ii) malicious attacks interfering with legitimate infrastructures (e.g., the exploitation of benign websites to force the download of Exploit Kits), and (iii) some evasion techniques adversaries use (e.g., DNS fast-fluxing [2]).

The contributions of our work are as follows:
• We propose a methodology that extracts and represents the network activity surrounding a malicious seed, which is useful to identify and derive a detailed superset of events correlated to it.
• We take a multi-layer approach that combines the connectivity between different protocol layers to uncover hidden behavior and provide forensic information.
• We offer the information in the form of a Network Connectivity Graph, a straightforward means to represent the common activity of malicious incidents.

We believe that applications of the CG go beyond the simple visualization of the malicious activity.
For instance, the signatures of the IDS can be updated and enriched, or the CG can be used as a signature itself to design novel behavioral classifiers able to distinguish between CGs derived from malicious and benign seeds. We leave these contributions as future work.

II. METHODOLOGY OVERVIEW

Before presenting the details of our system, we provide an overview and the intuitions behind its design.

A. Scenario

We consider a scenario in which a sniffer passively monitors the traffic generated by a large group of hosts, e.g., hosts in an enterprise network, or households connected to a Point of Presence (POP) of an Internet Service Provider (ISP). The sniffer extracts information from the packets and logs it in a file where each row corresponds to a different event. We assume that, for each TCP and UDP connection, the sniffer logs the flow identifier, the timestamp of the first packet, the flow duration, the number of exchanged packets and bytes, etc. For some protocols, the sniffer can provide multiple events with very detailed information. For instance, it can annotate each HTTP request/response with the requested URL, user-agent, content-type, server response status code, etc.

Consider the timeline generated by a host reported in Fig. 1. It details the logged events generated by Internet applications. DNS and HTTP events are reported using specific markers, while other protocols are reported as generic TCP/UDP events. The user is visiting a web page while an email client is polling a mail server for new messages. Normal events are reported in the bottom part of the timeline. Unfortunately, the visited site is hosting a Drive-by Download page. Events in the upper part are due to the malicious activity in which the host is unknowingly fooled into downloading a malware by a malicious JavaScript contained in the web page. We observe the download of the JavaScript object, followed by the download of the malware. Once running on the host, the malware periodically contacts (via HTTP) a C&C server whose hostname is quickly rotated using fast-flux [2]. The periodic polling is visible in the log as a sequence of (failed and successful) DNS requests and HTTP traffic to the C&C node.

Based on the view of the traffic from all monitored hosts, we design a methodology that extracts and characterizes common network activities. The challenge is how to isolate the events that are possibly correlated with a specific malicious activity from the "background" noise caused by other events.

B. Network Connectivity Graph

Consider a seed and the timeline around it. Intuitively, close-in-time events are likely to be related to it. For instance, in Fig. 1, the DNS request for the visited site followed by several HTTP requests to its server could be identified as a typical pattern. However, Drive-by Download attacks [3] can mimic or be hidden in the same behavior. To isolate them, we study snapshots of traffic that contain the specific seeds. Fig. 2 shows the workflow used to transform the events of a given host into a Host Connectivity Graph (Host-CG). Three steps are executed: (i) Snapshots extraction; (ii) Per-layer common patterns mining; and (iii) Host-CG creation.

Fig. 2. Host Connectivity Graph generation. (Pipeline: Host traffic → Observation Snapshots Extraction → Common Patterns Mining → Host Connectivity Graph (Host-CG) Creation.)

Snapshots Extraction. For each instance of the seed, we extract a snapshot, defined as the ordered set of events occurring in the temporal window centered at the seed. Two snapshots are presented in Fig. 2 as an example.

Common Patterns Mining. We then look for commonalities across snapshots. In particular, we look for patterns, defined as unordered sets of events, that appear across multiple snapshots. Intuitively, the periodic HTTP requests toward the C&C server would be a repeating pattern on the HTTP layer. On the contrary, the web browsing events asynchronously generated by the host would be present only in a small subset of snapshots. We extract separate common patterns by processing the host traffic considering layers in isolation. The traffic generated on each layer corresponds to all events of a specific protocol, so that HTTP, DNS, other-TCP (i.e., all TCP communication except HTTP on port 80), and other-UDP (i.e., all UDP communication except DNS on port 53) events are separately analyzed. This choice originates from the fact that each protocol has peculiarities that we want to leverage. For instance, in the HTTP layer we look for common and repetitive patterns, whereas on the DNS layer a single failed DNS request may be more interesting than successful ones.

Host Connectivity Graph. For each layer, we represent the common pattern as a graph where nodes and edges are specifically defined to offer a compact yet rich representation. Consider the HTTP layer. URLs can be represented by separating server hostnames and object paths into two nodes: an edge between a hostname and a path thus represents a URL. The resulting graph captures the website structure. For example, two URLs served by the same hostname are represented with one hostname node and two object nodes. Similarly, in the DNS layer, the request for a hostname is linked to the IP address(es) returned by the resolver.

Algorithm 1 Create Network Connectivity Graph.
input args: s: seed; H: set of hosts; Δ: snapshot duration
 1: procedure graphLayer(s, S, layer):
 2:   P = findCommonPattern(s, S, layer)
 3:   return fromPatternsToGraph(P, layer)
 4: procedure hostConnectivityGraph(s, h, Δ):
 5:   S = getSnapshots(s, h, Δ)
 6:   gHTTP = graphLayer(s, S, 'HTTP')
 7:   gDNS = graphLayer(s, S, 'DNS')
 8:   gTCP = graphLayer(s, S, 'TCP')
 9:   gUDP = graphLayer(s, S, 'UDP')
10:   return connectLayers(gHTTP, gDNS, gTCP, gUDP)
11: procedure seedConnectivityGraph(s, H, Δ):
12:   Gs = ∅
13:   foreach h ∈ H:
14:     Gs ← hostConnectivityGraph(s, h, Δ)
15:   return fuseGraphs(Gs)

Fig. 3. Snapshots creation when consecutive snapshots overlap. (Top: the i-th and (i+1)-st snapshots overlap by more than Δ/2 and are merged into a single snapshot. Bottom: they overlap by less than Δ/2 and the overlap is split between the two snapshots.)

As a last step, we connect the per-layer graphs into a final Host Connectivity Graph. This is done by adding links across layers. For instance, a hostname node in the HTTP layer is linked to the same hostname node in the DNS layer graph. The resulting graph is a rich and compact representation of the common network activity related to a specific seed and a given host. Each layer brings the specific characterization of the activity given by its protocol, resulting in an overall integration of common patterns. In the previous example, the HTTP layer highlights the common websites hosting the binary download, while the DNS layer reveals the failing requests triggered before or after C&C communications. Focusing on each layer individually would miss such a relationship.

Seed Connectivity Graph. We leverage the fact that the same seed may be present in the timelines of different hosts, offering some "spatial" diversity. To have a broader view of the common activity related to a specific seed, we "fuse" multiple Host-CGs into a single Seed Connectivity Graph (Seed-CG). As for the common patterns, we have the freedom to choose between a selective fusion, e.g., retaining only the nodes common to all Host-CGs, and a permissive fusion, e.g., merging all nodes from all Host-CGs.

III. BUILDING THE CONNECTIVITY GRAPH

The key aspect of the proposed methodology is the approach used to create Network Connectivity Graphs. The pseudo-code in Alg. 1 details this procedure. This section discusses the design choices taken and the parameters to be controlled when creating a Network Connectivity Graph.

A. Snapshots Extraction

The first step in processing host traffic is the extraction of the observation snapshots. We define the parameter Δ that controls the duration of the snapshots. In particular, a snapshot is composed of all events occurring in the interval ±Δ/2 centered around the seed. In case consecutive snapshots overlap, we apply the two strategies depicted in Fig. 3 to resolve the conflict. If the overlapping window lasts for more than Δ/2, the two snapshots are merged. Otherwise, the overlap is split into two halves, each associated with a different snapshot. These operations are executed by getSnapshots() (Alg. 1 line:5), which receives the seed (s), a host (h) presenting at least one instance of the seed, and the snapshot duration (Δ) as inputs. It returns the set of snapshots (S) found.

Different values of Δ lead to different results: the larger Δ (e.g., hours), the more the snapshots merge. This results in fewer snapshots on which to perform pattern mining, each presenting "noisy" data since few events are filtered out. Conversely, a small value of Δ (e.g., seconds) might be too conservative. In the following, we set Δ = 30 minutes. A complete sensitivity analysis is reported in Sec. V-B.
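The snapshot extraction rule above (windows of ±Δ/2 around each seed instance, merged when two consecutive windows overlap by more than Δ/2, otherwise split in half) as a small Python implementation. This is an added example, not the authors' code: the Event record, the timestamps and the item strings are constructed for illustration, and Δ is the paper's default of 30 minutes expressed in seconds.

```python
from dataclasses import dataclass

DELTA = 30 * 60  # snapshot duration in seconds (paper default: 30 minutes)


@dataclass(frozen=True)
class Event:
    ts: float    # seconds since the start of the trace (constructed)
    layer: str   # 'HTTP', 'DNS', 'TCP' or 'UDP'
    item: str    # event already mapped to an item (Sec. III-B)


def snapshot_windows(seed_times, delta=DELTA):
    """[start, end) windows of width delta centred on each seed instance.
    When a window overlaps the previous one by more than delta/2 the two are
    merged; a smaller overlap is split in half between the two windows."""
    windows = []
    for t in sorted(seed_times):
        start, end = t - delta / 2, t + delta / 2
        if windows:
            prev_start, prev_end = windows[-1]
            overlap = prev_end - start
            if overlap > delta / 2:
                windows[-1] = (prev_start, end)   # merge (Fig. 3, top)
                continue
            if overlap > 0:
                mid = prev_end - overlap / 2      # split the overlap in half (Fig. 3, bottom)
                windows[-1] = (prev_start, mid)
                start = mid
        windows.append((start, end))
    return windows


def get_snapshots(events, seed_times, delta=DELTA):
    """getSnapshots(s, h, delta): the events of one host grouped by snapshot.
    `seed_times` are the timestamps at which the IDS flagged the seed for this
    host; each event lands in exactly one snapshot or in none."""
    return [[e for e in events if lo <= e.ts < hi]
            for lo, hi in snapshot_windows(seed_times, delta)]


# Constructed trace of one host. Seeds at 1000 s and 1600 s are 600 s apart
# (overlap 1200 s > delta/2 = 900 s -> merged); seeds at 5000 s and 6200 s are
# 1200 s apart (overlap 600 s -> split at 5600 s); the last seed stands alone.
SEED_TIMES = [1000, 1600, 5000, 6200, 12000]
EVENTS = [
    Event(1000, 'HTTP', 'cc.example/gate.php'),     # seed
    Event(1200, 'DNS', 'news.example-198.51.100.9'),
    Event(1600, 'HTTP', 'cc.example/gate.php'),     # seed
    Event(3000, 'HTTP', 'mail.example/inbox'),      # outside every window
    Event(5000, 'HTTP', 'cc.example/gate.php'),     # seed
    Event(5700, 'DNS', 'x7.cc.example-NXDomain'),   # after the split point: 3rd snapshot
    Event(6200, 'HTTP', 'cc.example/gate.php'),     # seed
    Event(12000, 'HTTP', 'cc.example/gate.php'),    # seed
]


def snapshot_sizes(events=EVENTS, seed_times=SEED_TIMES, delta=DELTA):
    """Number of events per snapshot for the constructed trace."""
    return [len(s) for s in get_snapshots(events, seed_times, delta)]


if __name__ == '__main__':
    for (lo, hi), snap in zip(snapshot_windows(SEED_TIMES), get_snapshots(EVENTS, SEED_TIMES)):
        print(f'[{lo:>7.0f}, {hi:>7.0f})', [e.item for e in snap])
```

The boundary case is handled the way the text states it: an overlap of exactly Δ/2 is split, not merged, and a merged window keeps growing as long as later seeds keep overlapping it by more than Δ/2.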


host IP


host IP

B. Common Patterns Mining

We use the frequent itemset mining technique to extract common patterns [4]. This technique works on unordered sets of simple objects (e.g., strings). Snapshots, however, correspond to ordered sequences of events that may appear multiple times. We thus map each event to an item based on the event properties. Specifically:
• an HTTP item is represented by the HTTP URL, i.e., the server hostname followed by the object path (e.g., hostname/path/file.ext);
• a DNS item combines the requested hostname with either the list of returned IP addresses or the query response code (e.g., hostname–NXDomain);
• TCP and UDP items are represented by the server IP address and the port contacted (e.g., serverIP–443).

For each snapshot, we create a transaction containing the set of distinct items. We look for common itemsets, i.e., sets of items common to multiple transactions. A support value is computed for each itemset and indicates the fraction of transactions containing that itemset. An itemset is "frequent" if its support is greater than or equal to MinSupport. An itemset is "closed" if no itemset made of more items has the same support, i.e., it cannot be extended with further items without losing at least one transaction. Itemsets with fewer than MinLength items are discarded. With MinLength=1, frequent itemsets are equivalent to simple frequent items in terms of Connectivity Graph elements; with MinLength=2, at least pairs of items are considered. For instance, consider two items that appear in 70% and 45% of the snapshots, respectively. The itemset containing both may appear in anywhere from 15% to 45% of the snapshots (together in at least 70% + 45% − 100% = 15% of the snapshots, and in no more than the 45% in which the rarer item appears). Finding all itemsets is an NP-hard problem [5], but well-known algorithms compute frequent closed itemsets efficiently. Among those, we rely on the Carpenter algorithm [6], which is specifically designed for datasets made of few transactions (i.e., snapshots) that have a huge number of items (i.e., events).
Our system looks for frequent closed itemsets that, for simplicity, we call patterns. Patterns are extracted by findCommonPattern() (Alg. 1 line:2), which receives the seed (s), the set of snapshots (S) and the layer (layer) to process. It returns the set of patterns (P). The pattern extraction process is guided by the value of MinSupport, i.e., events that do not appear with a frequency of at least MinSupport are discarded. We set MinSupport = 1/2, i.e., for each host, we discard all events not appearing in at least half of the snapshots. Sensitivity analysis is detailed in Sec. V-B.

C. Host Connectivity Graph

As previously discussed, we individually process each layer to create separate graphs. The graphLayer() function (Alg. 1 line:1) extracts patterns for a specific layer and maps them into a graph. This mapping exploits a subset of the event properties:
• The HTTP layer has two node types: hostnames and object paths. An edge connects a hostname and an object path to compose a URL.
• The DNS layer has three node types: server hostnames, server IP addresses, and DNS error codes. An edge connects a hostname to either the IP addresses returned by a DNS response or to an error code.
• The TCP and UDP layers have two node types: server IP addresses and server ports. An edge connects the two to represent a TCP or UDP connection.

Fig. 4. Graph layers nodes and multi-layer connections.

Different graph layers are combined into a single Host-CG using hostConnectivityGraph() (Alg. 1 line:4). The function starts by extracting the snapshots (S) related to the seed. The snapshots are then processed to extract the graph layers (gHTTP, gDNS, gTCP, gUDP) through calls to graphLayer(). The separate layers are finally integrated to form the Host-CG using the connectLayers() function, which looks for common nodes across the layers and links them as represented in Fig. 4. Notice that each graph layer contains the host (h) IP address by construction.

D. Seed Connectivity Graph

To provide the global view of the common behavior seen by observing multiple hosts, we combine all Host-CGs. This operation is performed by the seedConnectivityGraph() function (Alg. 1 line:11). For each host (h) among the subset presenting the seed (H), the function creates the Host-CG by calling hostConnectivityGraph(). All the output graphs are collected into the set Gs. The graphs are finally merged using fuseGraphs(). This operation can follow different strategies. For instance, applying a strict intersection retains only the nodes appearing in all Host-CGs; in the worst case, this results in a Seed-CG containing only the original seed. More complex strategies can instead compute node and link popularity among hosts, and discard those below the threshold MinPopularity. In the following, we consider the strict intersection across Host-CGs as the default choice, i.e., MinPopularity=1.
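The mining and graph-building steps of Sec. III-B to III-D, in Python: frequent closed itemsets over the per-snapshot transactions, the per-layer node and edge mapping, the cross-layer join through shared hostname and IP nodes, and the strict-intersection fusion into a Seed-CG. This is an added example and not the authors' implementation. The closed itemsets are found by brute-force row enumeration (the idea Carpenter is built on, since transactions are few while items are many) rather than with Carpenter itself; the two hosts, their three snapshots per layer, and all hostnames and addresses are constructed; items are tuples rather than the dash-separated strings of the paper; and the per-host IP node is left out so that Host-CGs of different hosts can be intersected directly.

```python
from itertools import combinations

MIN_SUPPORT = 0.5   # paper default: an itemset must be in at least half of the snapshots
MIN_LENGTH = 1      # paper default: single frequent items already count as patterns


def closed_frequent_itemsets(transactions, min_support=MIN_SUPPORT, min_length=MIN_LENGTH):
    """Frequent closed itemsets by row (transaction) enumeration.
    The intersection of any non-empty subset of transactions is a closed itemset,
    and every closed itemset is such an intersection, so enumerating transaction
    subsets finds all of them. Exponential in the number of transactions, which
    is acceptable here: transactions are snapshots (few), items are events (many).
    Returns {itemset: support}."""
    rows = [frozenset(t) for t in transactions]
    n = len(rows)
    found = {}
    for k in range(1, n + 1):
        for subset in combinations(rows, k):
            items = frozenset.intersection(*subset)
            if len(items) < min_length or items in found:
                continue
            support = sum(1 for r in rows if items <= r) / n   # may exceed k/n
            if support >= min_support:
                found[items] = support
    return found


def graph_layer(transactions, layer):
    """findCommonPattern() + fromPatternsToGraph() for one layer.
    A node is a (type, value) tuple, an edge a (node, node) tuple; node types
    follow Sec. III-C. Item shapes (constructed): HTTP (hostname, path);
    DNS (hostname, tuple_of_ips | rcode); TCP/UDP (server_ip, port)."""
    edges = set()
    for items in closed_frequent_itemsets(transactions):
        for item in items:
            if layer == 'HTTP':
                hostname, path = item
                edges.add((('hostname', hostname), ('path', path)))
            elif layer == 'DNS':
                hostname, answer = item
                if isinstance(answer, tuple):
                    edges.update((('hostname', hostname), ('ip', ip)) for ip in answer)
                else:
                    edges.add((('hostname', hostname), ('rcode', answer)))
            else:
                ip, port = item
                edges.add((('ip', ip), ('port', f'{layer}/{port}')))
    return edges


def host_connectivity_graph(layers):
    """connectLayers(): a hostname seen in HTTP and DNS, or an IP seen in DNS and
    TCP, is the same (type, value) node in both layers, so the union of the
    per-layer edge sets already links the layers together."""
    return set().union(*(graph_layer(tx, layer) for layer, tx in layers.items()))


def seed_connectivity_graph(host_cgs):
    """fuseGraphs() with the strict-intersection default (MinPopularity = 1)."""
    return set.intersection(*host_cgs)


# Constructed data: two infected hosts, three snapshots per layer (one transaction each).
GATE, LOGO = ('cc.example', '/gate.php'), ('cdn.example', '/logo.png')
CC_A, BAD_NX = ('cc.example', ('203.0.113.5',)), ('bad.example', 'NXDomain')
CC_TCP = ('203.0.113.5', 8080)
HOST_A = {
    'HTTP': [{GATE, LOGO, ('news.example', '/')}, {GATE, ('mail.example', '/inbox')}, {GATE, LOGO}],
    'DNS':  [{CC_A, BAD_NX}, {CC_A, BAD_NX}, {CC_A}],
    'TCP':  [{CC_TCP}, {CC_TCP}, {CC_TCP, ('198.51.100.7', 443)}],
}
HOST_B = {
    'HTTP': [{GATE, ('shop.example', '/cart')}, {GATE}, {GATE, LOGO}],
    'DNS':  [{CC_A, BAD_NX}, {CC_A}, {CC_A}],
    'TCP':  [{CC_TCP}, {CC_TCP}, {CC_TCP}],
}


def demo():
    """Seed-CG of the constructed seed over HOST_A and HOST_B."""
    return seed_connectivity_graph([host_connectivity_graph(HOST_A), host_connectivity_graph(HOST_B)])


if __name__ == '__main__':
    for src, dst in sorted(demo()):
        print(src, '->', dst)
```

On the constructed data Host A's own CG keeps the 2/3-support items (the logo fetched alongside the gate, the NXDomain name seen before the C&C contact) while Host B lacks them, so the strict intersection leaves exactly the chain that crosses all three layers: the C&C URL, the resolution of its hostname to an IP, and the non-HTTP TCP connection to that same IP.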


TABLE I
Class       Hosts (%)        Events (%)          Flagged hosts   Flagged events
HTTP        16,217 (79.1)    39.7 M (11.8)       1,308           42,007
DNS         15,164 (74.1)    30.7 M (9.3)        -               -
Other TCP   18,911 (92.31)   40.8 M (12.14)      31              1,543
Other UDP   18,032 (88.02)   224.7 M (66.87)     -               -
Total                        335.9 M

Fig. 5(a). Popularity of HTTP objects (fraction of hosts vs. URL popularity rank, log-scale x-axis; series: All, Flags).

IV. DATASET

We now describe the traffic traces and the tools used to extract the information that builds our dataset.

A. Data Collection

We consider a vantage point located in a commercial ISP where approximately 20,000 customers are connected. Most of the customers are residential users, connected via ADSL modems to the monitored point. Each customer modem is given a static IP address, which can be used to identify all the traffic generated by or destined to the same household. In the following, we generalize the term "host" to refer to the traffic exchanged by a single household (IP address); given the popularity of NAT (Network Address Translation) at home, the ADSL modem IP address identifies the traffic exchanged by all devices accessing the Internet in each customer household.

We consider a trace obtained live during one day in April 2012. A commercial monitoring tool processed the packets in real time to generate a text log file in which each TCP and UDP flow is logged. For each flow, a record is stored. It details the flow identifier (the tuple of source/destination IP addresses, source/destination ports, and protocol type), the timestamp of the first packet, the total number of packets/bytes sent and received, and the application protocol used. In case the protocol is HTTP, the entry is annotated with the server hostname, object path, user-agent, content-type, response status (e.g., 200 OK), and content-length, directly extracted from the HTTP header [7]. In case multiple HTTP objects are fetched over the same TCP flow (e.g., due to persistent HTTP connections), multiple records are logged. Similarly, for each DNS transaction, the tool logs the requested hostname and the set of returned IP addresses, or the response code in case of an error (e.g., NXDomain) [8]. To protect users' privacy, sensitive information has been removed.

In parallel to the monitoring tool, a commercial IDS processed the packets in real time, logging alerts if some network activity matched any rule present in its database. We consider the IDS as an oracle that reveals which events are to be considered malicious. For each alert, the IDS simply specifies the flow identifier and a threat-ID, i.e., a numerical code that identifies a particular threat. The IDS is very conservative in triggering alerts, hence it is possible that some malicious events do not trigger any alert. Conversely, every alert is related to some malicious activity.

B. Dataset Overview

We consider each record in the log as a different event. By matching the flow identifiers, alerts are linked to records, so that records can be flagged as malicious. We obtain the labeled dataset described in Table I. Overall, 20,486 hosts generated about 336 M events over the whole day. About 20% of those are HTTP and DNS records; the large majority of the "Other TCP" events is due to TLS/SSL (HTTPS) traffic, and of the "Other UDP" events to Peer-to-Peer applications. Among all users, 6.4% exhibit some malicious activity (i.e., at least one event is flagged), with 151 different threat-IDs being reported by the IDS. Yet, only 43,550 flags are raised by the IDS. That translates to a negligible 0.013% of all traffic. Most of these records correspond to HTTP traffic, with the exception of some IRC and RPC flows. This confirms, on the one hand, the very stealthy and low-rate activity that malware typically generates. On the other hand, it confirms the conservative design of the IDS. Almost all the flags are related to malicious HTTP activities, including Exploit Kits (e.g., Nuclear, Blackhole, ZeroAccess), Drive-by Downloads, Malicious Browser Toolbars, Trojans and Worms (e.g., Skintrim, Conficker), etc.

Fig. 5(b). Snapshots per malicious seed (x-axis: malicious seeds; y-axis: number of snapshots).

Fig. 5. Dataset characterization. (a) Top-100 HTTP objects are whitelisted. (b) Seeds generating at least 3 snapshots are processed by our system.

C. Whitelisting

Whitelisting is a common technique used both to reduce the amount of information processed and to discard data that would pollute the analysis. For the same purposes, we built a whitelist that targets very popular events that would appear in any CG with high probability but add little information or create noise. Instead of creating a manual list of popular and benign events, we opt for a dynamic and context-aware approach. We build a whitelist based on event popularity among clients, and select the top-k elements to be ignored during processing. We whitelist single HTTP events and not entire websites, as it is known that malware can be hosted and distributed also from legitimate services. Fig. 5(a) shows the HTTP event popularity, i.e., the fraction of hosts that accessed a given URL (with stripped parameters). Note the log scale on the x-axis. Fig. 5(a) shows the classic heavy-tailed popularity. Top URLs are clearly very common among most of the hosts. Those include social network buttons, analytics services, software update checks, etc. Red triangles highlight those events that are considered malicious by the oracle. The most diffused
/zbar/v2/prod/game/fb81eb07f135192f5d49100982241bb1.png /hprofile−ak−snc4/371771_100001654317020_1010609740_q.jpg /hprofile−ak−snc4/161170_100002129125070_869877764_q.jpg /hphotos−ak−ash3/552824_392914624074405_879211169_n.jpg /hphotos−ak−snc7/p480x480/72556_1437003130377_1391961887_31036847_4473004_n.jpg /js/download.js /hprofile−ak−ash2/273330_1596731001_523860472_t.jpg /hprofile−ak−snc4/574005_100000420518082_1632235534_q.jpg /scripts/following_parser.js /hprofile−ak−ash2/565226_1393255652_485808195_t.jpg /static/fanpage/img/fb−connect.png /ScriptResource.axd /rsrc.php/v1/y6/r/n7OLd78dc_8.js /ajax/presence/update.php /hprofile−ak−snc4/260692_100000726608589_1780107603_q.jpg /jspix /hphotos−ak−ash4/185575_237075009658368_100000676125796_778056_1909867_a.jpg /photos−ak−snc1/v85005/230/116014898445746/app_2_116014898445746_2541.gif /ajax/feed/feed_menu.php /zlive/zoom/latest−prod/js/swfobject.js /poker/getStaticSet.php /__utm.gif /safe_image.php /rsrc.php/v1/y5/r/E5QVKTtyFOd.png 2 /rsrc.php/v1/yu/r/Z8pDY0UNUO4.js /photos−ak−snc1/v85006/121/183211452517/app_2_183211452517_7537.gif /poker/dynamic_assets/100/gift87_1.png /hprofile−ak−snc4/565221_1492122993_467277717_t.jpg /poker/inc/ajax/luckyBonus.php /1/urls/count.json /ajax/typeahead/search/bootstrap.php /static/fanpage/js/jquery.colorbox−min.js /hphotos−ak−snc6/165333_100870713324242_100002039403380_3273_2122562_n.jpg /photos−ak−snc1/v27562/151/151829154838267/app_2_151829154838267_1757.gif /rsrc.php/v1/yh/r/2e71hHWKLkX.png /hprofile−ak−snc4/273358_895805400_1309865551_q.jpg /poker/dynamic_assets/as3/gift166_1.swf /poker/locale/en/img/lobbyBackgrounds/turkey0001.jpg /hphotos−ak−ash4/226080_237075302991672_100000676125796_778058_2105475_n.jpg /hphotos−ak−prn1/535515_392905437408657_100000676125796_1237233_741496854_a.jpg /poker/casino/ajax/ZSC/Accept/ /texas_holdem/ai.php /subscribe /photos−ak−snc1/v85005/222/365709729894/app_2_365709729894_5222.gif /static/fanpage/css/colorbox.css 
/hphotos−ak−snc6/284142_235833409782528_100000676125796_773360_6339820_a.jpg /js/8094158.js /photos−ak−snc1/v85005/80/228348247236308/app_1_228348247236308_1490.gif /WebResource.axd /hprofile−ak−snc4/186344_100001005362217_1185407405_q.jpg /static/fanpage/img/gossip/socialcats/5537d149731a7ae67a31403ab8ccb542_1273675090−50x50.jpg /hprofile−ak−snc4/49856_1179336558_3037_q.jpg /hphotos−ak−snc6/164105_100870876657559_100002039403380_3282_7125869_n.jpg /hprofile−ak−snc4/161259_100001879378218_6432409_q.jpg /static/fanpage/img/gossip/socialcats/3397f28a49896345dd8a97aef27664d4_1273854312−50x50.jpg /static/fanpage/css/style.css /photos−ak−snc1/v27562/175/102766453114171/app_1_102766453114171_8088.gif /hphotos−ak−snc7/396287_300691336648184_100001219593333_890976_1023031451_n.jpg /rsrc.php/v1/yH/r/1yFUVzvGflf.png /zbillr/javascripts/fbc_proxy_receiver.js /hphotos−ak−prn1/562507_392905357408665_100000676125796_1237232_2000035560_a.jpg /hprofile−ak−snc4/274759_100001475743630_4934220_q.jpg photos− /hprofile−ak−ash2/49135_1495763503_5748_q.jpg /rsrc.php/v1/yl/r/cN5zKudwrmb.css /hprofile−ak−snc4/48916_1336382160_1709951995_q.jpg /poker/CasinoSnapiProxy.php /hprofile−ak−snc4/41555_100002785114347_1652305387_q.jpg /hprofile−ak−snc4/174182_100001161171722_1921820198_q.jpg /hphotos−ak−ash3/555479_383177088381492_100000676125796_1208370_615701503_a.jpg /cgi−bin/m /poker/locale/it/img/shouts/highscore_weeklycontest2.swf /static/fanpage/js/fp−socialbox.js /photos−ak−snc1/v85005/244/65108332792/app_1_65108332792_9404.gif /hphotos−ak−ash4/407661_337379306294604_100000676125796_1087240_1926487984_n.jpg /hphotos−ak−snc6/229634_237075536324982_100000676125796_778060_7276928_a.jpg /photos−ak−snc1/v85006/109/107040076067341/app_1_107040076067341_1528.gif /hphotos−ak−prn1/s320x320/26692_1314915718268_1391961887_30755825_2342829_n.jpg 3 /poker/iframe_proxy.php− /hphotos−ak−ash3/166797_100870659990914_100002039403380_3270_2778416_n.jpg /hprofile−ak−snc4/173212_1546634717_946839939_q.jpg 
photos− /photos−ak−snc1/v43/152/154089927959840/app_2_154089927959840_1239.gif /poker/image_proxy.php/aHR0cDovL3Byb2ZpbGUuYWsuZmJjZG4ubmV0L2hwcm9maWxlLWFrLWFzaDIvMzY5OTE5XzEwNTk2MDA2NTBfMjU0ODIyOTkyX3EuanBn /adscores/g.pixel /poker/inc/ajax/chip_vals.php /hphotos−ak−snc7/s320x320/76027_1450285062417_1391961887_31058442_1557303_n.jpg /poker/image_proxy.php/aHR0cDovL3Byb2ZpbGUuYWsuZmJjZG4ubmV0L2hwcm9maWxlLWFrLXNuYzQvNDE1NTVfMTAwMDAyNzg1MTE0MzQ3XzE2NTIzMDUzODdfbi5qcGc= /photos−ak−snc1/v85006/39/101539264719/app_1_101539264719_2507.gif secure− /ajax/photos/photo/tags/tags_init.php /hprofile−ak−snc4/275823_1335733940_834053024_t.jpg photos− /hprofile−ak−snc4/161485_100000964885703_485534086_q.jpg /photos−ak−snc1/v85006/247/30713015083/app_1_30713015083_2979.gif /photos−ak−snc1/v85006/237/256051837747677/app_1_256051837747677_2325.gif /poker/img/shouts/003_threesco_100.png /hphotos−ak−snc7/312780_278137352218800_100000676125796_915311_1551900761_s.jpg /crossdomain.xml /rsrc.php/v1/ys/r/0VDksn8o5BR.png /js/jquery/jqueryui.js /hphotos−ak−snc6/284142_235833409782528_100000676125796_773360_6339820_n.jpg photos− /poker/inc/ajax/trackFriendFeed.php /hprofile−ak−snc4/41661_678484760_313677665_q.jpg /hphotos−ak−snc7/407905_2640210558576_1054900399_32483284_1415883070_s.jpg /rsrc.php/v1/yP/r/JJTbNB3NOtv.png /poker/image_proxy.php/aHR0cDovL3Byb2ZpbGUuYWsuZmJjZG4ubmV0L2hwcm9maWxlLWFrLXNuYzQvMzcxMTkxXzEwMDAwMDQ4NzY0NDczMF8xOTA1NDk4ODAzX3EuanBn /poker/adapter/zgift_info.php /rsrc.php/v1/ya/r/GkSTZ3wYZBQ.png /poker/inc/ajax/amazing_ideas.php /hprofile−ak−snc4/48897_100001281214666_1095838380_q.jpg /poker/inc/ajax/profile_popup.php /ad/N3024.5011.FOXINTERACTIVE/B6449871;sz=1x1;ord=52074038 /poker/casino/ajax.php /hphotos−ak−ash4/249929_218011594898043_100000676125796_704480_7768516_a.jpg /hprofile−ak−snc4/186535_1052265436_6807914_q.jpg /poker/casino/ajax/ZSC/GetMessageData/ /poker/adapter/user_data.php photos− /connect.php/js/FB.Share photos− 
/photos−ak−snc1/v85005/222/365709729894/app_1_365709729894_9467.gif /hphotos−ak−prn1/543248_392848557414345_100000676125796_1237183_584277678_a.jpg /photos−ak−snc1/v27562/52/2389801228/app_1_2389801228_4018.gif /wp−admin/admin−ajax.php /static/fanpage/img/gossip/favicon.ico /hphotos−ak−prn1/562722_393219950710539_100000676125796_1237622_2143092417_a.jpg /viewad/954669/1−inv.gif /poker/server_status.php /static/fanpage/img/gossip/socialcats/e2b11d959bce053c90de466604ed28a1_1318858190−50x50.jpg /hprofile−ak−ash2/187086_100000363921369_6546321_q.jpg−ak−snc6/254706_236767246355811_100000676125796_776911_5097146_a.jpg /poker//inc/ajax/ztrack_social.php /hphotos−ak−ash4/380601_383177018381499_100000676125796_1208366_452298874_a.jpg photos− /hphotos−ak−ash4/268672_235833289782540_100000676125796_773359_3697943_a.jpg /photos−ak−snc1/v27562/157/183366208380001/app_1_183366208380001_2727.gif /poker/callback/loadMilestone.php /hphotos−ak−snc7/162835_100870826657564_100002039403380_3279_7550227_n.jpg /ajax/pagelet/generic.php/PhotoViewerPagelet /hphotos−ak−snc6/163139_100870863324227_100002039403380_3281_2081965_n.jpg /link/link.php /ajax/pagelet/generic.php/PhotoViewerInitPagelet /photos−ak−snc1/v27562/175/102766453114171/app_2_102766453114171_8233.gif /js/jquery/jquery.urlEncode.js /texas_holdem/dmz_link_landing.php /hphotos−ak−snc7/p480x480/149161_1450288062492_1391961887_31058449_5122823_n.jpg /imgs/galleries/peole−are−talking−about/ossessione−del−giorno/007999/26−5234414_201x113.jpg /hphotos−ak−ash4/s320x320/407236_2790145346852_1054900399_32556565_1399259089_n.jpg /javascripts/z_purchase.js /hphotos−ak−snc6/s320x320/165260_1504281852303_1391961887_31171518_4446658_n.jpg /texas_holdem/index.php /b/o /connect.php/it_IT /imgs/galleries/peole−are−talking−about/ossessione−del−giorno/007999/21−43754_201x113.jpg /imgs/galleries/peole−are−talking−about/ossessione−del−giorno/007999/rihanna−3310943_201x113.jpg /poker/inc/ajax/chips.php 
/hphotos−ak−snc6/168926_100870946657552_100002039403380_3286_7170577_n.jpg /hphotos−ak−ash4/s320x320/405734_2640209958561_1054900399_32483283_868894953_n.jpg /imgs/galleries/peole−are−talking−about/ossessione−del−giorno/007999/22−101501_201x113.jpg /poker/inc/ajax/liveChrome.php /static/fanpage/js/functions.js /hphotos−ak−ash3/555479_383177088381492_100000676125796_1208370_615701503_n.jpg /hphotos−ak−ash4/249929_218011594898043_100000676125796_704480_7768516_n.jpg /hphotos−ak−snc6/185298_235845599781309_100000676125796_773383_1963093_a.jpg /hphotos−ak−prn1/535462_383177051714829_100000676125796_1208368_406060946_a.jpg /hphotos−ak−snc7/163213_100870566657590_100002039403380_3264_2479830_n.jpg /hphotos−ak−prn1/560213_383177031714831_100000676125796_1208367_1998403977_n.jpg /css/styles_dark.css /poker/client/modules/LuckyBonus008t.swf /hphotos−ak−ash3/561834_383177068381494_100000676125796_1208369_584924645_a.jpg /hphotos−ak−prn1/s320x320/30468_1314916718293_1391961887_30755836_6756993_n.jpg /login_user.php /ajax/pagelet/generic.php/WebEgoPane /poker/inc/ajax/openGraphEndpoints.php /css/colorbox.css /js/jquery/jquery.easing.compatibility.js /hphotos−ak−snc7/p480x480/418513_254203174669158_100002384311499_569106_930991690_n.jpg /hphotos−ak−snc6/251107_218015671564302_100000676125796_704564_4039342_n.jpg /images/shim.gif /photos−ak−snc1/v85005/166/164285363593426/app_1_164285363593426_1385.gif /update_user.php /mark/26069_18 /js/script_common.js /js/jquery/jquery−1.4.1.min.js /poker/inc/ajax/popup_deferred_load.php /poker/adapter/zuser_feed.php /hphotos−ak−ash4/407661_337379306294604_100000676125796_1087240_1926487984_a.jpg /hphotos−ak−snc6/185218_236766699689199_100000676125796_776909_6410623_a.jpg /jennifer−lopez−senza−veli−per−spot−il−toyboy−l−ha−svecchiata/ /hphotos−ak−snc6/167640_100870923324221_100002039403380_3285_5112154_n.jpg /hphotos−ak−snc7/33820_100870809990899_100002039403380_3278_1850791_n.jpg 
/poker/image_proxy.php/aHR0cHM6Ly9mYmNkbi1wcm9maWxlLWEuYWthbWFpaGQubmV0L2hwcm9maWxlLWFrLWFzaDIvMTc0MTY5XzEwMDAwMzU3NjI2NTM3NV8xODIwMTIzODU1X3EuanBn /hphotos−ak−snc6/168095_100870739990906_100002039403380_3274_692480_n.jpg /js/23777651.js /hprofile−ak−snc4/572691_100000262934515_165452218_q.jpg /js/condenet/jquery.cookies.js /hphotos−ak−snc6/200221_1622881977232_1391961887_31364215_2612460_n.jpg /activityi;src=954669;type=nuven191;cat=landi232;ord=4044130197191.0083 /imgs/galleries/peole−are−talking−about/ossessione−del−giorno/007999/20−2668906_201x113.jpg /css/colorbox−login.css /_tracker/569/hphotos−ak−ash3/s320x320/167094_1511012020553_6376530_n.jpg /volvo.php /mybach.php /_uploads/brief/u39103/video/5544/vulf−s_1334662854.png /css/styles_article.css /en_US/all.js /b/p /it_IT/all.js /hphotos−ak−ash3/555577_3351311235158_1640208996_2619594_1199453245_n.jpg /imgs/galleries/peole−are−talking−about/ossessione−del−giorno/007999/23−93977_201x113.jpg /css/−gallery.css /images/fb_popup/fb_popup_empty_like_button.jpg /css/styles_common.css 9339 /gossipfanpage/wp−content/uploads/2012/01/i−messaggi−di−casper−smart−su−twitter.jpg 8890 /ads/js/tfa_ebuzz_creaebz.js /iframe/12 / /ads/firewall/firewall2.php 843 1−jv− 2−jv− 3−jv−

(a) Initial graph from a single snapshot. 28326 40017 26567 40047 33033 40028 40016 10425 12345 40025 40034 40004 40021 40030 40001 /world.php



Non−Existent Domain


443 /volvo.php

995 s−





Server Failure


Host_2 Non−Existent Domain

(b) Host-CG of a single client. Server Failure

(c) Final Seed-CG.

Fig. 6. Evolution of Network Connectivity Graphs at several steps of our methodology. The event under study is reported as malicious by our oracle. Three clients are flagged for this event: Two generate two analysis snapshots each, while the third client generates eight snapshots.
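The three steps of Fig. 6 reduced to code, as an added example that is not the authors' system: a Host-CG keeps the events present in at least a MinSupport fraction of one host's snapshots, and the Seed-CG keeps the events present in at least a minPopularity fraction of the flagged hosts, after dropping the Top-100 whitelist. The fraction reading of both parameters follows the description of c1 and c3 in Table II; the three hosts' snapshots, the hostname seed-host.example, the IP address, the ports and the reading of MinSnapshots as a count over all flagged hosts are assumptions of this example.

```python
from collections import Counter

# Node types counted in Table II. An event is a (type, value) pair, e.g.
# ("object-path", "/volvo.php") or ("dns-error", "Non-Existent Domain").
NODE_TYPES = ("object-path", "hostname", "server-ip",
              "dst-port-tcp", "dst-port-udp", "dns-error")

# The three parameter sets of Table II (c2 is the suggested default).
PARAM_SETS = {
    "c1": {"min_support": 1.0, "min_popularity": 1.0},
    "c2": {"min_support": 0.5, "min_popularity": 1.0},
    "c3": {"min_support": 0.0, "min_popularity": 0.0},
}


def eligible_seed(hosts, min_snapshots=3):
    """Seed eligibility (assumed reading of MinSnapshots=3): the flagged
    event must recur over at least min_snapshots snapshots in total."""
    return sum(len(snaps) for snaps in hosts.values()) >= min_snapshots


def host_cg(snapshots, min_support):
    """Host-CG (Fig. 6(b)): keep events present in at least a min_support
    fraction of this host's snapshots, dropping one-off background traffic."""
    freq = Counter(ev for snap in snapshots for ev in set(snap))
    return {ev for ev, k in freq.items() if k / len(snapshots) >= min_support}


def seed_cg(hosts, min_support, min_popularity, whitelist=frozenset()):
    """Seed-CG (Fig. 6(c)): fuse the Host-CGs, keeping events present in at
    least a min_popularity fraction of hosts and not in the whitelist of
    events common to a large share of the whole population."""
    cgs = [host_cg(snaps, min_support) for snaps in hosts.values()]
    freq = Counter(ev for cg in cgs for ev in cg)
    return {ev for ev, k in freq.items()
            if k / len(cgs) >= min_popularity and ev not in whitelist}


def count_by_type(cg):
    """Per-type node counts, i.e. one row of Table II."""
    counts = {t: 0 for t in NODE_TYPES}
    for node_type, _ in cg:
        counts[node_type] += 1
    counts["total"] = len(cg)
    return counts


# Constructed sample mirroring Fig. 6: hosts A and B yield two snapshots
# each, host C yields eight. Hostname and IP are placeholders.
SEED = ("object-path", "/mybach.php")
WHITELIST = frozenset({("object-path", "/pixel.gif")})  # tracking pixel seen by most hosts


def sample_hosts():
    core = {SEED, ("object-path", "/world.php"), ("hostname", "seed-host.example"),
            ("server-ip", "198.51.100.7"), ("dst-port-tcp", 80),
            ("object-path", "/pixel.gif")}
    volvo = ("object-path", "/volvo.php")
    nxdomain = ("dns-error", "Non-Existent Domain")
    # Host A: malicious core plus HTTPS and POP3S mail traffic in every snapshot.
    a = [core | {volvo, nxdomain, ("dst-port-tcp", 443), ("dst-port-tcp", 995)}
         for _ in range(2)]
    b = [core | {volvo, nxdomain} for _ in range(2)]
    c = []
    for i in range(8):
        snap = core | {("dst-port-udp", 40017)}   # Skype-like UDP flow, every snapshot
        if i < 5:
            snap.add(volvo)                        # support 5/8 = 0.625 on host C
        if i < 4:
            snap.add(nxdomain)                     # support 4/8 = 0.5, exactly the c2 threshold
        if i == 0:
            snap.add(("dst-port-udp", 12345))      # one-off noise, support 1/8
        c.append(snap)
    return {"A": a, "B": b, "C": c}


def table_ii_rows(hosts, whitelist=WHITELIST):
    """Node counts per parameter set: the shape of Table II for one seed."""
    return {name: count_by_type(seed_cg(hosts, whitelist=whitelist, **params))
            for name, params in PARAM_SETS.items()}


if __name__ == "__main__":
    hosts = sample_hosts()
    print("eligible seed:", eligible_seed(hosts))
    for name, row in table_ii_rows(hosts).items():
        print(name, row)
```

Under c1 only the nodes present in every snapshot of every host survive, c2 additionally keeps /volvo.php (missed in three of host C's snapshots) and the DNS failure, and c3 pulls in the mail, Skype and one-off noise nodes as well.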

type of attack - a Drive-by Download threat - infects about 800 hosts (3.8% of hosts). The long tail confirms the intuition that most URLs are accessed by few hosts only. We conservatively compile a whitelist made of the Top-100 HTTP events, which equivalently filters those events that are common to more than 23% of hosts. This avoids blurring the common pattern mining and reduces the itemset extraction time, without affecting the descriptiveness of CGs.

V. CONNECTIVITY GRAPH CHARACTERIZATION

We next evaluate the benefits and properties of CG creation. We first identify the number of events eligible to become seeds. Recall that our methodology requires a recurrence of seeds over time and over the population. This requirement matches basic properties of malicious activities, such as recurrent reporting to the C&C center or recurrent attempts to identify new victims. For this reason, we expect that malware distributors would try to disguise such repetitiveness as much as possible. In our dataset we found 820 malicious hosts that had only one flagged event. If analyzed in isolation (on a per-host basis), these events would not have any recurrence. Fig. 5(b) reports the number of snapshots that can be associated with each unique malicious event. Considering 1,783 unique malicious events, we found that 236 events can be uniquely associated with at least three independent snapshots. Setting MinSnapshots=3, these events become fully characterizable by our system. In fact, looking at the absolute numbers, we can provide insights for 95% of the malicious snapshots in our dataset (40k out of 42k events).

A. Connectivity Graph construction steps

In Fig. 6, we present an example of the Network Connectivity Graph evolution according to the steps of the methodology described in Sec. III. We consider the malicious seed http:// mybach.php.

• Fig. 6(a) shows the network traffic produced by a host during a single 30 minute snapshot centered on the seed. Obviously, this graph is very difficult to interpret.

• Fig. 6(b) presents the Host-CG of one of the three clients (red marker in the center) involved in the malicious activity. Despite being already clearer and understandable with little effort, it still contains some nodes related to ordinary user behavior that are not part of the malicious activity. For instance, HTTPS and POP3 Secure transactions on the TCP layer (light green circles in the bottom-right part) are related to mail exchange and login to Google services, while flows over UDP (olive green circles in the upper part) are mostly directed to the Skype service.

• Fig. 6(c) corresponds to the final Seed-CG generated by our system when fusing the Host-CGs of three different hosts. It is now much easier to identify the events involved in the suspicious activities. Events highlighted by red edges are those considered malicious by our oracle. The richness of the provided indications stems from the augmented context that we provide about these clients. First, the clients access three URLs (blue hexagons) hosted by three hostnames (orange circles), all of which now become an indication of a suspicious infrastructure. Next, two of the contacted hostnames ( and use the same IP address (gray diamonds), suggesting potential obfuscation by hostname flipping and resource reuse, both common practices among malicious adversaries. The third hostname ( is distributed over several mirrors whose IP addresses belong to very different subnets, a hint of cheap infrastructure or zombies that were previously infected by the malware. Finally, the right side of Fig. 6(c) shows another layer of information indicating multiple failures of DNS queries (purple boxes). This reinforces our suspicion.

Apart from providing more context for the malicious activity, our system discovers new malicious objects and improves the flagging consistency of our oracle IDS. For example, the object volvo.php is consistently included in malicious graphs, while the IDS occasionally missed it. Our system also discovered a new object world.php, and we confirmed its maliciousness across several other security tools such as VirusTotal.2

B. Impact of Pattern Filtering

We study the volume of information that the Seed-CG creation process extracts from single seeds.
Table II shows the average number of nodes included in the final Seed-CGs. Three sets of parameters are reported, from a very selective common pattern filtering such as c1 = {MinSupport=1, minPopularity=1}, which selects only the objects that appear in all snapshots and for all hosts, to c3 = {MinSupport=0, minPopularity=0}, which instead merges and fuses all patterns independently of their support and popularity. c2 = {MinSupport=0.5, minPopularity=1} is the suggested default parameter setting. Results clearly show that, starting from a single event, the proposed methodology builds graphs with hundreds of nodes. Note how the number of elements grows consistently when selecting less restrictive thresholds for MinSupport and minPopularity. The number of elements is indeed very large for c3, where thousands of nodes are included in the CGs. This hurts the amount of information offered to the security analyst (see Fig. 6(a) for instance). c2 offers a good trade-off between descriptiveness and richness of the final CG.

Fig. 7 shows the average number of nodes in Seed-CGs according to the selected snapshot size, ∆, for the parameter set c2. As expected, CGs contain only the seed event and few other nodes when selecting a small ∆, e.g., lower than 1 min. On the other hand, the number of nodes increases with the snapshot size, peaking at more than 200 nodes on average with a 60 min snapshot. Interestingly, the number of object-paths and hostnames does not increase dramatically with higher ∆, proving the effectiveness of the Common Patterns Mining technique. The only node type showing higher inflation is the Server IP address, owing to malicious activities poking benign infrastructures hosted on Content Delivery Networks (CDNs).

2 VirusTotal:

TABLE II. Average number of nodes included in the final Seed-CGs for the three parameter sets.

Type    Object-path  Hostname  Server IP  Dst-port TCP  Dst-port UDP  DNS error  Total
c1              6.6       7.0       19.9           0.2           2.0        0.3
c2             14.9      16.8       95.9           0.5          27.8        2.4
c3           2351.4     691.5     3423.0          79.9        1335.1       40.4

c1 = {MinSupport=1, minPopularity=1}
c2 = {MinSupport=0.5, minPopularity=1}
c3 = {MinSupport=0, minPopularity=0}

[Fig. 7 residue: axis ticks omitted. Axes: Number of Nodes vs. Snapshot Size ∆ [min]; series: Object Path, Hostname, Server IP, TCP DST Port, UDP DST Port, DNS failures, Total.]

Fig. 7. Average number of nodes in Seed-CGs with different snapshot sizes.

In the following, we provide some examples of CGs covering several types of malware found in our dataset, each presenting different behaviors and network patterns.

A. Cycbot Backdoor Activity

[Fig. 8 residue: node labels (Host_1, Host_6, fast-flux hostnames, object paths) omitted.]

Fig. 8. CG for Cycbot Backdoor Activity backdoor trojan. Notice the fast-flux domain name shuffling (orange circles in the lower-left part), and the IP address detection webpages (top-right) to assess victims' reachability.

Cycbot is a backdoor trojan that allows cyber-criminals to access infected computers remotely. This causes victims' hosts to be exploited by malicious adversaries for large-scale attacks, and leads to potential leakage of personal sensitive information. Fig. 8 shows the CG of the event */ logo.png for which our oracle raises an alarm. Interestingly, more than 80 hostnames seem to serve the malicious file logo.png (cloud of orange circles in Fig. 8). All those hostnames have a third-level domain name made of random strings of both letters and digits, which are hard to match with regular expressions. This technique, known as fast-flux, allows attackers to hide malicious infrastructures by generating hostnames that are registered in the DNS and removed shortly afterwards, at a high frequency. This makes detection harder, circumvents blacklisting, and guarantees longer reachability of the infrastructure. Considering only second-level domains, the number of hostnames drops to 10, each presenting an appealing name acting as a lure for potential victims, e.g., faststorageonline.com,,, etc. The entire set of domain names is hosted on few servers, mapping to 5 IP addresses. Those IPs are not organized in a structured CDN and do not belong to the same subnet, suggesting the use of infected machines scattered across the network. The right part of Fig. 8 includes some benign objects. While those may seem false positives, this is not the case. Looking closer at the top of Fig. 8, it is easy to realize that the contacted websites host services aimed at the discovery of the public IP address of the host. Such behavior is coherent with the intent of the malware we are facing. Being a backdoor trojan, the infected client has to be reachable by the cybercriminals, but connectivity issues, e.g., hosts behind NATs or firewalls, might preclude the reachability of the victim.

Looking at the bottom-right part of the CG, we observe that the malware is checking Internet connectivity by visiting the homepage, another test run by the malware to gather connectivity properties of the victim.
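The checks walked through for Fig. 8, as an added example that is not the authors' code: collapse the hostnames serving the flagged object to second-level domains, count the servers behind them and the /24 subnets those servers fall in, and flag third-level labels that interleave letters and digits. The interleaving heuristic is an assumption of this example, the second-level collapse ignores public suffixes, and every hostname except faststorageonline.com and every IP address is constructed.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed (hostname, server IP) edges for the hostnames serving the flagged
# object. Only faststorageonline.com appears in the paper; the rest is made up
# and uses documentation address ranges.
SAMPLE_EDGES = [
    ("k7x2q9.faststorageonline.com", "192.0.2.10"),
    ("a1b2c3d.faststorageonline.com", "198.51.100.20"),
    ("zz9q1y.faststorageonline.com", "203.0.113.30"),
    ("p0o9i8u.fast-backup-cloud.example", "192.0.2.10"),
    ("m4n5b6.fast-backup-cloud.example", "192.0.2.11"),
    ("q2w3e4r.free-hosting-now.example", "198.51.100.20"),
    ("x9y8z7.free-hosting-now.example", "203.0.113.30"),
]


def second_level(hostname):
    """Collapse a hostname to its second-level domain (last two labels).
    Assumption: no public-suffix handling, so names under e.g. co.uk need care."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])


def looks_random(label):
    """Heuristic for the generated labels seen in the Cycbot and Dromedan
    cases: letters and digits interleaved, i.e. at least two letter/digit
    switches inside one label. 'www' and 'mail2' pass, 'k7x2q9' is flagged."""
    switches = sum(1 for a, b in zip(label, label[1:]) if a.isdigit() != b.isdigit())
    return (any(c.isalpha() for c in label)
            and any(c.isdigit() for c in label)
            and switches >= 2)


def summarize_infrastructure(edges):
    """Return the numbers an analyst checks for fast-flux hosting: many
    hostnames with random subdomains, few second-level domains, few servers,
    and servers scattered over unrelated /24 subnets rather than one CDN."""
    hostnames = {h for h, _ in edges}
    ips_by_sld = defaultdict(set)
    for h, ip in edges:
        ips_by_sld[second_level(h)].add(ip)
    ips = {ip for _, ip in edges}
    subnets = {ip_network(f"{ip}/24", strict=False) for ip in ips}
    random_hosts = {h for h in hostnames
                    if any(looks_random(lbl) for lbl in h.split(".")[:-2])}
    return {
        "hostnames": len(hostnames),
        "random_subdomains": len(random_hosts),
        "second_level_domains": len(ips_by_sld),
        "server_ips": len(ips),
        "subnets_24": len(subnets),
        "ips_per_sld": {sld: sorted(v) for sld, v in ips_by_sld.items()},
    }


if __name__ == "__main__":
    for key, value in summarize_infrastructure(SAMPLE_EDGES).items():
        print(f"{key}: {value}")
```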

[Fig. 9 and Fig. 10 residue: node labels omitted. Fig. 9 nodes include Non-Existent Domain, /webhp and /ADSAdClient31.dll; Fig. 10 nodes are URLs ending in /instal/file.php, most of them under wp-content/themes/.]

B. Downloader.Dromedian Communication
Fig. 9. CG for Downloader.Dromedian Communication trojan horse. Notice the presence of legitimate nodes being contacted by malware.

Downloader.Dromedan is a trojan horse that runs silently on the victim's host, downloading and executing additional threats. This malware connects to remote malicious infrastructures and C&C networks in order to fetch and execute additional malware and potentially unwanted programs (PUPs). In most cases, it causes the redirection of ordinary web surfing traffic to malicious websites through the installation of toolbars in web browsers. Such toolbars force the user to visit certain content in order to generate profit for malicious attackers. Fig. 9 shows the CG of the malicious event run/ fox.php, which triggers the alarm related to Downloader.Dromedian in our reference IDS. Two clients are infected and, in addition to the seed (red arrows), they both connect to webhp repeatedly. While the Google webpage is not malicious per se, it appears frequently because of PUPs related to the Conduit search hijacker. Several unwanted toolbars like Delta Search Toolbar, Social Search Toolbar, and Internet Helper Toolbar are related to Conduit search, and cause Google Webhp redirects by hijacking the browser settings. Looking at the top-right part of the CG, infected clients query three hostnames causing an error at the DNS resolver side, owing to the fact that the two exploited hosts try to connect to the remote malicious infrastructure. Our suspicion about this event is reinforced by the similarity of the queried hostnames with the successful one (i.e.,, and by the presence of numbers interleaved with characters in a random fashion, possibly trying to avoid blacklisting.

C. Mass Injection Website

[Fig. 10 residue: node label Server Failure omitted.]

Fig. 10. CG for Mass Injection Website attack. Notice all URLs containing "wp-content", suggesting a WordPress vulnerability being exploited by malicious adversaries. Victims are forced into a redirection chain through websites hosting Exploit Kits.

The Mass Injection Website attack does not target the host of the victim directly, but leverages vulnerabilities of legitimate websites to inject malicious scripts and hidden iframes. In turn, users visiting compromised websites are victims of a redirection chain that forces them to visit third-party websites hosting Exploit Kits. Such Exploit Kits target potential vulnerabilities at the client side, so that once the victim lands on the effective Exploit Kit, her machine gets infected as well. Fig. 10 shows the network behavior of two hosts being victims of the Mass Injection exploitation. Our oracle considers malicious only the seed wp-content/ instal/ file.php, but our CG is populated with other URLs all terminating with /instal/ file.php. Interestingly, many of those URLs also include the substring wp-content, suggesting an exploited vulnerability in the WordPress blogging tool. Our suspicion is confirmed by the fact that both victim hosts exhibit the same identical behavior towards all the URLs depicted in the CG. The volume of issued requests is identical, and, considering the contacted URLs in a temporal sequence, it is possible to clearly spot repeated patterns over time, i.e., both hosts visit the other URLs in a deterministic way. Moreover, such web pages host different kinds of content, ranging from newscasts to music festivals and healthcare. Thus, it is almost impossible that two users visit the same pages, the same number of times, in the same order. This confirms an ongoing automated web scan the user is not aware of.

VII.


The increased ability of malware to spread and infect computers has led to vast amounts of research attempting to identify malware using the network traffic it generates. The work presented here is related to malware detection through graph-based approaches and multi-protocol traffic correlation.

Graph-based Malware Detection: In [9], the authors build a bipartite graph consisting of domain names of failed DNS queries and the hosts issuing such queries. The intuition is that hosts infected by the same malware usually query for the same (or similar) set of domain names. Similarly, [10] proposes to build a relationship graph based on DNS historical data. In this context, suspicious networks are identified by means of two graph measures: graph density and eigenvector centrality. In [11], malicious hosts are detected using a semi-supervised, score-propagation algorithm that utilizes an HTTP communication graph and flow information. All these approaches restrict their efforts to a specific protocol to identify the suspicious graph entities. Alternatively, our system uses the data gathered from multiple protocols to create the CG on which the malware patterns are identified.

Multi-protocol Traffic Correlation: Many efforts have focused on the analysis of a single protocol to identify patterns displayed by malware. The popularity of HTTP has made it the preferred protocol for malware creators and, as such, the target for researchers to analyze and detect malware. [12] presents a system to identify malicious drive-by download activities by exposing the distribution networks necessary to distribute malware. Similarly, [13], [14] propose classifiers based on features from web domains and URLs. Systems that analyze the DNS protocol usually look at failed DNS queries [15], [10], as this activity can reveal the existence of malware using domain generation algorithms (DGAs). The problem with systems relying on a single protocol is their limited scope, as malware can switch among protocols, and the required semantic understanding of the particular protocol considered. In comparison, a seminal work evaluating multiple protocols is [16], where the lifecycle of botnets is modeled according to a set of phases. An interesting approach is used in [17], [18], where network traffic is represented through generic packet information such as length sequences and encoding differences, allowing the malware activity observed in different protocols to be represented. All of these multi-protocol approaches have the limitation of targeting specific types of malware. Our approach is instead general and encompasses different malicious activities. We propose a graph-based approach that extracts the behavioral commonalities from multiple clients with a seed event in common.

VIII. CONCLUSIONS

We presented a system able to identify and correlate network events with malicious traffic. Starting from a seed, i.e., an alarm raised by a reference IDS, our system leverages both spatial and temporal recurrence of events and frames them in a Network Connectivity Graph, that is, a focused representation of the malicious activities over multiple network layers. In contrast to other security tools, which often provide atomic information on malicious attacks, our system delivers an enriched set of network activities related to malicious software running on victims' hosts. Specifically, it is capable of spotting interactions between malicious and legitimate infrastructures, increasing the knowledge on the incident. We showed our approach is effective against different classes of malware, each showing peculiar behaviors and network patterns. In all cases, it provided a rich and interpretable characterization of the malicious activity, facilitating the understanding of malicious attacks and supporting the forensic activity of the security analyst.
REFERENCES

[1] Imperva, “Assessing the effectiveness of antivirus solutions,” Assessing the Effectiveness of Antivirus Solutions.pdf, 2012.
[2] R. Perdisci, I. Corona, D. Dagon, and W. Lee, “Detecting malicious flux service networks through passive analysis of recursive DNS traces,” in Proc. of the Annual Computer Security Applications Conference (ACSAC ’09), 2009, pp. 311–320.
[3] M. Cova, C. Kruegel, and G. Vigna, “Detection and analysis of drive-by-download attacks and malicious JavaScript code,” in Proc. of WWW, 2010.
[4] P.-N. Tan, M. Steinbach, and V. Kumar, Introduction to Data Mining, 2nd ed. Addison-Wesley, 2013.
[5] D. Gunopulos, R. Khardon, H. Mannila, S. Saluja, H. Toivonen, and R. S. Sharma, “Discovering all most specific sentences,” ACM Transactions on Database Systems (TODS), vol. 28, no. 2, pp. 140–174, 2003.
[6] F. Pan, G. Cong, A. K. Tung, J. Yang, and M. J. Zaki, “Carpenter: Finding closed patterns in long biological datasets,” in Proc. of the 9th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. ACM, 2003, pp. 637–642.
[7] R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, and T. Berners-Lee, “Hypertext transfer protocol - HTTP/1.1,” Tech. Rep., 2006.
[8] P. Mockapetris, “Domain names - concepts and facilities,” Tech. Rep., 2003.
[9] N. Jiang, J. Cao, Y. Jin, L. Li, and Z.-L. Zhang, “Identifying suspicious activities through DNS failure graph analysis,” in Proc. of the 18th IEEE International Conference on Network Protocols (ICNP), 2010, pp. 144–153.
[10] Y. Nadji, M. Antonakakis, R. Perdisci, and W. Lee, “Connected colors: Unveiling the structure of criminal networks,” in Research in Attacks, Intrusions, and Defenses. Springer, 2013, pp. 390–410.
[11] L. Liu, S. Saha, R. Torres, J. Xu, P.-N. Tan, A. Nucci, and M. Mellia, “Detecting malicious clients in ISP networks using HTTP connectivity graph and flow information,” in Proc. of the IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining (ASONAM), 2014, pp. 150–157.
[12] L. Invernizzi, S. Miskovic, R. Torres, S. Saha, S.-J. Lee, C. Kruegel, and G. Vigna, “Nazca: Detecting malware distribution in large-scale networks,” in Proc. of the ISOC Network and Distributed System Security Symposium (NDSS ’14), Feb. 2014.
[13] P. K. Manadhata, S. Yadav, P. Rao, and W. Horne, “Detecting malicious domains via graph inference,” in ESORICS 2014. Springer, 2014, pp. 1–18.
[14] A. Le, A. Markopoulou, and M. Faloutsos, “PhishDef: URL names say it all,” in Proc. of the 30th IEEE International Conference on Computer Communications, 2011, pp. 191–195.
[15] M. Antonakakis, R. Perdisci, Y. Nadji, N. V. II, S. Abu-Nimeh, W. Lee, and D. Dagon, “From throw-away traffic to bots: Detecting the rise of DGA-based malware,” in Proc. of the USENIX Security Symposium, 2012, pp. 491–506.
[16] G. Gu, P. Porras, V. Yegneswaran, M. Fong, and W. Lee, “BotHunter: Detecting malware infection through IDS-driven dialog correlation,” in Proc. of the 16th USENIX Security Symposium, 2007, pp. 12:1–12:16.
[17] C. J. Dietrich, C. Rossow, and N. Pohlmann, “CoCoSpot: Clustering and recognizing botnet command and control channels using traffic analysis,” Computer Networks, vol. 57, no. 2, pp. 475–486, 2013.
[18] J. François, S. Wang, R. State, and T. Engel, “BotTrack: Tracking botnets using NetFlow and PageRank,” in NETWORKING 2011. Springer, 2011, pp. 1–14.