Network Connectivity Graph for Malicious Traffic Dissection

Network Connectivity Graph

for Malicious Traffic Dissection

Enrico Bocchi

, Luigi Grimaudo

, Marco Mellia

, Elena Baralis

,

Sabyasachi Saha

, Stanislav Miskovic

, Gaspar Modelo-Howard

, Sung-Ju Lee

?

_{Politecnico di Torino}

_{Symantec, Corp.}

_KAIST

{

name.surname

}

@polito.it

{

name surname

}

@symantec.com

[email protected]

Abstract—Malware is a major threat to security and privacy of network users. A huge variety of malware typically spreads over the Internet, evolving every day, and challenging the research community and security practitioners to improve the effectiveness of countermeasures.

In this paper, we present a system that automatically extracts patterns of network activity related to a specific malicious event,

i.e., aseed. Our system is based on a methodology that correlates

network events of hosts normally connected to the Internet over

(i) time (i.e., analyzing different samples of traffic from the

same host), (ii) space (i.e., correlating patterns across different

hosts), and (iii) network layers (e.g., HTTP, DNS, etc.). The

result is a Network Connectivity Graphthat captures the overall

“network behavior” of the seed. That is a focused and enriched representation of the malicious pattern infected hosts exhibit, purified from ordinary network activities and background traffic. We applied our approach on a large dataset collected in a real commercial ISP where the aggregated traffic produced by more than 20,000 households has been monitored. A commercial IDS has been used to complement network data with alerts related to malicious activities. We use such alerts to trigger our processing system. Results shows that the richness of the Network Connectivity Graph provides a much more detailed picture of malicious activities, considerably enhancing our understanding.

I. INTRODUCTION

Information security over the Internet remains a primary concern for consumers, enterprises, and governments alike. Malware infiltrates and spreads over the Internet hiding its traffic among humongous benign traffic. Cyber-attackers also use sophisticated schemes to modify malware and evade de-tection by security measures. Recent industry reports disclose that existing antivirus software’s detection rate of newly crafted viruses is less than 5% [1]. This creates a de facto arm’s race between security researchers and cyber-attackers.

Practitioners in the field take different approaches to detect malware, which result in a set of methodologies ranging from instruction set and code analysis, to traffic characterization of infected hosts. For instance, a detection rule can be designed by studying the behavior of infected hosts in a controlled

environment (e.g., a honeypot). In this scenario, it is possible

to identify the communication channel with the Command and Control (C&C) network, or define signatures for proprietary and obfuscated protocols used by malicious software.

However, it is generally more complicated to obtain a complete picture of the overall malware behavior due to the evolution of malware itself to circumvent counteractions, and the lack of tools that easily extract facts related to malicious activities. Thus, to obtain a thorough and up to date picture, security specialists are called to a manual and cumbersome analysis of data produced by infected hosts in the wild.

In this paper, we present a methodology to automatically extract detailed network patterns generated by infected hosts. We consider the vantage point offered by a network where the traffic aggregate of thousands of possibly infected hosts flows.

A passive monitoring tool extracts and logs events from the

traffic. An event could be a HTTP request, a DNS response, or simply a TCP flow going to a host using an unknown protocol.

A security monitor,e.g., an Intrusion Detection System (IDS),

analyzes the traffic in parallel, and flags some of the events as malicious, according to a database of already available rules.

These flagged events are the seeds that trigger our analysis.

Given the traffic log and a seed, our system provides a set of “forensic” information to the security analyst for a better understanding of the context in which malicious events take place. Ultimately, it extracts a detailed and complete picture of the malicious activities correlated with the seed event.

Identifying the subset of events that belongs to the same activity is a challenging task as each host generates thousands of events caused by multiple applications running concurrently. For instance, the same host could visit a legitimate web page, poll the mail server, and upload files on a cloud storage service, while a malware is connecting to a C&C node that instructs victims with new malicious instructions. Furthermore, the sequence at which events appear is typically not deterministic

with randomness due to diversity (e.g., two hosts visiting the

same page can fetch objects in a different order), and system

memory (e.g., a DNS request not appearing in the traffic as

the server name has been previously resolved and cached). Our approach is based on a filtering and enrichment process that leverages (i) temporal and (ii) spatial repetitiveness of events generated by different hosts. The intuition is to look for common patterns that are present in different snapshots from the same host, and among different hosts. We explicitly go after repetitive and popular events. In practice, as few as three observations of a malicious seed are enough to trigger our

HTTP event DNS event generic TCP/UDP event click on acme.org obfuscated JS binary download email check failed DNS req. successful domC DNS req. Tra c to domC (C&C) normal browsing activity normal browsing activity email check malicious activity host tra c normal activity time failed DNS req. Tra c to domC (C&C) failed DNS req.

Fig. 1. Example of events generated by a host as seen from the network.

Graph(CG), which models only events highly correlated with the seed, and allows us to easily navigate and extract valuable information using our domain knowledge.

We start from real traffic collected in an operative network where more than 20,000 households are monitored. In a day, more than 336 M events are logged by the passive monitoring tool. A commercial IDS rises alarms for 1,700 unique mali-cious seeds, generating 42,000 events and belonging to more than 150 different threats. Out of those events, about 40,000 (95%) are processed by our system as they show the required properties of repetitiveness. For each seed, we run the filtering and enrichment process. At the end, the information offered in the final CG grows by a factor of 40, i.e., starting from a single seed, which is represented by three nodes in the CG, 160 nodes are present on average in the final CG.

Visual inspection allows us to immediately spot (i) the

ma-licious infrastructure (e.g., the presence of new C&C nodes),

(ii) malicious attacks interfering with legitimate infrastructures

(e.g., the exploitation of benign websites to force the download

of Exploit Kits), and (iii) some evasion techniques adversaries

uses (e.g., the usage of DNS fast-fluxing [2]).

The contributions of our work are as follows:

• We propose a methodology that extracts and represents

the network activity surrounding a malicious seed, which is useful to identify and derive a detailed superset of events correlated to it.

• We take a multi-layer approach that combines the

con-nectivity between different protocol layers to uncover hidden behavior and provide forensic information.

• We offer the information in the form a Network

Connec-tivity Graph, that is a straightforward means to represent the common activity of malicious incidents.

We believe that applications of the CG go beyond the simple visualization of the malicious activity. For instance, signatures of the IDS can be updated and enriched, or the CG can be used as a signature itself to design novel behavioral classifiers able to distinguish between CGs derived from malicious or benign seeds. We leave these contributions as future work.

II. METHODOLOGYOVERVIEW

Before presenting the details of our system, we provide an overview and the intuitions behind its design.

A. Scenario

We consider a scenario in which a sniffer passively monitors

the traffic generated by a large group of hosts, e.g., hosts in

Oth-UDP Oth-TCP time DNS Common Patterns Mining Host Connectivity Graph (Host-CG) Creation Observation Snapshots Extraction snapshot snapshot seed seed HTTP Host traffic

Fig. 2. Host Connectivity Graph generation.

an enterprise network, or households connected to a Point of Presence (POP) of an Internet Service Provider (ISP). The sniffer extracts information from the packets and logs them

in a file where each row corresponds to a different event. We

assume that, for each TCP and UDP connection, the sniffer logs the flow identifier, the timestamp of the first packet, the flow duration, the number of exchanged packets and bytes, etc. For some protocols, the sniffer can provide multiple events with very detailed information. For instance, it could annotate each HTTP request/response with the requested URL, user-agent, content-type, server response status code, etc.

Consider the timeline generated by a host reported in Fig. 1. It details the logged events generated by Internet applications. DNS and HTTP events are reported using specific markers, while other protocols are reported as generic TCP/UDP events.

The user is visiting some web page (e.g., acme.org) while

an email client is polling a mail server for new messages. Normal events are reported in the bottom part of the timeline. Unfortunately, acme.org is hosting a Drive-by Download page. Events on the upper part are due to the malicious activity in which the host is unknowingly fooled to download a malware from a malicious JavaScript contained in the web page. We observe the download of the JavaScript object, followed by the download of the malware. Once running at the host, the malware periodically contacts (via HTTP) a C&C server whose hostname is quickly rotated using fast-flux [2]. The periodic polling is visible in the log as a sequence of (failed and successful) DNS requests, and HTTP traffic to the C&C node. Based on the view of the traffic from all monitored hosts, we design a methodology that extracts and characterizes common network activities. The challenge is how to isolate the events that are possibly correlated with a specific malicious activity from the “background” noise caused by other events.

B. Network Connectivity Graph

Consider a seed and the timeline around it. Intuitively, close-in-time events are likely to be related to it. For instance, in Fig. 1, the DNS request followed by several HTTP requests to the acme.org server could be identified as a typical pattern. However, Drive-by Download attacks [3] can mimic or be hidden in the same behavior. To isolate them, we study snapshots of traffic that contain the specific seeds.

Fig. 2 shows the workflow used to transform the events

of a given host into a Host Connectivity Graph (Host-CG).

Three steps are executed: (i) Snapshots extraction; (ii) Per-layer common patterns mining; and (iii) Host-CG creation.

Algorithm 1 Create Network Connectivity Graph.

input args s: seed H: set of hosts

∆: snapshot duration output Seed Connectivity Graph

1: proceduregraphLayer (s, S, layer):

2: P =findCommonPattern(s, S, layer)

3: returnfromPatternsToGraph(P, layer)

4: procedurehostConnectivityGraph (s, h,∆): 5: S =getSnapshots(s, h,∆) 6: g_{HT T P} =graphLayer(s, S, ’HTTP’) 7: g_{DN S} =graphLayer(s, S, ’DNS’) 8: g_{T CP} =graphLayer(s, S, ’TCP’) 9: g_{U DP} =graphLayer(s, S, ’UDP’) 10: returnconnectLayers(g_{HT T P}, g_{DN S}, g_{T CP}, g_{U DP}) 11: procedureseedConnectivityGraph (s, H,∆): 12: Gs =∅ 13: foreachh∈H: 14: Gs ←hostConnectivityGraph (s, h,∆) 15: returnfuseGraphs(Gs)

Snapshots Extraction. For each instance of the seed, we

ex-tract asnapshotdefined as theorderedset of events occurring

in the temporal window centered at the seed. Two snapshots are presented in Fig. 2 as example.

