SiegeCannon: Detecting Malicious Infrastructures by Analyzing Integral Characteristics of Involved Server Flocks

2020 
Cybercriminals now tend to run malicious campaigns on dynamic infrastructures consisting of multiple controlled servers, because such infrastructures are resilient to security enforcement. Although many researchers have worked on combating malicious domains or servers, they typically focus on a single node rather than the entire infrastructure, so their detection can be circumvented simply by discarding the detected node and recruiting a new one. In this paper, we propose a novel system, SiegeCannon, that extracts and classifies malicious infrastructures by analyzing anomalies in both their internal relationships and their external traffic patterns. The approach is motivated by the observation that a malicious infrastructure is formed by a set of orchestrated servers and domains which, in most cases, are requested only by compromised clients. SiegeCannon employs a dependence graph to model the interactions among servers in a monitored network. A pruning algorithm then extracts flocks of closely related servers as candidate infrastructures for further investigation. Finally, SiegeCannon trains a classification model on three types of features, drawn from graph structure, node traffic and flock behavior, respectively. We build a prototype of SiegeCannon and evaluate it on traffic from a large ISP network; the results show its efficacy and effectiveness.
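As an added illustration (not code from the SiegeCannon paper or its prototype), the following builds a server dependence graph from constructed client-to-server flows, prunes it to flocks of servers contacted together, and derives flock-level features. The pruning rule (minimum number of shared clients, maximum server popularity) and the feature set are assumptions, since the abstract does not specify them.

```python
from collections import defaultdict
from itertools import combinations
# Constructed sample flows (client, server) seen in a monitored network; not real data.
FLOWS = [("c1", "cdn.example"), ("c2", "cdn.example"), ("c3", "cdn.example"),
         ("c1", "mail.example"), ("c2", "mail.example"), ("c3", "mail.example"),
         # two compromised clients contacting the same small set of orchestrated servers
         ("c4", "srv-a.test"), ("c4", "srv-b.test"), ("c4", "srv-c.test"),
         ("c5", "srv-a.test"), ("c5", "srv-b.test"), ("c5", "srv-c.test")]

def build_dependence_graph(flows):
    """Nodes are servers; edge weight (s, t) = number of clients that contacted both."""
    servers_of, clients_of = defaultdict(set), defaultdict(set)
    for client, server in flows:
        servers_of[client].add(server)
        clients_of[server].add(client)
    weight = defaultdict(int)
    for servers in servers_of.values():
        for s, t in combinations(sorted(servers), 2):
            weight[(s, t)] += 1
    return dict(weight), dict(clients_of), len(servers_of)

def prune(weight, clients_of, n_clients, min_shared=2, max_popularity=0.5):
    """Assumed rule: keep edges shared by enough clients whose endpoints are not popular."""
    pop = {s: len(c) / n_clients for s, c in clients_of.items()}
    return {(s, t): w for (s, t), w in weight.items()
            if w >= min_shared and max(pop[s], pop[t]) <= max_popularity}

def extract_flocks(edges):
    """Connected components of the pruned graph are the candidate infrastructures."""
    flocks = []
    for s, t in edges:
        merged = {s, t}
        for g in [g for g in flocks if g & merged]:  # absorb every flock touching the edge
            merged |= g
            flocks.remove(g)
        flocks.append(merged)
    return [frozenset(f) for f in flocks]

def flock_features(flock, edges, clients_of, n_clients):
    """Flock-level features for a classifier: size, edge density, mean client share."""
    n = len(flock)
    internal = sum(1 for s, t in edges if s in flock and t in flock)
    return {"size": n, "density": internal / (n * (n - 1) / 2),
            "mean_popularity": sum(len(clients_of[s]) for s in flock) / (n * n_clients)}

def candidate_infrastructures(flows=FLOWS):
    weight, clients_of, n_clients = build_dependence_graph(flows)
    edges = prune(weight, clients_of, n_clients)
    return [(sorted(f), flock_features(f, edges, clients_of, n_clients))
            for f in extract_flocks(edges)]
```

On the constructed flows the popular cdn/mail pair is pruned despite sharing three clients, while the three srv-*.test servers survive as one fully connected flock.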