CC-Tracker: Interaction Profiling Bipartite Graph Mining for Malicious Network Activity Detection

Malicious domain names are useful for cybercrime, but can be easily blocked by blacklists. To avoid a single point of failure, cybercriminals use domain generation algorithm to generate a large number of malicious domains. Once the victim's machine is infected with malware, the malware tends to connect to malicious domain names to commit cybercrimes, such as waiting for remote control commands or sending malware feedback. Therefore, how to detect these malicious connections has been a hot research topic in information security. In this paper, a new method of tracking malicious domain and victim machine by scalability system named CC-Tracker (Cyber Criminal Tracker) based on HTTP is presented. CC-Tracker extracts 12 features from HTTP traffic using MapReduce framework based Interaction Profiling Bipartite Graph mining. Experimental results show that CC-Tracker can reach 99% AUC in the evaluation benchmark. In addition in the deployment environment found new malicious domain of network traffic, and dig out the hidden in the enterprise, the victims of the machine these malicious domain are a threat to other online reputation system can't identify. The scalability and applicability of CC-Tracker are demonstrated by experiments on the real-world environment.