Common Patterns Mining. We then look for commonalities

across snapshots. In particular, we look for patterns, defined

as the unordered set of events, that appear across multiple

snapshots. Intuitively, the periodic HTTP requests toward the C&C server would possibly be a repeating pattern on the HTTP-layer. On the contrary, the web browsing events asynchronously generated by the host would be present only in a small subset of snapshots.

We extract separate common patterns by processing the host

traffic considering layers in isolation. The traffic generated

on each layer corresponds to all events of a specific protocol

so that HTTP, DNS, other-TCP (i.e., all TCP communication

except HTTP on port 80), and other-UDP (i.e., all UDP

communication except UDP on port 53) events are separately analyzed. This choice originates from the fact that each proto-col has some peculiarities that we would leverage. For instance, in the HTTP layer, we are looking for common and repetitive patterns. On the DNS layer instead, a single failed DNS request may be more interesting than successful DNS requests.

Host Connectivity Graph. For each layer, we represent the common pattern as a graph where nodes and edges are specifically defined to offer a compact yet rich representation. Consider the HTTP-layer. URLs can be represented by sepa-rating server hostnames and object paths using two nodes: An edge between the hostname and the path would thus represent a URL. The resulting graph captures the website structure. For example, acme.org/index.html and acme.org/logo.png are represented with a hostname node (acme.org) and two objects nodes. Similarly, in the DNS layer, the request for acme.org is linked to the IP address(es) returned by the resolver.

i thsnapshot i+1 stsnapshot > T/2 merged snapshot i thsnapshot i+1 stsnapshot < T/2 i thsnapshot i+1 stsnapshot

Fig. 3. Snapshots creation when consecutive snapshots overlap.

As last step, we connect each per-layer graph into a final

Host Connectivity Graph. This is done by adding links across multiple layers. For instance, the acme.org hostname in the HTTP layer is linked to the same node in the DNS layer graph. The resulting graph is a rich and compact representation of the common network activity related to a specific seed and a given host. Each layer brings a specific characterization of the activity given by a protocol, resulting in an overall integration of common patterns. In the previous example, the HTTP layer highlights the common websites hosting the binary download, while the DNS layer reveals failing requests triggered before or after C&C communications. Focusing only on each activity individually would miss such relationship.

Seed Connectivity Graph. We leverage the fact that the same seed may be present in the timeline of different hosts, offering some “spatial” diversity. To have a broader view of the common activity related to a specific seed, we “fuse” multiple

Host-CGs into a single Seed Connectivity Graph (Seed-CG).

As for the common pattern, we have the freedom to choose

between a selective fusion, e.g., retaining only those common

nodes from all Host-CGs, or a permissive fusion,e.g., merging

all nodes from all Host-CGs.

III. BUILDING THECONNECTIVITYGRAPH

The key aspect of the proposed methodology is the approach used to create Network Connectivity Graphs. The pseudo-code in Alg. 1 details this procedure. This section discusses the design choice taken and the parameters to be controlled when creating a network connectivity graph.

A. Snapshots Extraction

The first step to process host traffic is the extraction of the

observation snapshots. We define parameter∆that controls the

duration of the snapshots. In particular, a snapshot is composed

by all events occurring in the interval ±∆/2centered around

the seed. In case consecutive snapshots overlap, we apply two strategies depicted in Fig. 3 to solve the conflict. If

the overlapping window lasts for more than ∆/2, the two

snapshots are merged. Otherwise, the overlap is split into two halves, each associated to a different snapshot. These

operations are executed bygetSnapshots() (Alg. 1 line:5) that

receives the seed (s), a host (h) presenting at least one instance

of the seed, and the snapshot duration (∆) as inputs. It returns

the set of snapshots (S) found.

Different values of∆can lead to different results: the larger

results in less snapshots on which to perform pattern mining, with each presenting “noisy” data since not many events are

filtered. Conversely, a small value of ∆ (e.g., seconds) might

be too conservative. In the following, we set∆= 30 minutes.

A complete sensitivity analysis is reported in Sec. V-B.

B. Common Patterns Mining

We use the frequent itemset mining technique to extract common patterns [4]. This technique works on unordered

sets of simple objects (e.g., strings). Snapshots, however,

correspond to ordered sequences of events that may appear

multiple times. We thus map each event to an itembased on

the event properties. Specifically:

• a HTTP item is represented by the HTTP URLs, e.g.,

http:// domain.com/ path/ file.ext.

• a DNS item combines the requested hostname with

either the list of returned IP addresses, or the query

response code,e.g.,DoesNotExists.com–NXDomain.

• TCP and UDP items are represented by the server IP

address and the port contacted,e.g.,10.20.30.40–443.

For each snapshot, we create a transaction containing the

set ofdistinctitems. We look for commonitemsets,i.e., sets of

items common across multiple transactions. Asupportvalue is

computed for each itemset and indicates the fraction of transac-tions containing the specific itemset. An itemset is “frequent”

if its support is greater than or equal to MinSupport. For a

given support value, the itemset presenting the highest number

of items is said to be closed. The closed attribute implies that

no other itemset made by more items has the same support.

Itemsets with a number of items smaller than MinLength

could be discarded. By settingMinLength=1, frequent itemsets

are equivalent to simple frequent items in terms of

Connectiv-ity Graph elements. ForMinLength=2, at least pairs of items

are considered. For instance, consider acme.org/index.html and acme.org/logo.png that appear in 70% and 45% of snapshots, respectively. The itemset (acme.org/index.html, acme.org/logo. png) may appear from 15% to 45% of snapshots.

Looking for all itemsets is a NP-hard problem [5], but well-known algorithms compute frequent closed itemsets efficiently. Among those, we rely on the Carpenter algorithm [6], which is specifically designed for datasets made of few transactions

(i.e., snapshots) that have a huge number of items (i.e., events).

Our system looks for frequent closed itemsets that, for

simplicity, we callpatterns. Patterns are extracted by

findCom-monPatterns() (Alg. 1 line:2), that receives the seed (s), the

set of snapshots (S) and the layer (layer) to process. It returns

the pattern (P). The pattern extraction process is guided by

the definition of the value of MinSupport, i.e., events that

do not appear with frequency of at least MinSupport are

discarded. We set MinSupport = 1/2, i.e., for each host, we

discard all events not appearing in at least half of the snapshots. Sensitivity analysis is detailed in Sec. V-B.

C. Host Connectivity Graph

As previously discussed, we individually process each layer

to create separate graphs. The graphLayer() (Alg. 1 line:1)

hostname object-path host IP HTTP DNS Oth-TCP & Oth-UDP dst-port host IP host IP

Fig. 4. Graph layers nodes and multi-layer connections.

extracts patterns for a specific layer and maps them into a graph. This mapping exploits a subset of the events properties:

• The HTTP layer has two node types: hostnames and

object paths. An edge connects the hostname and the object path to compose a URL.

• The DNS layer has three node types: server hostnames,

server IP addresses, and DNS error codes. An edge connects the hostname to either the IP addresses returned by a DNS response, or to an error code.

• The TCP and UDP layers have two node types: server

IP addresses and server ports. An edge connects the two to represent a TCP or UDP connection.

Different graph layers are combined in a single Host-CG

using hostConnectivityGraph() (Alg. 1 line:4). The function

starts by extracting the snapshots (S) related to the seed.

The snapshots are then processed to extract the graph layers (g_{HT T P}, g_{DN S}, g_{T CP}, g_{U DP}) through calls tographLayer(). The separate layers are finally integrated to form the Host-CG

using the collectLayers() function, which looks for common

nodes across the layers and links them as represented in Fig. 4.

Notice that each graph layer contains the host (h) IP address

by construction.

D. Seed Connectivity Graph

To provide the global view of the common behavior seen by observing multiple hosts, we combine all Host-CGs. This

operation is performed by theseedConnectivityGraph() (Alg. 1

line:11) function. For each host (h) among the subset

pre-senting the seed (H), the function creates the Host-CG calling

hostConnectivityGraph(). All the output graph are collected

into the set Ghosts. The graphs are finally merged using

fuseGraphs(). This operation can consider different strategies. For instance, applying a strict intersection would retain only nodes appearing in all Host-CGs. In the worst case, this results in a Seed-CG containing only the original seed. More complex strategies can instead compute nodes and links popularity

among hosts, and discard those below the threshold

MinPop-ularity. In the following, we consider the strict intersection

TABLE I. DATASET SUMMARY.

All Flagged

Class Hosts (%) Events (%) Hosts Events HTTP 16,217 (79.1) 39.7 M (11.8) 1,308 42,007 DNS 15,164 (74.1) 30.7 M (9.3) - -Other TCP 18,911 (92.31) 40.8 M (12.14) 31 1,543 Other UDP 18,032 (88.02) 224.7 M (66.87) - -Total 20,486 335.9 M 1,321 43,550 IV. DATASET

We now describe the traffic traces and tools that we use to extract information to build the dataset that we use.

A. Data Collection

We consider a vantage point located in a commercial ISP where approximately 20,000 customers are connected. Most of the customers are residential users, connected via ADSL modems to the monitored point. Each customer modem is given a static IP address, which can be used to identify all the traffic generated/destined to the same household. In the following, we generalize the term “host” to refer to traffic

exchanged by a single household (IP address).1

We consider a trace obtained live during one day in April 2012. A commercial monitoring tool processed the packets in real time to generate a text log file in which each TCP and UDP flow is logged. For each flow, a record is stored. It details the flow identifier (the tuple source/destination IP addresses, source destination ports and protocol type), the timestamp of the first packet, the total number of packets/bytes sent and received, the application-protocol used. In case protocol is HTTP, the entry is annotated with server hostname, object

path, user-agent, content-type, response status (e.g.,200 OK),

content-length directly extracted from the HTTP header[7]. In case multiple HTTP objects are fetched using the same

TCP flow (e.g., due to HTTP-persistent), multiple records are

logged. Similarly, for each DNS transaction, the tool logs the requested hostname, the set of returned IP addresses, or the

response code in case of an error (e.g., NXDomain) [8]. To

protect users privacy, sensitive information has been removed. In parallel to the monitoring tool, a commercial IDS pro-cessed the packets in real time, logging alerts if some network activity matches any rule that is present in its database. We consider the IDS as an oracle that reveals which events are to be considered malicious. For each alert, the IDS simply

specifies the flow identifier, and athreat-ID, i.e., a numerical

code that identifies a particular threat. The IDS is very con-servative in triggering alerts and hence it is possible that some malicious events do not trigger any alert. Conversely, every alert is related to some malicious activity.

