MORTON: Detection of Malicious Routines in Large-Scale DNS Traffic

08/05/2020
by Hen Tzaban, et al.

In this paper, we present MORTON, a system that identifies compromised enterprise devices (bots) without relying on malicious domain name detection. To achieve this goal, MORTON processes the DNS requests made by enterprise devices in order to identify routine communication with disreputable host names. With its compact representation of the input data and its use of efficient signal processing and a neural network for classification, MORTON is designed to be accurate, robust, and scalable. We evaluate MORTON on a large dataset of corporate DNS logs and compare it to two recently proposed systems aimed at detecting malware communication. The results show that while MORTON's accuracy is comparable to that of the two systems for beaconing detection, it outperforms them in its ability to detect sophisticated bot communication techniques such as multi-stage channels, as well as in robustness and efficiency. MORTON was also deployed to monitor real-world DNS traffic from nine enterprises worldwide over the course of 30 days. The real-world results include previously unreported threats and a low false positive rate, demonstrating the effectiveness of MORTON in real-world, unlabelled environments.
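The core idea in the abstract, treating each device's DNS requests for a given host name as a time series and scoring how routine that series is, can be illustrated without the paper's full pipeline. The example below is an added illustration, not MORTON's code and not the authors' method: it bins a constructed DNS request log into a compact per-(client, hostname) count vector and flags streams whose autocorrelation has a strong peak at some lag, which is the signal a fixed-interval beacon produces. The log format, the client addresses, the host names and the 10-minute beacon are all constructed for the example, and the disreputability check on the host name that MORTON applies is omitted here; the neural-network classifier is likewise replaced by a plain threshold.

```python
"""Periodicity check for per-device DNS query streams (added illustration).

Not MORTON's code: it shows one simple way to turn a DNS request log into a
compact per-(client, hostname) time series and to score how "routine" that
series is with an autocorrelation peak. Hostnames, client addresses and the
log lines below are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BIN_SECONDS = 60          # one-minute bins
WINDOW_BINS = 120         # two-hour analysis window
WINDOW_START = datetime(2020, 5, 8, 8, 0, 0)  # constructed window start


def _make_logs():
    """Construct sample log lines of the form "<iso-timestamp> <client> <hostname>".

    10.0.0.5 resolves sync.example-cdn.net exactly every ten minutes (a
    beacon); 10.0.0.9 resolves www.example.org at irregular minutes.
    """
    lines = []
    for m in range(0, WINDOW_BINS, 10):
        t = WINDOW_START + timedelta(minutes=m)
        lines.append(f"{t.isoformat()} 10.0.0.5 sync.example-cdn.net")
    for m in (3, 7, 19, 31, 44, 58, 77, 101):
        t = WINDOW_START + timedelta(minutes=m)
        lines.append(f"{t.isoformat()} 10.0.0.9 www.example.org")
    return lines


LOG_LINES = _make_logs()   # constructed sample input


def build_series(log_lines, window_start, bin_seconds=BIN_SECONDS, window_bins=WINDOW_BINS):
    """Bin requests into a fixed-length count vector per (client, hostname)."""
    series = defaultdict(lambda: [0] * window_bins)
    for line in log_lines:
        ts, client, host = line.split()
        offset = (datetime.fromisoformat(ts) - window_start).total_seconds()
        idx = int(offset // bin_seconds)
        if 0 <= idx < window_bins:          # drop requests outside the window
            series[(client, host.lower().rstrip("."))][idx] += 1
    return dict(series)


def autocorrelation(x):
    """Normalised autocorrelation r[lag] for lag = 0..len(x)-1 (r[0] == 1)."""
    n = len(x)
    mean = sum(x) / n
    var = sum((v - mean) ** 2 for v in x)
    if var == 0:
        return [0.0] * n   # constant series carries no timing structure
    return [
        sum((x[i] - mean) * (x[i + lag] - mean) for i in range(n - lag)) / var
        for lag in range(n)
    ]


def dominant_period(x, min_lag=2):
    """Return (lag, score) of the strongest autocorrelation peak below n/2."""
    acf = autocorrelation(x)
    best_lag, best_score = None, 0.0
    for lag in range(min_lag, len(acf) // 2):
        if acf[lag] > best_score:
            best_lag, best_score = lag, acf[lag]
    return best_lag, best_score


def find_routine_channels(log_lines, window_start, min_queries=6, min_score=0.5):
    """Map (client, hostname) -> (period_seconds, score) for routine streams."""
    found = {}
    for key, x in build_series(log_lines, window_start).items():
        if sum(x) < min_queries:
            continue          # too sparse to judge within this window
        lag, score = dominant_period(x)
        if lag is not None and score >= min_score:
            found[key] = (lag * BIN_SECONDS, round(score, 2))
    return found


if __name__ == "__main__":
    for (client, host), (period, score) in find_routine_channels(LOG_LINES, WINDOW_START).items():
        print(f"{client} -> {host}: period {period}s, score {score}")
```

Run as a script, the beaconing pair is reported with a 600-second period and a score near 0.92, while the irregular stream never exceeds the threshold. In practice the fixed threshold is the weak point: beacons with randomised jitter smear the autocorrelation peak across neighbouring lags, and benign software updaters beacon too, which is why the abstract pairs the timing signal with host-name reputation and a learned classifier rather than a single cut-off.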

