DOI: 10.1145/3630590.3630600
Research article

Unraveling Threat Intelligence Through the Lens of Malicious URL Campaigns

Published: 12 December 2023

Abstract

The daily deluge of alerts is a sombre reality for Security Operations Centre (SOC) personnel worldwide. Those on the front lines of cybersecurity face the unenviable task of prioritising threats amongst a flood of URLs found within malicious communications. Timely detection of pertinent patterns within such URLs allows teams to de-escalate threats. This need has traditionally been met with machine-learning log analysis and anomaly detection methods. Instead, we propose to analyse suspicious URLs from the perspective of malicious URL campaigns. By first grouping the URLs within 311M records gathered from VirusTotal into 2.6M suspicious clusters, we thereafter discovered 77.8K malicious campaigns. From those, we found 9.9M unique URLs attributable to 18.3K multi-URL campaigns that had at least 1 URL flagged by a vendor within VirusTotal. Worryingly, our analysis shows that only 2.97% of such campaigns were detected by security vendors. We also offer insights on evasive tactics such as ever lengthier URLs and more diverse domain names, as well as case studies that expose other adversarial techniques. By characterising the campaigns driving these URL alerts, we hope to expose current threat trends and arm the community with greater threat intelligence.


    Published In

    AINTEC '23: Proceedings of the 18th Asian Internet Engineering Conference
    December 2023
    129 pages
    ISBN: 9798400709395
    DOI: 10.1145/3630590

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. Malicious campaigns
    2. SIEM
    3. SOC
    4. Threat intelligence
    5. URLs

    Qualifiers

    • Research-article
    • Research
    • Refereed limited

    Conference

    AINTEC '23
    AINTEC '23: Asian Internet Engineering Conference
    December 12 - 14, 2023
    Hanoi, Vietnam

    Acceptance Rates

    Overall Acceptance Rate 15 of 38 submissions, 39%