B. Dataset Overview

We consider each record in the log as a differentevent. By

matching the flow identifiers, alerts are linked to records, so

1_{Given the popularity of NAT (Network Address Translation) at home, the} ADSL modem IP address identifies traffic exchanged by all devices accessing the Internet at each customer household.

0 0.2 0.4 0.6 0.8 1 1 10 100 1K 100K 6M Fract. of hosts

URL Popularity Rank All Flags

(a) Popularity of HTTP objects.

1 10 100 1 10 50 236 1783 Number of snapshots Malicious seeds (b) Snapshots per malicious events. Fig. 5. Dataset characterization. (a).Top-100 HTTP objects are whitelisted (b).Seeds generating at least 3 snapshots are processed by our system.

that records can beflaggedas malicious. We obtain thelabeled

dataset described in Table I. Overall, 20,486 hosts generated about 336 M total events over the whole day. About 20% of those are related to HTTP and DNS records, with a large majority of the “Other TCP” due to TLS/SSL (HTTPS) traffic, and “Other UDP” events due to Peer-to-Peer applications.

Among all users, 6.4% exhibit some malicious activity (i.e.,

at least one event is flagged), with 151 different threat-IDs being reported by the IDS. Yet, only 43,550 flags are raised by the IDS. That translates to a negligible 0.013% of all traffic. Most of these records correspond to HTTP traffic, with the exception of some IRC and RPC flows. This confirms on the one hand the very stealthy and low rate activity that malware is typically generating. On the other hand, it confirms the conservative design of IDS. Almost all the flags are related

to malicious HTTP activities including Exploit Kits (e.g.,

Nu-clear, Blackhole, ZeroAccess), Drive-by Downloads, Malicious

Browser Toolbars (e.g., Ask.com), Trojans and Worms (e.g.,

Skintrim, Conficker), etc.

C. Whitelisting

Whitelisting is a common technique used to both reduce the amount of information processed, and to discard data that would possibly pollute the analysis. For the same purposes, we built a whitelist that targets very popular events that would be in any CG with high probability but add little information or create noise. Instead of creating a manual list of popular

and benign events, we opt for a dynamic and context-aware

approach. We build a whitelist based on events popularity

among clients, and select the top-k elements to be ignored

during the processing. We whitelist single HTTP events and not the entire websites, as it is known that malware can be hosted and distributed also from legitimate services.

Fig. 5(a) shows the HTTP events popularity,i.e., the fraction

of hosts that accessed a given URL (with stripped parameters). Note the log scale on x-axis. Fig. 5(a) shows the classic heavy tailed popularity. Top URLs are clearly very common among most of the hosts. Those include social network buttons

(e.g., www.facebook.com/plugins/like.php), analytics services

(e.g., www.google-analytics.com/ga.js), software update check

(e.g., download.windowsupdate.com/v9/windowsupdate/redir/

muv4wuredir.cab), etc. Red triangles highlight those events that are considered malicious by the oracle. The most diffused

/hprofile−ak−snc4/565221_1492122993_467277717_t.jpg /hprofile−ak−snc4/273358_895805400_1309865551_q.jpg /poker/dynamic_assets/100/gift87_1.png /hprofile−ak−snc4/274759_100001475743630_4934220_q.jpg /poker/CasinoSnapiProxy.php /poker/casino/ajax/ZSC/GetMessageData/ /poker/casino/ajax.php /poker/image_proxy.php/aHR0cDovL3Byb2ZpbGUuYWsuZmJjZG4ubmV0L2hwcm9maWxlLWFrLWFzaDIvMzY5OTE5XzEwNTk2MDA2NTBfMjU0ODIyOTkyX3EuanBn /static/fanpage/img/gossip/favicon.ico /poker/inc/ajax/liveChrome.php /b/o /hphotos−ak−ash3/561834_383177068381494_100000676125796_1208369_584924645_a.jpg /poker/client/modules/LuckyBonus008t.swf /poker/inc/ajax/openGraphEndpoints.php /login_user.php

/photos−ak−snc1/v85006/247/30713015083/app_1_30713015083_2979.gif /rsrc.php/v1/ya/r/GkSTZ3wYZBQ.png /hprofile−ak−snc4/173212_1546634717_946839939_q.jpg /rsrc.php/v1/ys/r/0VDksn8o5BR.png /poker/adapter/zgift_info.php /static/fanpage/js/fp−socialbox.js /poker//inc/ajax/ztrack_social.php /static/fanpage/img/gossip/socialcats/3397f28a49896345dd8a97aef27664d4_1273854312−50x50.jpg

/hphotos−ak−ash4/226080_237075302991672_100000676125796_778058_2105475_n.jpg /poker/dynamic_assets/as3/gift166_1.swf /poker/locale/en/img/lobbyBackgrounds/turkey0001.jpg /ajax/presence/update.php /static/fanpage/css/colorbox.css /hphotos−ak−snc7/p480x480/72556_1437003130377_1391961887_31036847_4473004_n.jpg danasrat.com /hprofile−ak−snc4/275823_1335733940_834053024_t.jpg /hprofile−ak−snc4/41661_678484760_313677665_q.jpg facebook2.poker.zynga.com /hprofile−ak−snc4/161485_100000964885703_485534086_q.jpg /poker/iframe_proxy.php /poker/locale/it/img/shouts/highscore_weeklycontest2.swf moodgum.ru

/_uploads/brief/u39103/video/5544/vulf−s_1334662854.png /css/styles_article.css /mybach.php /b/p /player_blog/static/img/bar420x257.jpg /en_US/all.js /css/styles_common.css /imgs/galleries/peole−are−talking−about/ossessione−del−giorno/007999/23−93977_201x113.jpg /gossipfanpage/wp−content/uploads/2012/01/i−messaggi−di−casper−smart−su−twitter.jpg gossip.fanpage.it connect.facebook.net /ads/firewall/firewall2.php 9339 www.ebuzzingvideo2.com 174.35.4.149 74.114.14.44 74.114.14.116 178.236.5.130 2.19.79.139 static.fanpage.it.s3.amazonaws.com /hphotos−ak−snc6/185218_236766699689199_100000676125796_776909_6410623_a.jpg /jennifer−lopez−senza−veli−per−spot−il−toyboy−l−ha−svecchiata/ /hprofile−ak−snc4/572691_100000262934515_165452218_q.jpg /poker/image_proxy.php/aHR0cHM6Ly9mYmNkbi1wcm9maWxlLWEuYWthbWFpaGQubmV0L2hwcm9maWxlLWFrLWFzaDIvMTc0MTY5XzEwMDAwMzU3NjI2NTM3NV8xODIwMTIzODU1X3EuanBn /poker/inc/ajax/popup_deferred_load.php cornlion.ru /javascripts/z_purchase.js /hphotos−ak−snc7/312780_278137352218800_100000676125796_915311_1551900761_s.jpg /hphotos−ak−snc7/162835_100870826657564_100002039403380_3279_7550227_n.jpg /hphotos−ak−prn1/543248_392848557414345_100000676125796_1237183_584277678_a.jpg /poker/inc/ajax/trackFriendFeed.php /poker/callback/loadMilestone.php /ajax/pagelet/generic.php/WebEgoPane /static/fanpage/js/functions.js statics.poker.static.zynga.com 74.114.14.200 ic.tynt.com /volvo.php jockesnotliked.com /js/23777651.js 174.35.6.18 /update_user.php 107.21.104.252 91.121.37.72 91.121.33.206 firewall.adlooxtracking.com /connect.php/it_IT blueberrymo.com zpay.static.zynga.com track.poker.zynga.com 67.202.66.200 /mark/26069_18 199.2.137.141 91.121.33.204 87.98.174.90 213.254.17.25 74.114.14.192 46.20.120.122 2.16.12.123 46.20.120.129 46.20.120.125 ads.lfstmedia.com /photos−ak−snc1/v27562/157/183366208380001/app_1_183366208380001_2727.gif /texas_holdem/index.php /ajax/pagelet/generic.php/PhotoViewerPagelet /texas_holdem/dmz_link_landing.php photos−c.ak.fbcdn.net /ajax/photos/photo/tags/tags_init.php /hphotos−ak−snc6/254706_236767246355811_100000676125796_776911_5097146_a.jpg /poker/server_status.php /poker/adapter/user_data.php /ajax/pagelet/generic.php/PhotoViewerInitPagelet 178.236.6.106 69.63.190.72 69.63.189.76 66.220.153.76 apps.facebook.com notify13.dropbox.com 178.236.5.129 213.254.17.95 66.220.158.72 213.254.17.23 www.google−analytics.com 173.194.35.6 173.194.35.4 173.194.35.5 173.194.35.1 173.194.35.9 173.194.35.2 cdn.optimizely.com 213.254.17.22 2.16.12.119 69.63.189.72 69.63.190.76 69.171.242.62 69.171.242.28 213.254.17.97 static.ak.connect.facebook.com /scripts/following_parser.js /hphotos−ak−snc6/164105_100870876657559_100002039403380_3282_7125869_n.jpg /poker/getStaticSet.php static.fanpage.it /static/fanpage/img/gossip/socialcats/5537d149731a7ae67a31403ab8ccb542_1273675090−50x50.jpg /ScriptResource.axd /poker/inc/ajax/luckyBonus.php /photos−ak−snc1/v85006/121/183211452517/app_2_183211452517_7537.gif adbwer.com /ajax/photos/photo/tags/tags_album.php

