@inproceedings{8113f8561f6f446f863da3b85e949955,
title = "MORTON: Detection of Malicious Routines in Large-Scale DNS Traffic",
abstract = "We present MORTON, a method that identifies compromised devices in enterprise networks based on the existence of routine DNS communication between devices and disreputable host names. With its compact representation of the input data and use of efficient signal processing and a neural network for classification, MORTON is designed to be accurate, robust, and scalable. We evaluate MORTON using a large dataset of corporate DNS logs and compare it with two recently proposed beaconing detection methods aimed at detecting malware communication. The results demonstrate that while MORTON {\textquoteright}s accuracy in a synthetic experiment is comparable to that of the other methods, it outperforms those methods in terms of its ability to detect sophisticated bot communication techniques, such as multistage channels. Additionally, MORTON was the most efficient method, running at least 13 times faster than the other methods on large-scale datasets, thus reducing the time to detection. In a real-world evaluation, which includes previously unreported threats, MORTON and the two compared methods were deployed to monitor the (unlabeled) DNS traffic of two global enterprises for a week-long period; this evaluation demonstrates the effectiveness of MORTON in real-world scenarios where it achieved the highest F1-score.",
keywords = "Botnet, DNS, Neural networks, PSD",
author = "Yael Daihes and Hen Tzaban and Asaf Nadler and Asaf Shabtai",
note = "Publisher Copyright: {\textcopyright} 2021, Springer Nature Switzerland AG.; 26th European Symposium on Research in Computer Security, ESORICS 2021 ; Conference date: 04-10-2021 Through 08-10-2021",
year = "2021",
month = jan,
day = "1",
doi = "https://doi.org/10.1007/978-3-030-88418-5_35",
language = "American English",
isbn = "9783030884178",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
publisher = "Springer Science and Business Media Deutschland GmbH",
pages = "736--756",
editor = "Elisa Bertino and Haya Shulman and Michael Waidner",
booktitle = "Computer Security – ESORICS 2021 - 26th European Symposium on Research in Computer Security, Proceedings",
address = "Germany",
}