TWC: Medium: Collaborative: HIMALAYAS: Hierarchical Machine Learning Stack for Fine-Grained Analysis of Malware Domain Groups

TWC：媒介：协作：HIMALAYAS：用于恶意软件域组细粒度分析的分层机器学习堆栈

• 批准号: 1314956
• 负责人: Vinod Yegneswaran
• 金额: $ 59.61万
• 依托单位: SRI International
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2013
• 资助国家: 美国
• 起止时间: 2013-10-01 至 2018-09-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1314956&HistoricalAwards=false
• 关键词: TWC; Medium; Collaborative; HIMALAYAS; Hierarchical

The domain name system (DNS) protocol plays a significant role in operation of the Internet by enabling the bi-directional association of domain names with IP addresses. It is also increasingly abused by malware, particularly botnets, by use of: (1) automated domain generation algorithms for rendezvous with a command-and-control (C&C) server, (2) DNS fast flux as a way to hide the location of malicious servers, and (3) DNS as a carrier channel for C&C communications. This project explores the development of a scalable, hierarchical machine-learning stack, called HIMALAYAS, which specializes in algorithms for automatically mining DNS data for malware activity. In particular, we are interested in isolating both ordered and unordered sets of malware domain groups whose access patterns are temporally and logically correlated. HIMALAYAS performs a task of increasing complexity at each level - starting from scalable clustering and feature selection at lower levels, to more advanced malware domain subsequence identification algorithms at higher levels. It has multiple benefits, including speed, accuracy, interpretability, and ability to use domain knowledge, which makes it very well suited for malware analysis and related tasks. The analysis by HIMALAYAS should accelerate the identification and takedown of malware domains on the Internet and improve services such as Google SafeSearch. The machine-learning stack developed as part of the HIMALAYAS project has broader application to many important data mining problems, e.g., in financial data analysis, and mining user patterns from web access logs. The project provides opportunities for students to participate in the development and transition of the technology.

域名系统(DNS)协议通过实现域名与IP地址的双向关联，在互联网的运行中扮演着重要的角色。恶意软件，特别是僵尸网络，也越来越多地滥用它：(1)用于与指挥与控制(C&amp；C)服务器会合的自动域生成算法，(2)作为隐藏恶意服务器位置的方式的域名快速流动，以及(3)作为C&amp；C通信的载体通道的域名。这个项目探索了一个可扩展的、层次化的机器学习堆栈的开发，称为喜马拉雅，它专门研究自动挖掘恶意软件活动的DNS数据的算法。特别是，我们感兴趣的是隔离访问模式在时间和逻辑上相关的恶意软件域组的有序和无序集合。喜马拉雅在每个级别上执行的任务都越来越复杂--从较低级别的可伸缩集群和特征选择开始，到较高级别的更高级恶意软件域子序列识别算法。它具有多个优点，包括速度、准确性、可解释性和使用领域知识的能力，这使得它非常适合恶意软件分析和相关任务。喜马拉雅的分析应该会加速识别和拆除互联网上的恶意软件域名，并改进谷歌安全搜索等服务。作为喜马拉雅项目的一部分开发的机器学习堆栈在许多重要的数据挖掘问题上有更广泛的应用，例如在金融数据分析和从网络访问日志中挖掘用户模式。该项目为学生提供了参与技术开发和过渡的机会。