/zlive/zoom/latest−prod/js/zoom.js /100000002251435/picture /translate_a/st /poker/img/shouts/004_straightarrow_100.png /1155371715/picture /hphotos−ak−ash3/s320x320/524006_368384226546857_274145419304072_1066669_1925081023_n.jpg /messages/1039827183 /id /js/8094158.js /hphotos−ak−prn1/562507_392905357408665_100000676125796_1237232_2000035560_a.jpg /texas_holdem/ai.php /subscribe /static/fanpage/css/style.css /WebResource.axd

photos−g.ak.fbcdn.net /ajax/apps/usage_update.php /zbillr/javascripts/fbc_proxy_receiver.js /people−are−talking−about/l−ossessione−del−giorno/2011/07/rihanna−donna−dell−anno /static/fanpage/img/social−popup−arrow.png /1379836228/picture /sound_iframe.php /100002069787737/picture /subsite/classic1.0.htm /zlive/xpromo/xpromo.html /ajax/desktop/log_clicks.php 213.254.17.88 /hphotos−ak−snc7/s320x320/409592_2640210998587_1054900399_32483285_658182361_n.jpg graph.facebook.com tag.admeld.com /1491064533/picture /hphotos−ak−ash4/226080_237075302991672_100000676125796_778058_2105475_a.jpg /1542228796/picture /ajax/ticker.php www.facebook.com 69.171.242.13 443 /safe_image.php videosit.foxtv.es /static/fanpage/js/jquery.colorbox−min.js external.ak.fbcdn.net /fbml_static_get.php www.vogue.it /hphotos−ak−ash3/552824_392914624074405_879211169_a.jpg /px /ajax/libs/jquery/1.3/jquery.min.js 213.254.17.17 217.72.242.214 /static/fanpage/img/fb−connect.png /ajax/feed/feed_menu.php /ajax/typeahead/search/bootstrap.php /zlive/zoom/latest−prod/js/swfobject.js creative.ak.fbcdn.net /hphotos−ak−snc6/165328_100870966657550_100002039403380_3287_75996_n.jpg /hphotos−ak−ash3/p480x480/551133_258935747529234_100002384311499_581374_900259184_n.jpg /ai.php /v41818/flyers/2/40/13310379501239845211_1_697f2c4b.jpg /hphotos−ak−snc6/185298_235845599781309_100000676125796_773383_1963093_n.jpg /v41818/flyers/58/24/13276780822212003_1_6e5696a8.jpg /static/fanpage/img/gossip/socialcats/33c3703f58f47be96aa1ff74368233d5_1287501759−50x50.jpg a7.sphotos.ak.fbcdn.net /plugins/like.php /v565063/flyers/52/46/1334223236254615942_1_3c3fb34b.jpg /v41818/flyers/72/15/1305725456356678821_1_ed4f04a3.jpg /poker/join_buddy_bonus.php /favicon.ico /poker/launch.php /hprofile−ak−snc4/573689_1579380416_832259165_q.jpg /ajax/typeahead/search.php /v41818/flyers/43/56/13169419321666481769_1_6d9a0bf7.jpg /v41818/flyers/33/43/1327394312544141178_1_ee174501.jpg /hprofile−ak−snc4/158066_214249671959717_907212476_q.jpg /l.php /img/Nuvenia_nuvette.png /v41818/flyers/92/27/1327670884666156793_1_9f773eb0.jpg /dialog/oauth /ajax/desktop/promo_action.php /hphotos−ak−snc7/s320x320/320445_147841755305301_100002384311499_277577_527423870_n.jpg /hphotos−ak−ash3/166353_100870906657556_100002039403380_3284_370331_n.jpg /hphotos−ak−ash4/p480x480/396320_201272136628929_100002384311499_436878_1197544203_n.jpg /100001281214666/picture /hphotos−ak−ash4/185575_237075009658368_100000676125796_778056_1909867_n.jpg /hphotos−ak−ash4/380601_383177018381499_100000676125796_1208366_452298874_n.jpg /hphotos−ak−snc6/185218_236766699689199_100000676125796_776909_6410623_n.jpg /v565063/flyers/89/6/1334580171885480086_1_db43806e.jpg /hphotos−ak−snc6/168405_1542754974107_1391961887_31242937_5690651_n.jpg /plugins/likebox.php /atoms/d6/e5/df/64/d6e5df64c6f41855a9c5c291a1581435.swf /pixel/pxgcm /atoms/b2/ef/60/aa/b2ef60aa8eee15f6653fa9fd126a0158.swf /hphotos−ak−snc7/p480x480/387741_347783011903361_303873256294337_1576722_338016840_n.jpg /ajax/home/generic.php 69.171.242.53 /pki/mscorp/crl/Microsoft%20Secure%20Server%20Authority(8).crl a2.sphotos.ak.fbcdn.net /pagead/osd.js

/pagead/show_ads.js /AdServer/Pug 213.254.17.65 /hphotos−ak−snc7/397114_2297940533274_1391961887_31960151_2130872344_n.jpg googleads.g.doubleclick.net /pagead/ads a4.sphotos.ak.fbcdn.net /hphotos−ak−snc7/s320x320/35748_1314916158279_1391961887_30755830_7309748_n.jpg partner.googleadservices.com 80.154.79.115 /gampad/ads /hphotos−ak−snc6/168295_100870983324215_100002039403380_3288_2837125_n.jpg 80.154.79.88 80.154.79.130 80.154.79.89 173.194.35.57 213.254.17.72 /hphotos−ak−snc6/166491_100870679990912_100002039403380_3271_1256366_n.jpg pubads.g.doubleclick.net 80.154.79.97 cm.g.doubleclick.net 173.194.35.26 80.154.79.113 173.194.35.45 173.194.35.58 80.154.79.122 80.154.79.91 80.154.79.81 pagead2.googlesyndication.com 173.194.35.13 80.154.79.112 173.194.35.25 23.21.254.195 50.17.211.217 184.72.255.2 107.20.156.209 23.21.209.236 /__utm.gif /service/update2 194.244.45.210 /event 173.194.35.14 log3.optimizely.com 173.194.35.0 173.194.35.7 plusone.google.com 173.194.35.8 173.194.35.3 tools.google.com 184.73.165.150 translate.googleapis.com 157.55.231.251 66.220.146.86 193.45.15.65 a.triggit.com 193.45.15.51 zynga1−a.akamaihd.net 213.254.17.87 50.16.212.100 23.21.163.135 fbcdn−profile−a.akamaihd.net 69.171.247.80 69.63.189.70 69.63.190.70 80.154.79.105 content.yieldmanager.edgesuite.net image2.pubmatic.com s−static.ak.facebook.com urs.microsoft.com 66.220.147.38 69.171.228.21 2.19.77.177 157.55.233.123 s−static.ak.fbcdn.net 74.125.79.95 141.101.124.40 cdn.iubenda.com 173.194.35.15 ajax.googleapis.com 69.171.242.12 66.220.158.70 2.19.66.110 157.55.231.252 213.254.17.71 94.245.68.177 217.72.250.66 94.245.68.178 ssl.gstatic.com 141.101.125.40 mscrl.microsoft.com /zbar/v2/prod/promo/c9640c7f048ced93cee9f6af7ea9b232.jpg /zbar/v2/prod/promo/5065d0f2cd0fc78bcbc7aa3c54223c65.gif /img/Le_Nuove_Nuvette.gif /hphotos−ak−ash4/252972_217916978240838_100000676125796_704122_2698621_a.jpg /zbar/static/zbar/poker/static−locale/it_IT.js /message−center/xpromoTrack.php /photos−ak−snc1/v85005/166/164285363593426/app_2_164285363593426_820555261.gif /hphotos−ak−ash4/215066_236767333022469_100000676125796_776912_6410724_a.jpg /ajax/gigaboxx/endpoint/UpdateLastSeenTime.php /widgets.js /jspix /zbar/v2/prod/game/fb81eb07f135192f5d49100982241bb1.png /1/urls/count.json /dt /js/download.js /photos−ak−snc1/v85005/230/116014898445746/app_2_116014898445746_2541.gif urathfdk.com /ajax/feed/ticker/flyout.php /MFIwUDBOMEwwSjAJBgUrDgMCGgUABBSOJaE2H4hHYQzP74hlLuO41NG%2BEAQUHsWxLH2H2gJofCW8DAeEP7bP3vECEQCIlxeR%2B%2FbOSSAmjN9qCoJf /tap.phpzynga2−a.akamaihd.net /world.php

