MADE: Malicious Activity Detection in Enterprises
Enterprises are targeted by various malware activities at a staggering rate. To counteract the increased sophistication of cyber attacks, most enterprises deploy within their perimeter a number of security technologies, including firewalls, anti-virus software, and web proxies, as well as specialized teams of security analysts forming Security Operations Centers (SOCs).
In this paper we address the problem of detecting malicious activity in enterprise networks and prioritizing the detected activities according to their risk. We design a system called MADE (Malicious Activity Detection in Enterprises) using machine learning applied to data extracted from security logs. MADE leverages an extensive set of features for enterprise malicious communication and uses supervised learning in a novel way for prioritization, rather than detection, of enterprise malicious activities. MADE has been deployed in a large enterprise and used by SOC analysts. Over one month, MADE successfully prioritizes the most risky domains contacted by enterprise hosts, achieving a precision of 97% in 100 detected domains, at a very small false positive rate. We also demonstrate MADE's ability to identify new malicious activities (18 out of 100) overlooked by state-of-the-art security technologies.
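To make the prioritization idea concrete, the following added example (illustrative code written for this page, not MADE's own implementation) aggregates per-domain features from a constructed tab-separated proxy log, trains a small supervised scorer on a handful of previously triaged domains, ranks the domains seen in the log by score so an analyst can work the queue from the top, and computes precision@k, the metric behind the abstract's "precision of 97% in 100 detected domains". The log format, the four features (rarity, requests per host, distinct user agents, error fraction), the training labels and the domain names are all assumptions; the real system uses a far larger feature set.

```python
"""Added illustration: proxy-log features, a supervised risk scorer, and
precision@k evaluation of the resulting analyst queue. Not MADE's code; the
log format, feature set, training labels and domains are assumptions."""
from collections import defaultdict
from math import exp, log
from urllib.parse import urlparse

# Constructed proxy log (tab-separated): timestamp, client host, URL, user agent, status.
SAMPLE_LOG = """\
2018-10-01T08:00:01\th1\thttp://www.example.com/\tMozilla/5.0\t200
2018-10-01T08:00:02\th2\thttp://www.example.com/a\tMozilla/5.0\t200
2018-10-01T08:00:03\th3\thttp://www.example.com/b\tMozilla/5.0\t200
2018-10-01T08:00:04\th1\thttp://x7q.badcdn.net/gate.php\tjava/1.8\t404
2018-10-01T08:00:05\th1\thttp://x7q.badcdn.net/gate.php\tjava/1.8\t404
2018-10-01T08:00:06\th2\thttp://news.example.org/\tMozilla/5.0\t200
2018-10-01T08:00:07\th2\thttp://news.example.org/\tChrome/99\t200
"""

FEATURES = ("rarity", "req_per_host", "n_uas", "err_frac")


def extract_features(log_text):
    """Aggregate one feature vector per destination domain.

    rarity: 1 - (hosts contacting the domain / all active hosts), high for a
    domain only one host talks to; req_per_host: request volume per client;
    n_uas: distinct user agents; err_frac: share of non-2xx responses.
    """
    per_domain = defaultdict(lambda: {"hosts": set(), "uas": set(), "req": 0, "err": 0})
    all_hosts = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, host, url, ua, status = line.split("\t")
        d = per_domain[urlparse(url).hostname]
        all_hosts.add(host)
        d["hosts"].add(host)
        d["uas"].add(ua)
        d["req"] += 1
        if not status.startswith("2"):
            d["err"] += 1
    return {
        dom: [1.0 - len(d["hosts"]) / len(all_hosts), d["req"] / len(d["hosts"]),
              float(len(d["uas"])), d["err"] / d["req"]]
        for dom, d in per_domain.items()
    }


def _sigmoid(z):
    z = max(-30.0, min(30.0, z))  # clamp so exp() never overflows
    return 1.0 / (1.0 + exp(-z))


def score(model, x):
    w, b = model
    return _sigmoid(sum(wj * xj for wj, xj in zip(w, x)) + b)


def train_logreg(X, y, lr=0.1, epochs=2000):
    """Logistic regression by batch gradient descent; returns (weights, bias)."""
    w, b = [0.0] * len(X[0]), 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * len(w), 0.0
        for xi, yi in zip(X, y):
            err = score((w, b), xi) - yi
            gw = [g + err * xj for g, xj in zip(gw, xi)]
            gb += err
        w = [wj - lr * g / len(X) for wj, g in zip(w, gw)]
        b -= lr * gb / len(X)
    return w, b


def log_loss(model, X, y):
    eps = 1e-12
    return -sum(yi * log(score(model, xi) + eps) + (1 - yi) * log(1 - score(model, xi) + eps)
                for xi, yi in zip(X, y)) / len(X)


# Constructed training set: feature vectors of domains an analyst already
# triaged (label 1 = malicious). In practice these come from past SOC tickets.
TRAIN_X = [[0.0, 1.0, 1.0, 0.0], [0.1, 1.5, 2.0, 0.0], [0.2, 1.0, 1.0, 0.1],
           [0.9, 4.0, 1.0, 0.8], [0.8, 3.0, 1.0, 0.6], [0.7, 5.0, 1.0, 1.0]]
TRAIN_Y = [0, 0, 0, 1, 1, 1]


def rank_domains(log_text, model):
    """The analyst queue: domains sorted by descending risk score."""
    feats = extract_features(log_text)
    return sorted(feats, key=lambda dom: score(model, feats[dom]), reverse=True)


def precision_at_k(ranked, malicious, k):
    """Fraction of the top-k queue entries that are truly malicious."""
    top = ranked[:k]
    return sum(1 for dom in top if dom in malicious) / len(top)


if __name__ == "__main__":
    model = train_logreg(TRAIN_X, TRAIN_Y)
    feats = extract_features(SAMPLE_LOG)
    for dom in rank_domains(SAMPLE_LOG, model):
        print(f"{score(model, feats[dom]):.3f}  {dom}  {dict(zip(FEATURES, feats[dom]))}")
```

The point of ranking rather than thresholding is that the SOC's budget is a fixed number of investigations per day; precision@k measures exactly what that budget buys, which is why the abstract reports precision over the top 100 rather than a detection rate over all domains.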