Unsupervised learning techniques for malware characterization


Abstract

This article details data science research in the area of Cyber Threat Intelligence applied to a specific type of Distributed Denial of Service (DDoS) attack. We study a DDoS technique prevalent in the Domain Name System (DNS) for which little malware has been recovered. Using data from a globally distributed set of passive collectors (pDNS), we create a statistical classifier to identify these attacks and then use unsupervised learning to investigate the attack events and the malware that generates them. The first known major study of this technique, this work demonstrates that current attacks have little resemblance to earlier published descriptions and identifies several features of the attacks. Through a combination of text and time-series features, we are able to characterize the dominant malware and demonstrate that the number of global-scale attack systems is relatively small.

Burton, R. (2020). Unsupervised learning techniques for malware characterization. Digital Threats: Research and Practice, 1(3). https://doi.org/10.1145/3377869