213.254.17.33 /t.gif pixel.facebook.com p.twitter.com /stats/47215_5544_638069_36984_7747_2.jpg /StageOne/Generic/AppHangB1/iexplore_exe/9_0_8112_16421/4d76255d/5f0e/135168.htm /recv.php zbar.zynga.com /common/xhr/xhr.html /zbar/v2/prod/promo/6dddf4bc376a571b83acd23be1726826.png zbar2.zynga.com / /zbar−new/zoom_data.php 89.31.74.161 /common/loader.js /common/ifpc/ifpc.js /proxy.html 213.254.17.78 platform.ak.fbcdn.net 184.75.168.152 213.254.17.32 api.zynga.com 69.171.242.30 cdn.api.twitter.com 107.22.163.197 platform.twitter.com 107.20.195.59 107.22.179.237 75.101.132.206 63.251.249.49 216.52.121.177 2.16.13.55 107.22.231.29 stat.ebuzzing.com 107.20.191.196 audit.303br.net 174.129.11.129 107.22.211.3 78.109.91.19 184.73.155.146 31.186.225.24 178.255.83.1 184.73.197.241 184.73.158.151 184.73.232.146 184.73.215.92 184.73.215.81 lloogg.com pixel.rubiconproject.com watson.microsoft.com 65.55.53.190 ocsp.comodoca.com rivergrape.com 213.254.17.80 109.74.200.119 184.75.160.202 8890 184.75.168.208 213.140.0.39 69.171.227.61 2−jv−w.channel.facebook.com /iframe/12 3−jv−w.channel.facebook.com /pullcss.vogue.it 213.140.0.45 /poker/adapter/zuser_feed.php /poker/inc/ajax/chips.php /imgs/galleries/peole−are−talking−about/ossessione−del−giorno/007999/21−43754_201x113.jpg /css/styles_dark.css /hphotos−ak−snc6/s320x320/165260_1504281852303_1391961887_31171518_4446658_n.jpg /css/colorbox.css /js/script_common.js /imgs/galleries/peole−are−talking−about/ossessione−del−giorno/007999/26−5234414_201x113.jpg 212.243.210.145 212.243.210.161 1−jv−w.channel.facebook.com 212.243.210.195 212.243.210.194 pix.lfstmedia.com 87.98.144.93 46.20.120.230 212.243.210.138 212.243.210.209 87.98.155.169 74.114.14.197 91.121.37.196 91.121.37.201 91.121.49.57 j.adlooxtracking.com 91.121.40.11 /hphotos−ak−ash3/s320x320/167094_1511012020553_6376530_n.jpg /it_IT/all.js /css/jquery.ad−gallery.css 843 /images/fb_popup/fb_popup_empty_like_button.jpg /hphotos−ak−snc7/p480x480/418513_254203174669158_100002384311499_569106_930991690_n.jpg /hphotos−ak−snc6/168926_100870946657552_100002039403380_3286_7170577_n.jpg /js/condenet/jquery.cookies.js /hphotos−ak−snc6/168095_100870739990906_100002039403380_3274_692480_n.jpg /hphotos−ak−snc7/p480x480/149161_1450288062492_1391961887_31058449_5122823_n.jpg /hphotos−ak−snc7/33820_100870809990899_100002039403380_3278_1850791_n.jpg /hphotos−ak−prn1/s320x320/30468_1314916718293_1391961887_30755836_6756993_n.jpg /hphotos−ak−ash4/s320x320/407236_2790145346852_1054900399_32556565_1399259089_n.jpg a5.sphotos.ak.fbcdn.net /hphotos−ak−ash4/s320x320/405734_2640209958561_1054900399_32483283_868894953_n.jpg scripts.vogue.it /css/colorbox−login.css /imgs/galleries/peole−are−talking−about/ossessione−del−giorno/007999/rihanna−3310943_201x113.jpg /hphotos−ak−snc6/185298_235845599781309_100000676125796_773383_1963093_a.jpg images.vogue.it /imgs/galleries/peole−are−talking−about/ossessione−del−giorno/007999/22−101501_201x113.jpg /js/jquery/jquery−1.4.1.min.js /imgs/galleries/peole−are−talking−about/ossessione−del−giorno/007999/20−2668906_201x113.jpg /js/jquery/jquery.urlEncode.js 193.45.15.10 profile.ak.fbcdn.net /hprofile−ak−snc4/260692_100000726608589_1780107603_q.jpg /hprofile−ak−snc4/161170_100002129125070_869877764_q.jpg /hprofile−ak−ash2/273330_1596731001_523860472_t.jpg 10.149.42.161

/rsrc.php/v1/yh/r/2e71hHWKLkX.png /hphotos−ak−ash3/552824_392914624074405_879211169_n.jpg 213.254.17.94 /img/rockmelt−logo.png /hphotos−ak−snc6/164070_100870786657568_100002039403380_3277_814796_n.jpg /hprofile−ak−snc4/572817_1553262724_1387094090_q.jpg /img/sfondi_del_computer_gratis.gif /hprofile−ak−snc4/161701_100001755798199_6352246_q.jpg /img/downloaded_lg.png /hprofile−ak−ash2/174160_100001205693619_1868980530_q.jpg /rsrc.php/v1/y9/r/KeqeJ6N1uam.js /hphotos−ak−prn1/560213_383177031714831_100000676125796_1208367_1998403977_a.jpg /poker/image_proxy.php/aHR0cDovL3Byb2ZpbGUuYWsuZmJjZG4ubmV0L2hwcm9maWxlLWFrLXNuYzQvNDkwNjBfNTMxMjQzODg5XzU1NzZfcS5qcGc= /hprofile−ak−snc4/49013_1042651996_1516452143_t.jpg /hprofile−ak−snc4/260932_1054900399_7435617_n.jpg

/photos−ak−snc1/v43/139/131394766951111/app_1_131394766951111_9896.gif bluesbars.ru photos−f.ak.fbcdn.net /v41818/flyers/49/40/1330020635284680475_1_9ef4d62b.jpg /hprofile−ak−snc4/187495_622857416_5287376_q.jpg /hprofile−ak−snc4/161772_1642887381_1054411433_q.jpg /ajax/hovercard/shown.php /ajax/log_ticker_render.php /rsrc.php/v1/yG/r/40jte7RHzIS.css /api/2/0/friends/ /photos−ak−snc1/v85006/195/194287413934599/app_1_194287413934599_990348473.gif /zbar/v2/prod/promo/75ff52b6586ba903bd8770e14fe219e5.png lhfyatqe.com /static/fanpage/css/gossip.css /hprofile−ak−snc4/157150_100000333087281_869301305_q.jpg /hprofile−ak−snc4/174144_1749634255_183741169_q.jpg /hphotos−ak−prn1/562507_392905357408665_100000676125796_1237232_2000035560_n.jpg /v565063/flyers/51/5/1334591253175796218_1_28f3b677.jpg /poker/image_proxy.php/aHR0cDovL3Byb2ZpbGUuYWsuZmJjZG4ubmV0L2hwcm9maWxlLWFrLXNuYzQvNTc0MDEyXzE2NTQ3NjMxOTZfOTYyNjcxMTkxX3EuanBn /hprofile−ak−snc4/41547_100003683737472_1162337856_q.jpg /hprofile−ak−snc4/173669_1518030990_3746743_q.jpg /hprofile−ak−snc4/27341_100000145360744_1167_q.jpg /hprofile−ak−snc4/161442_100002081922420_3261767_q.jpg /connect.php/css/share−button−css /hprofile−ak−snc4/174204_1419369251_1063861876_q.jpg /v565063/flyers/95/21/1332608678956388932_1_91d5573e.jpg playerstatics1.poker.static.zynga.com /hphotos−ak−snc6/165333_100870713324242_100002039403380_3273_2122562_n.jpg

/hprofile−ak−ash2/565226_1393255652_485808195_t.jpg /hphotos−ak−ash4/185575_237075009658368_100000676125796_778056_1909867_a.jpg /hprofile−ak−snc4/574005_100000420518082_1632235534_q.jpg /rsrc.php/v1/y6/r/n7OLd78dc_8.js

/rsrc.php/v1/y5/r/E5QVKTtyFOd.png /photos−ak−snc1/v27562/151/151829154838267/app_2_151829154838267_1757.gif /hprofile−ak−snc4/371771_100001654317020_1010609740_q.jpg /rsrc.php/v1/yu/r/Z8pDY0UNUO4.js 2 /poker/image_proxy.php/aHR0cDovL3Byb2ZpbGUuYWsuZmJjZG4ubmV0L2hwcm9maWxlLWFrLXNuYzQvNDE1NTVfMTAwMDAyNzg1MTE0MzQ3XzE2NTIzMDUzODdfcS5qcGc= /v565063/flyers/15/0/13331109291602475720_1_af1d73d0.jpg /v41818/flyers/12/21/13052912501854769801_1_b514edeb.jpg /css/theme.css /hprofile−ak−snc4/161361_100001529221773_1400922524_q.jpg /hprofile−ak−snc4/368866_100003083532122_122744866_q.jpg /rsrc.php/v1/yl/r/doKTwlK_4p−.png /s/3v0Jm8D /hphotos−ak−ash4/p480x480/401257_390370997644392_871039186_n.jpg /v41818/flyers/20/38/1328039416941196961_1_f76c8385.jpg /poker/image_proxy.php/aHR0cDovL3Byb2ZpbGUuYWsuZmJjZG4ubmV0L2hwcm9maWxlLWFrLXNuYzQvNTcyMzU1XzEwMDAwMTAzMTQ4NzIyNV8xMjUwODgwMzY0X3EuanBn /v41818/flyers/45/40/13319072851976627087_1_03bb43c5.jpg www.nuvette.it

