Computer Networks 100 (2016) 28–44
Mining agile DNS traffic using graph analysis for cybercrime detection
Andreas Berger a,∗, Alessandro D’Alconzo e, Wilfried N. Gansterer b, Antonio Pescapé c,d
a Telecommunications Research Center Vienna, Vienna, Austria
b University of Vienna, Faculty of Computer Science, Vienna, Austria
c Electrical Engineering and Information Technology Department of University of Napoli Federico II, Napoli, Italy
d NM2 srl, Napoli, Italy
e Austrian Institute of Technology, Vienna, Austria
Article info
Article history:
Received 30 April 2015
Revised 22 December 2015
Accepted 1 February 2016
Available online 15 February 2016
Keywords:
Cybercrime detection
Traffic analysis
DNS
Graph analysis
Network monitoring
Abstract
We consider the analysis of network traffic data for identifying highly agile DNS patterns, which are widely considered indicative of cybercrime. In contrast to related approaches, our methodology is capable of explicitly distinguishing between the individual, inherent agility of benign Internet services and that of criminal sites. Although some benign services use a large number of addresses, they are confined to a subset of IP addresses, due to operational requirements and contractual agreements with certain Content Distribution Networks. We discuss DNSMap, a system which analyzes observed DNS traffic and continuously learns which FQDNs are hosted on which IP addresses. Any significant changes over time are mapped to bipartite graphs, which are then further pruned for cybercrime activity. Graph analysis enables the detection of transitive relations between FQDNs and IPs, and reveals clusters of malicious FQDNs and the IP addresses hosting them. We developed a prototype system which is designed for realtime analysis, requires no costly classifier retraining, and needs no excessive whitelisting. We evaluate our system using large data sets from an ISP with several 100,000 customers, and demonstrate that even moderately agile criminal sites can be detected reliably and almost immediately.
© 2016 Elsevier B.V. All rights reserved.
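To make the pipeline sketched in the abstract concrete, the following is an added illustration (not the DNSMap code of the authors) of its core idea: learn which IPs each FQDN has been seen on, treat every previously unseen FQDN-to-IP mapping as a change edge in a bipartite graph, and use connected components to expose transitive relations between names that never resolve to the same address directly but are linked through shared intermediaries. The hostnames and addresses are constructed for illustration, and the single "many names on many addresses" cluster filter stands in for the paper's pruning stage, which is an assumption of this example rather than the paper's method.

```python
from collections import defaultdict

# Constructed sample of observed DNS answers (fqdn, ip) in arrival order.
# The names and addresses are invented for this example.
OBSERVATIONS = [
    ("cdn.example-shop.net", "198.51.100.10"),
    ("cdn.example-shop.net", "198.51.100.11"),  # benign: a single name on a few CDN IPs
    ("cdn.example-shop.net", "198.51.100.10"),  # repeat -> no change
    ("a1.bad-example.org", "203.0.113.5"),
    ("a1.bad-example.org", "203.0.113.77"),
    ("b2.bad-example.biz", "203.0.113.77"),     # shares an IP with a1 -> transitive link
    ("b2.bad-example.biz", "203.0.113.99"),
    ("c3.bad-example.info", "203.0.113.99"),
    ("c3.bad-example.info", "203.0.113.5"),     # closes the loop: a1, b2, c3 form one cluster
]

class DNSMapper:
    """Learns FQDN->IP mappings; new mappings become edges of a bipartite change graph."""
    def __init__(self):
        self.known = defaultdict(set)   # fqdn -> IPs already seen for it
        self.parent = {}                # union-find over nodes "F:<fqdn>" and "I:<ip>"

    def _find(self, node):
        self.parent.setdefault(node, node)
        while self.parent[node] != node:         # path halving keeps lookups cheap
            self.parent[node] = self.parent[self.parent[node]]
            node = self.parent[node]
        return node

    def observe(self, fqdn, ip):
        """Record one answer; return True if it is a change (a mapping not seen before)."""
        if ip in self.known[fqdn]:
            return False
        self.known[fqdn].add(ip)
        # Add the edge fqdn -- ip to the change graph by merging the two components.
        self.parent[self._find("F:" + fqdn)] = self._find("I:" + ip)
        return True

    def clusters(self, min_fqdns=2, min_ips=2):
        """Return (fqdns, ips) per connected component that spans enough names AND addresses.

        A lone name on several IPs (typical CDN use) is dropped; a group of names that
        hop across a shared pool of IPs survives, which is the agility pattern of interest."""
        comps = defaultdict(lambda: (set(), set()))
        for node in self.parent:
            kind, name = node[0], node[2:]
            comps[self._find(node)][0 if kind == "F" else 1].add(name)
        return [c for c in comps.values() if len(c[0]) >= min_fqdns and len(c[1]) >= min_ips]

if __name__ == "__main__":
    m = DNSMapper()
    for fqdn, ip in OBSERVATIONS:
        m.observe(fqdn, ip)
    for fqdns, ips in m.clusters():
        print("cluster:", sorted(fqdns), "hosted on", sorted(ips))
```

In a real deployment the change edges would be accumulated per time window and aged out, so that a one-off CDN migration does not persist in the graph indefinitely.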
1. Introduction
A recent report by Norton estimates the global annual cost of cybercrime as 113 Billion US$, with 378 Million victims per year [1]. Although a multitude of advanced detection (e.g., malware scanners) and mitigation (e.g., firewalls) techniques are available and the expenses for defense mechanisms are significant, the problem is clearly not under control. This is fundamentally related to the vulnerability of Internet end-users, who fall victim to automated attacks in vast numbers.
∗ Corresponding author. Tel.: +43 1505283030. E-mail address: andreas.berger@alumni.tugraz.at (A. Berger).
For example, users are lured into visiting malicious exploit sites, which in turn install malware on their machines (drive-by-downloads). This enables criminals to steal sensitive data directly from infected machines and to extort money from the victims, e.g., by threatening to block access to their data [2]. Even worse, remotely controlled, malware-infected machines (i.e., bots) serve as all-purpose platforms (i.e., botnets), and are, e.g., used for Distributed Denial of Service (DDoS) attacks and spamming campaigns.
In this paper we aim at detecting malicious websites by monitoring DNS traffic in access networks. We exploit the fact that these sites are required to be stealthy and reliably available at the same time. For example, exploit sites need to be well-reachable by the targeted users, to
http://dx.doi.org/10.1016/j.comnet.2016.02.009
1389-1286/© 2016 Elsevier B.V. All rights reserved.