/hprofile−ak−snc4/273313_100002391319490_258078382_q.jpg /call/imppix2/1614607/6067880/161296/ /hphotos−ak−ash3/s480x480/529164_124047717728019_100003683737472_117566_602560002_n.jpg /js/jquery.tools.min.js /hphotos−ak−prn1/543248_392848557414345_100000676125796_1237183_584277678_n.jpg /def/def/showdef.asp /call/pubj/23794/161296/9988/M/188733587/[target] /hphotos−ak−snc6/166471_100870846657562_100002039403380_3280_4563298_n.jpg /a/diff/431/1614607/show2.asp /js/BrightcoveExperiences.js /hphotos−ak−snc6/251107_218015671564302_100000676125796_704564_4039342_a.jpg 213.254.17.16 /api/2/0/promos2/ /www/app_full_proxy.php /pixel.gif /zbar/v2/prod/promo/10b6759227632508bdd2b98befd130f1.png /js/APIModules_all.js /photos−ak−snc1/v27562/71/291549705119/app_1_291549705119_514.gif /gampad/google_service.js /hphotos−ak−snc7/s320x320/319684_164170577005752_100002384311499_332478_1542917955_n.jpg /hphotos−ak−snc6/165340_100870689990911_100002039403380_3272_144908_n.jpg /hphotos−ak−snc6/254706_236767246355811_100000676125796_776911_5097146_n.jpg /v565063/flyers/11/12/13333849592081278675_1_4170ffde.jpg /hphotos−ak−ash4/252972_217916978240838_100000676125796_704122_2698621_n.jpg /attachments/messaging_upload.php /hphotos−ak−ash3/s320x320/560389_368385103213436_274145419304072_1066671_982264355_n.jpg /hphotos−ak−snc6/167640_100870923324221_100002039403380_3285_5112154_s.jpg /v41818/flyers/10/45/1331037950447089624_1_32ec06f3.jpg /hphotos−ak−ash3/166134_100870753324238_7546385_n.jpg /v565063/flyers/100/9/13341347411126686376_1_10e889ae.jpg /hphotos−ak−prn1/s320x320/548687_258635134225962_100002384311499_580539_1826389881_n.jpg /hphotos−ak−ash4/215066_236767333022469_100000676125796_776912_6410724_n.jpg /hphotos−ak−prn1/s320x320/523728_368382996546980_274145419304072_1066665_593235360_n.jpg /poker/image_proxy.php/aHR0cDovL3Byb2ZpbGUuYWsuZmJjZG4ubmV0L2hwcm9maWxlLWFrLXNuYzQvNTczMTQwXzEwNzk0NzMwNDhfMTA0MjM0MzMwMF9xLmpwZw== /hphotos−ak−snc7/p480x480/306287_260184937404315_100002384311499_585262_464373497_n.jpg /api/2/0/counters/ /js/functions.js www.rockmelt.com /zbar/v2/prod/promo/1bccf069eaa886043321af9a5dfe808c.png /poker/image_proxy.php/aHR0cHM6Ly9mYmNkbi1wcm9maWxlLWEuYWthbWFpaGQubmV0L2hwcm9maWxlLWFrLXNuYzQvMjYwNjA4XzE0MjYyMDUzNDZfMTU5OTMxNzc1NF9xLmpwZw== /img/Agatha_Ruiz_De_La_Prada.png /call/pubj/23794/161296/9988/M/1396855733/[target] /hprofile−ak−snc4/41555_100002785114347_1652305387_q.jpg /hprofile−ak−snc4/48916_1336382160_1709951995_q.jpg static.ak.fbcdn.net 3 /hprofile−ak−snc4/49856_1179336558_3037_q.jpg /rsrc.php/v1/yH/r/1yFUVzvGflf.png /photos−ak−snc1/v85006/109/107040076067341/app_1_107040076067341_1528.gif /poker/casino/ajax/ZSC/Accept/ tiebath.ru /hphotos−ak−ash3/555479_383177088381492_100000676125796_1208370_615701503_a.jpg /hprofile−ak−snc4/174182_100001161171722_1921820198_q.jpg /photos−ak−snc1/v85005/222/365709729894/app_2_365709729894_5222.gif /hprofile−ak−ash2/49135_1495763503_5748_q.jpg /photos−ak−snc1/v27562/175/102766453114171/app_1_102766453114171_8088.gif /hphotos−ak−prn1/s320x320/26692_1314915718268_1391961887_30755825_2342829_n.jpg

/photos−ak−snc1/v85005/80/228348247236308/app_1_228348247236308_1490.gif /hprofile−ak−snc4/186344_100001005362217_1185407405_q.jpg /hprofile−ak−snc4/161259_100001879378218_6432409_q.jpg /hphotos−ak−snc6/229634_237075536324982_100000676125796_778060_7276928_a.jpg /poker/image_proxy.php/aHR0cDovL3Byb2ZpbGUuYWsuZmJjZG4ubmV0L2hwcm9maWxlLWFrLXNuYzQvMzcxMTkxXzEwMDAwMDQ4NzY0NDczMF8xOTA1NDk4ODAzX3EuanBn /photos−ak−snc1/v27562/52/2389801228/app_1_2389801228_4018.gif /wp−admin/admin−ajax.php /crossdomain.xml /poker/inc/ajax/chip_vals.php taxescell.ru /ad/N3024.5011.FOXINTERACTIVE/B6449871;sz=1x1;ord=52074038 /photos−ak−snc1/v85006/237/256051837747677/app_1_256051837747677_2325.gif /hphotos−ak−ash4/249929_218011594898043_100000676125796_704480_7768516_a.jpg /photos−ak−snc1/v85005/222/365709729894/app_1_365709729894_9467.gif photos−e.ak.fbcdn.net secure−it.imrworldwide.com /adscores/g.pixel 213.254.17.62 70.42.33.241 216.120.27.21 photos−b.ak.fbcdn.net /hprofile−ak−ash2/187086_100000363921369_6546321_q.jpg /hphotos−ak−ash3/166797_100870659990914_100002039403380_3270_2778416_n.jpg /hphotos−ak−ash4/268672_235833289782540_100000676125796_773359_3697943_a.jpg /photos−ak−snc1/v43/152/154089927959840/app_2_154089927959840_1239.gif /hphotos−ak−snc7/407905_2640210558576_1054900399_32483284_1415883070_s.jpg /js/jquery/jqueryui.js /photos−ak−snc1/v85006/39/101539264719/app_1_101539264719_2507.gif /rsrc.php/v1/yP/r/JJTbNB3NOtv.png /connect.php/js/FB.Share /hphotos−ak−snc6/163139_100870863324227_100002039403380_3281_2081965_n.jpg /poker/inc/ajax/profile_popup.php /hprofile−ak−snc4/186535_1052265436_6807914_q.jpg /hphotos−ak−prn1/562722_393219950710539_100000676125796_1237622_2143092417_a.jpg tamqpcmcy.com /hphotos−ak−prn1/535515_392905437408657_100000676125796_1237233_741496854_a.jpg /cgi−bin/m /photos−ak−snc1/v85005/244/65108332792/app_1_65108332792_9404.gif /hphotos−ak−snc7/396287_300691336648184_100001219593333_890976_1023031451_n.jpg /hphotos−ak−ash4/407661_337379306294604_100000676125796_1087240_1926487984_n.jpg /rsrc.php/v1/yl/r/cN5zKudwrmb.css /hphotos−ak−snc6/284142_235833409782528_100000676125796_773360_6339820_a.jpg 213.254.17.8 adadvisor.net /poker/image_proxy.php/aHR0cDovL3Byb2ZpbGUuYWsuZmJjZG4ubmV0L2hwcm9maWxlLWFrLXNuYzQvNDE1NTVfMTAwMDAyNzg1MTE0MzQ3XzE2NTIzMDUzODdfbi5qcGc= /poker/img/shouts/003_threesco_100.png /static/fanpage/img/gossip/socialcats/e2b11d959bce053c90de466604ed28a1_1318858190−50x50.jpg /poker/inc/ajax/amazing_ideas.php /hprofile−ak−snc4/48897_100001281214666_1095838380_q.jpg janpollj.com a8.sphotos.ak.fbcdn.net photos−d.ak.fbcdn.net /hphotos−ak−snc7/s320x320/76027_1450285062417_1391961887_31058442_1557303_n.jpg photos−h.ak.fbcdn.net /hphotos−ak−snc6/284142_235833409782528_100000676125796_773360_6339820_n.jpg /viewad/954669/1−inv.gif /hphotos−ak−ash4/380601_383177018381499_100000676125796_1208366_452298874_a.jpg photos−a.ak.fbcdn.net 213.254.17.86 /imp 217.163.21.37 80.154.79.138 80.154.79.137 217.163.21.36 ac.tynt.com 91.103.139.3 91.103.140.2 /J−LO−SENZA−VELI 91.103.138.62 69.58.188.40 bit.ly 217.163.21.39 217.163.21.41 217.163.21.40 217.163.21.34 /hphotos−ak−ash4/s480x480/305686_124047664394691_100003683737472_117565_1405113608_n.jpg 80.154.79.106 /gampad/google_ads.js 80.154.79.73 a1.sphotos.ak.fbcdn.net 80.154.79.104 80.154.79.107 /aclk 80.154.79.131 80.154.79.136 80.154.79.72 80.154.79.82 80.154.79.128 80.154.79.139 80.154.79.74 217.163.21.35 217.163.21.38 /hphotos−ak−snc6/167762_100870886657558_100002039403380_3283_6414957_n.jpg a3.sphotos.ak.fbcdn.net /st /hphotos−ak−snc6/162760_100870769990903_100002039403380_3276_6683956_n.jpg www4.smartadserver.com ad.yieldmanager.com ads.bluelithium.com admin.brightcove.com 213.254.17.55 91.103.138.65 213.254.17.9 184.73.193.109 184.73.215.73 184.73.215.91 184.73.215.88 69.58.188.39 184.73.215.87 184.73.155.139 184.73.212.52 184.73.212.0 184.73.156.195 184.73.155.122 184.73.155.177 184.73.156.206 184.73.188.162 184.73.215.96 184.73.204.178 184.73.215.82 184.73.157.171 184.73.215.93 184.73.214.31 s0.2mdn.net 213.254.17.15 ad.doubleclick.net 212.239.41.101 173.194.35.28 213.254.17.31 173.194.35.27 173.194.35.60 173.194.35.59 nav3.poker.zynga.com /hphotos−ak−snc6/200221_1622881977232_1391961887_31364215_2612460_n.jpg /hphotos−ak−ash3/555577_3351311235158_1640208996_2619594_1199453245_n.jpg /_tracker/569 193.45.15.33 /hphotos−ak−prn1/535462_383177051714829_100000676125796_1208368_406060946_a.jpg 213.254.17.96 /images/shim.gif /hphotos−ak−snc6/251107_218015671564302_100000676125796_704564_4039342_n.jpg /hphotos−ak−ash4/407661_337379306294604_100000676125796_1087240_1926487984_a.jpg /activityi;src=954669;type=nuven191;cat=landi232;ord=4044130197191.0083 /hphotos−ak−ash3/555479_383177088381492_100000676125796_1208370_615701503_n.jpg 213.254.17.57 fls.doubleclick.net /photos−ak−snc1/v85005/166/164285363593426/app_1_164285363593426_1385.gif /hphotos−ak−snc6/167640_100870923324221_100002039403380_3285_5112154_n.jpg /hphotos−ak−snc7/163213_100870566657590_100002039403380_3264_2479830_n.jpg /hphotos−ak−prn1/560213_383177031714831_100000676125796_1208367_1998403977_n.jpg /link/link.php /js/jquery/jquery.easing.compatibility.js /hphotos−ak−ash4/249929_218011594898043_100000676125796_704480_7768516_n.jpg /photos−ak−snc1/v27562/175/102766453114171/app_2_102766453114171_8233.gif a6.sphotos.ak.fbcdn.net akamai.smartadserver.com 212.243.210.168 /ads/js/tfa_ebuzz_creaebz.js 212.243.210.136 212.243.210.201 212.243.210.144

(a) Initial graph from a single snapshot.

moodgum.ru bluesbars.ru taxescell.ru tiebath.ru cornlion.ru adbwer.com janpollj.com danasrat.com urathfdk.com lhfyatqe.com tamqpcmcy.com Server Failure Non−Existent Domain 74.142.229.4 173.25.6.247 64.4.23.165 157.55.130.155 157.56.52.34 40034 40025 40030 40021 /world.php / rivergrape.com 60.13.186.5 108.174.53.11 /mybach.php 111.221.77.149 40016 40001 213.199.179.149 40004 157.55.56.149 157.55.235.160 157.55.56.160 65.55.223.37 65.55.223.30 157.56.52.38 111.221.74.38 157.55.130.140 40017 40028 40047 443 173.194.35.29 chatenabled.google.com 173.194.35.61 b.mail.google.com 28326 195.164.49.134 194.204.51.27 80.80.150.135 12345 33033 26567 Host_1 10425 173.194.35.180 173.194.35.50 173.194.35.144 173.194.35.51 173.194.35.177 173.194.35.148 173.194.35.179 173.194.35.176 173.194.35.178 www.google.com accounts.google.com www.gstatic.com ssl.gstatic.com www.gmail.com mail.google.com pop.gmail.com 62.149.152.152 199.2.137.141 74.125.79.108 jockesnotliked.com 74.125.79.109 /volvo.php blueberrymo.com pop3s.certmail.arub.net 192.150.14.174 209.85.148.84 173.194.35.47 173.194.35.53 2.19.66.110 hl2rcv.adobe.com 995 s−static.ak.facebook.com 173.194.35.49 173.194.35.147 173.194.35.52 173.194.35.145 173.194.35.48 173.194.35.146

(b) Host-CG of a single client.

/mybach.php blueberrymo.com /volvo.php jockesnotliked.com 199.2.137.141 danasrat.com adbwer.com moodgum.ru bluesbars.ru tiebath.ru taxescell.ru cornlion.ru Host_2 Host_3 Host_1 janpollj.com urathfdk.com tamqpcmcy.com lhfyatqe.com Server Failure Non−Existent Domain 108.174.53.11 216.144.250.123 /world.php 217.52.202.71 rivergrape.com 60.13.186.5 (c) Final Seed-CG.

Fig. 6. Evolution of Network Connectivity Graphs at several steps of our methodology. The event under study http://jockesnotliked.com/mybach.php is reported as malicious by our oracle. Three clients are flagged for this event: Two generate two analysis snapshots each, while the third client generates eight snapshots.

type of attack - a Drive-by Download threat - infects about 800 hosts (3.8% of hosts). The huge tail confirms the intuition that most of URLs are accessed by few hosts only. We conservatively compile a whitelist made of the Top-100 HTTP events, which equivalently filters those events that are common to more than 23% of hosts. This avoids blurring the common pattern mining and reduces the itemset extraction time, despite not affecting the descriptiveness of CGs.

V. CONNECTIVITYGRAPHCHARACTERIZATION

We next evaluate the benefits and properties of CG creation. We first identify the amount of events eligible of becoming seeds. Recall that our methodology requires a recurrence of seeds over time and over population. The requirement matches basic properties of malicious activities, such as recurrent re-porting to the C&C center or recurrent attempts to identify new victims. For this reason, we expect that malware distributors would try to disguise such repetitiveness as much as possible. In our dataset we found 820 malicious hosts that had only one flagged event. If analyzed in isolation (on per host basis), these events would not have any recurrence.

Fig. 5(b) reports the number of snapshots that can be associated to each unique malicious event. By considering 1,783 unique malicious events, we found that 236 events can be uniquely associated to at least three independent

snap-shots. Setting MinSnapshots=3, these events become fully

characterizable by our system. In fact, looking at the absolute numbers, we can provide insights for 95% of the malicious snapshots in our dataset (40k out of 42k events).

A. Connectivity Graph construction steps

In Fig. 6, we present an example of the Network Connec-tivity Graph evolution according to the steps of the method-ology described in Sec. III. We consider the malicious seed

http:// jockesnotliked.com/ mybach.php.

•Fig. 6(a) shows the network traffic produced by a host during

a single 30 minute snapshot centered on the seed. Obviously, this graph is very difficult to interpret.

•Fig. 6(b) presents the Host-CG of one of the three clients (red

marker in the center) involved in the malicious activity. Despite being already clearer and understandable with little effort, it still contains some nodes related to ordinary user’s behavior

that are not part of the malicious activity. For instance, HTTPS and POP3 Secure transactions on the TCP layer (light green circles in bottom-right part) are related to mail exchange and login to Google services, while flows over UDP (olive green circles in upper part) are mostly directed to the Skype service.

• Fig. 6(c) corresponds to the final Seed-CG generated by

our system when fusing the Host-CG of three different hosts. It is now much easier to identify the events involved in the suspicious activities. Events highlighted by red edges are those considered malicious by our oracle. The richness of the provided indications stems from the augmented context that we provide about these clients. First, the clients access three URLs (blue hexagons) hosted by three hostnames (orange circles) all of which now become an indication of a suspicious infrastructure. Next, two of the contacted

hostnames (jockesnotliked.comandblueberrymo.com) use the

same IP address (gray diamonds) suggesting for a potential obfuscation by hostname flipping and resources reusage, both common practices among malicious adversaries. The third

hostname (rivergrape.com) is distributed over several mirrors

whose IP addresses belong to very different subnets, a hint of cheap infrastructure or zombies that were previously infected by the malware. Finally, the right side of Fig. 6(c) shows another layer of information indicating multiple failures of DNS queries (purple boxes). This reaffirms our suspiciousness. Apart from providing more context for the malicious activ-ity, our system discovers new malicious objects and improves the flagging consistency of our oracle IDS. For example, the

object bluberrymo.com/ volvo.php is consistently included in

malicious graphs, while the IDS occasionally missed it. Our

system also discovered a new object rivergrape.com/ world.

php, and we confirmed its maliciousness across several other

security tools such as VirusTotal.2

B. Impact of Pattern Filtering

We study the volume of information that Seed-CG creation process extracts from single seeds. Table II shows the average number of nodes included in the final Seed-CGs. Three sets of parameters are reported, from a very selective common pattern

TABLE II. AVERAGE NUMBER OF NODES FOR DIFFERENT TYPES AMONGSEED-CGS WITH∆= 30MIN.

Type c1 c2 c3 Object-path 6.6 14.9 2351.4 Hostname 7.0 16.8 691.5 Server IP 19.9 95.9 3423.0 Dst-port TCP 0.2 0.5 79.9 Dst-port UDP 2.0 27.8 1335.1 DNS error 0.3 2.4 40.4 Total 36.0 158.4 7921.5 c1 ={MinSupport=1, minPopularity=1} c2 ={MinSupport=0.5, minPopularity=1} c3 ={MinSupport=0, minPopularity=0} 0 50 100 150 200 250 1s 5s 10s 30s 1 5 10 15 20 25 30 35 40 45 50 55 60 Number of Nodes

Snapshot Size ∆ [min] Object Path Hostname Server IP TCP_DSTPort UDP_DSTPort DNS failures Total

Fig. 7. Average amount of nodes in Seed-CGs with different snapshot sizes.

filtering such as c1 = {MinSupport=1, minPopularity=1},

which selects only the objects that appear in all snapshots

and for all hosts, to c3 ={MinSupport=0, minPopularity=0},

which instead merges and fuses all patterns independently of

their support and popularity. c2 ={MinSupport=0.5,

minPop-ularity=1}is the suggested default parameter setting. Results clearly show that starting from a single event, the proposed methodology builds graphs with hundreds of nodes. Note how the number of elements grows consistently

when selecting less restrictive thresholds forMinSupportand

minPopularity. The number of elements is indeed very large for c3, where thousands of nodes are included in the CGs. This hurts the amount of information offered to the security analyst (see Fig. 6(a) for instance). c2 offers a good trade-off between descriptiveness and richness of the final CG.

Fig. 7 shows the average number of nodes in Seed-CGs

according to the selected snapshot size, ∆, for the parameter

set c2. As expected, CGs contain only the seed event and few

other nodes when selecting small ∆, e.g., lower than 1 min.

On the other hand, the number of nodes increases with the snapshot size, peaking at more than 200 nodes on average with a 60 min snapshot. Interestingly, the number of object-paths

and hostnames does not increase dramatically with higher∆,

proving the effectiveness of the Common Patterns Mining technique. The only node type showing higher inflation is the Server IP address, owing to malicious activities poking benign infrastructures hosted on Content Delivery Networks (CDNs).

VI. CONNECTIVITYGRAPHEXAMPLES

In the following, we provide some examples of CGs cover-ing several typologies of malware found in our dataset, each presenting different behaviors and network patterns.

A. Cycbot Backdoor Activity

173.194.35.148 173.194.35.18 74.125.232.112 173.194.35.147 173.194.73.104 173.194.35.19 173.194.35.17 173.194.35.146 173.194.35.20 74.125.232.115 74.125.232.113 173.194.73.105 173.194.35.144 173.194.35.180 74.125.232.116 173.194.35.177 173.194.73.99 173.194.35.179 74.125.232.114 173.194.73.147 173.194.35.145 /n09230945.asp cmyip.com whatismyip.com automation.whatismyip.com www.ipaddrs.com / 173.194.73.103 173.194.35.178 173.194.35.176 173.194.73.106 www.google.com 173.194.35.16 23.20.103.142 72.233.89.20 72.233.89.198 72.233.89.199 174.132.254.58 96.9.175.154 72.233.89.197 skteg9pc.phonegamescatalog.com kve9.yourstarportal.com 7n3.phonegamescatalog.com hap0jyqb.remarkreddomas.com mo3go64lg4.remarkreddomas.com 9en−c7u.remarkreddomas.com qe6−x.yourstarportal.com

cdn.adventofdeception.com rqr7h97w.yourstarportal.com

g−eyvim.onlinepdahelpforyou.com qov9w2.remarkreddomas.com lmfsi10.remarkreddomas.com hddqs0−−s.onlinepdahelpforyou.com k−6w7d.onlinepdahelpforyou.com 188.93.212.36 213.239.234.118 208.91.197.7 ow9p.remarkreddomas.com wob320ikut.transfersakkonline.com ecv5ryhdsr.transfersakkonline.com gzsaqw.transfersakkonline.com 204.45.86.130 92.242.132.21 e1rf5q6.transfersakkonline.com 8g285ov.transfersakkonline.com qv0lp22mii.transfersakkonline.com eou2.transfersakkonline.com sbjdzd5dz.transfersakkonline.com 3mgcay8iy.transfersakkonline.com xlnbcn.transfersakkonline.com 6eogoqf5.transfersakkonline.com _{b564ze91.yourstarportal.com} saz1t.transfersakkonline.com kcng4s5p.remarkreddomas.com

9zu51.faststorageonline.com yy2.remarkreddomas.com fyd8mr.remarkreddomas.com 4xwcd0.phonegamescatalog.com 4sna6.remarkreddomas.com bnyxz.yordataarchive.com moae39j4yw.yordataarchive.com iyfo4y6k.phonegamescatalog.com 2gw1z.phonegamescatalog.com 1qlw44pqb9.phonegamescatalog.com 1whqxnpz6c.regremotehelper.com j5fzqqj.yourstarportal.com y1g−.phonegamescatalog.com eafdm.phonegamescatalog.com _{o2sdz9.remarkreddomas.com} ea76fqyb.transfersakkonline.com 11izic.remarkreddomas.com zqoa3vq.remarkreddomas.com 5lu85j.wwwmp3archives.com q079d.yourstarportal.com cj8a.faststorageonline.com

t8jrtt.remarkreddomas.com modh.yordataarchive.com 7inudgej.faststorageonline.com Host_5 Host_6 Host_1 Host_2 Host_4 Host_3

ywkalo.phonegamescatalog.com vpb.phonegamescatalog.com nbfg613d.phonegamescatalog.com 750zbb.phonegamescatalog.com z7q8jm.phonegamescatalog.com h4l8.phonegamescatalog.com ww6e5tf.phonegamescatalog.com ii8bv.remarkreddomas.com isvfpyb0.yordataarchive.com vcgq0e.remarkreddomas.com oag6p.remarkreddomas.com 2a0z92bijs.wwwmp3archives.com _{94gs5b.yourstarportal.com} 96r.remarkreddomas.com i9cp.transfersakkonline.com 28cybg8bda.faststorageonline.com p−pqnlfpz.transfersakkonline.com /logo.png p09p168sq3.transfersakkonline.com c88s50.transfersakkonline.com edq66e5.wwwmp3archives.com cstyinab.transfersakkonline.com −vymjgf5ar.yourstarportal.com c9hkx.transfersakkonline.com zfts−5y9e.yourstarportal.com d2−2qnyhf7.remarkreddomas.com

0ztlo4jnv.yourstarportal.com 0ksr7pre.remarkreddomas.com qvfzc4nbt.remarkreddomas.com

pcxx.remarkreddomas.com

Fig. 8. CG for Cycbot Backdoor Activity backdoor trojan. Notice thefast-flux domain name shuffling (orange circles in lower-left part), and the IP address detection webpages (top-right) to assess victims’ reachability.

Cycbot is a backdoor trojan that allows cyber-criminals to access infected computers remotely. This causes victims’ hosts to be exploited by malicious adversaries for large-scale attacks, and to potential leakages of personal sensitive information.

Fig. 8 shows the CG of the event*/ logo.pngfor which our

oracle raises an alarm. Interestingly, more than 80 hostnames

seem to serve the malicious file logo.png (cloud of orange

circles in Fig. 8). All those hostnames have a third-level domain name exhibiting random strings that are made of both characters and numbers, and are hard to code with regular

expressions. This technique, known asfast-flux, allows

attack-ers to hide malicious infrastructures by generating hostnames that are registered to the DNS and lately removed with a high frequency. This makes the detection harder, circumvents blacklisting, and guarantees a longer reachability to the infras-tructure. Considering only second-level domains, the number of hostnames drops to 10, each presenting an appealing name

acting as a lure for potential victims, e.g., faststorageonline.

com,phonegamescatalog.com,wwwmp3archives.com, etc. The entire set of domain names is hosted on few servers, heading to 5 IP addresses. Those IPs are not organized in a structured CDN and do not belong to the same subnet, suggesting for the usage of infected machines scattered in the network.

The right part of Fig. 8 includes some benign objects. While those may seem false positives, this is not the case. Looking closer at the top of Fig. 8, it is easy to realize that contacted websites host services aimed at the discovery of the public IP address of the host. Such behavior is coherent considering the intent of the malware we are facing. Being a backdoor trojan, the infected client has to be reachable by the

cyber-criminals, but connectivity issues, e.g., hosts behind NATs

Looking at the bottom-right part of the CG, we observe that the malware is checking Internet connectivity by visiting the

www.google.com homepage, another test run by the malware to gather connectivity properties of the victim.

B. Downloader.Dromedian Communication rad.msn.com cantst0pmenever2287.net geta11y4214ouhave.net cantst0pmenever.net /ADSAdClient31.dll Non−Existent Domain 173.194.35.180 173.194.35.176 173.194.35.145 173.194.35.179 173.194.35.147 173.194.35.148 173.194.35.177 208.73.210.29 94.245.117.45 94.245.117.47 173.194.35.146 173.194.35.178 173.194.35.144 cantst0p24menever22.net Host_2 /webhp /run/fox.php www.google.com Host_1

Fig. 9. CG for Downloader.Dromedian Communication trojan horse. Notice the presence of legitimate nodes being contacted by malware.

Downloader.Dromedan is a trojan horse that runs silently on the victim’s host, downloading and putting in execution additional threats. This malware connects to remote malicious infrastructures and C&C networks in order to fetch and execute additional malware and potentially unwanted programs (PUP). In most cases, it causes the redirection of ordinary web surfing traffic to malicious websites through the installation of toolbars in web browsers. Such toolbars force the user to visit certain contents in order to generate profit for malicious attackers.

Fig. 9 shows the CG of the malicious event

cantst0p24menever22.net/ run/ fox.php, which triggers the alarm related to the Downloader.Dromedian in our reference IDS. Two clients are infected and, in addition to the seed

(red arrows), they both connect to www.google.com/ webhp

repeatedly. While the Google webpage is not malicious per se, it is caused to frequently appear due to PUPs related to Conduit search hijacker. Several unwanted toolbars like Delta Search Toolbar, Social Search Toolbar, and Internet Helper Toolbar are related to Conduit search, and cause Google Webhp redirects by hijacking the browser settings. Looking at the top-right part of the CG, infected clients query three hostnames causing an error at the DNS resolver side, owing to the fact that the two exploited hosts try to connect to the remote malicious infrastructure. Our suspiciousness on such event is reinforced by the similarity of the queried hostnames

with the successful one (i.e., cantst0p24menever22.net), and

by the presence of numbers interleaving characters with a random fashion, possibly trying to avoid blacklisting.

C. Mass Injection Website

The Mass Injection Website attack does not target the host of the victim directly, but leverages vulnerabilities of legitimate

www.theuticashale.com 64.202.189.170 /wp−content/themes/spectrum/instal/file.php theuticashale.com themarcellusshale.com 50.63.208.1 www.jlabmag.com /modules/mod_wdbanners/instal/file.php advantageclubrockford.com 184.168.203.1 67.205.50.171 66.147.240.173 hannaoverstock.com www.creativelayer.net 74.220.215.92 69.89.31.198 www.tindellpictures.com thegenieslamp.net 72.167.2.1 208.109.78.122 /test_blog/wp−content/themes/instal/file.php /wp−content/themes/headlines/instal/file.php www.radburnd.com /wp−content/themes/desk−mess−mirrored/instal/file.php www.symzer.com Host_1 /hey/wp−content/themes/instal/file.php 208.109.14.25 Host_2 cuteasabargain.com 72.167.232.149 sotobetawi.com itjustdawnedonme.com 97.74.144.115 173.245.60.16 72.167.3.128 ashishpal.com 173.245.61.81 /wp−content/uploads/instal/file.php bloggasaurus.com Server Failure stecdon.ru 97.74.141.1 enabler−actris.ru /wp−content/instal/file.php pastro.ru Non−Existent Domain

Fig. 10. CG for Mass Injection Website attack. Notice all URLs containing “wp-content”, suggesting for a WordPress vulnerability being exploited my malicious adversaries. Victims are forced in a redirection chain through websites hosting Exploit Kits.

websites to inject malicious scripts and hiddeniframes. In turn,

users visiting compromised websites are victims of a redirec-tion chain that forces them to visit third-party websites hosting Exploit Kits. Such Exploit Kits target potential vulnerabilities at the client side so that once the victim lands on the effective Exploit Kit, her machine gets infected as well.

Fig. 10 shows the network behavior of two hosts being victims of the Mass Injection exploitation. Our oracle

con-siders malicious only the seedbloggasaurus.com/ wp-content/

instal/ file.php but our CG is populated with other URLs all

terminating with /instal/ file.php. Interestingly, many of those

URLs also include the substring wp-content, suggesting for

an exploited vulnerability in the WordPress blogging tool. Our suspiciousness is confirmed by the fact that both victim hosts exhibit the same identical behavior towards all the URLs depicted in the CG. The volume of issued requests is identical, and, considering the contacted URLs in a temporal sequence,

it is possible to clearly spot repeated patterns over time, i.e.,

both hosts visit other URLs in a deterministic way. Moreover, such web pages host different kinds of content, ranging from newscast to music festivals and healthcare. Thus, it is almost impossible that two users visit the same pages, the same number of times, in the same order. This confirms the ongoing automated webscan the user is not aware of.

VII. RELATED WORK

The increased ability of malware to spread and infect computers has led to vast amounts of research attempting to identify malware using the network traffic they generate. The work here presented is related to malware detection through graph-based approaches, and multi-protocol traffic correlation.

Graph-based Malware Detection: In [9], the authors build a bipartite graph consisting of domain names of failed DNS queries and host issuing such queries. The intuition is that host infected by the same malware usually query for the same (or similar) set of domain names. Similarly, [10] proposes to build a relationship graph based on DNS historical data.