Towards Network Containment in Malware Analysis Systems Authors: Mariano Graziano, Corrado Leita, Davide Balzarotti Source: Annual Computer Security Applications.

Slides:

Advertisements

Similar presentations

Analyzing DNS Activities of Bot Processes Dr. Jose Andre Morales Areej Al-Bataineh Dr. Shouhuai Xu Dr.Ravi Sandhu 4th International Conference on Malicious.

Advertisements

Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.

The testbed environment for this research to generate real-world Skype behaviors for analyzation is as follows: A NAT-ed LAN consisting of 7 machines running.

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

BOTNETS/Cyber Criminals  How do we stop Cyber Criminals.

Self-Correlating Predictive Information Tracking for Large-Scale Production Systems Zhao, Tan, Gong, Gu, Wambolt Presented by: Andrew Hahn.

1 Understanding Botnet Phenomenon MITP Kevin Lynch, Will Fiedler, Navin Johri, Sam Annor, Alex Roussev.

Ragib Hasan Johns Hopkins University en Spring 2011 Lecture 10 04/18/2011 Security and Privacy in Cloud Computing.

Detecting Botnets Using Hidden Markov Models on Network Traces Wade Gobel Bio-Grid, Summer 2008.

Inferring the Topology and Traffic Load of Parallel Programs in a VM environment Ashish Gupta Resource Virtualization Winter Quarter Project.

School of Computer Science and Information Systems

Load Analysis and Prediction for Responsive Interactive Applications Peter A. Dinda David R. O’Hallaron Carnegie Mellon University.

Inferring the Topology and Traffic Load of Parallel Programs in a VM environment Ashish Gupta Peter Dinda Department of Computer Science Northwestern University.

Licentiate Seminar: On Measurement and Analysis of Internet Backbone Traffic Wolfgang John Department of Computer Science and Engineering Chalmers University.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 11 Managing and Monitoring a Windows Server 2008 Network.

Internet Safety for Students Malicious Programs By: Mr. Bradshaw Scott City R-1 Schools.

Internet Relay Chat Chandrea Dungy Derek Garrett #29.

2009/9/151 Rishi : Identify Bot Contaminated Hosts By IRC Nickname Evaluation Reporter : Fong-Ruei, Li Machine Learning and Bioinformatics Lab In Proceedings.

1. Introduction The underground Internet economy Web-based malware The system analyzing the post-infection network behavior of web-based malware How do.

Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology USENIX Security '08 Presented by Lei Wu.

Automated malware classification based on network behavior

China Science & Technology Network Computer Emergency Response Team Botnet Detection and Network Security Alert Tao JING CSTCERT,CNIC.

Presentation by Kathleen Stoeckle All Your iFRAMEs Point to Us 17th USENIX Security Symposium (Security'08), San Jose, CA, 2008 Google Technical Report.

Introduction to Honeypot, Botnet, and Security Measurement

Niels Provos and Panayiotis Mavrommatis Google Google Inc. Moheeb Abu Rajab and Fabian Monrose Johns Hopkins University 17 th USENIX Security Symposium.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.

BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection Guofei Gu, Roberto Perdisci, Junjie Zhang, and.

Speaker:Chiang Hong-Ren Botnet Detection by Monitoring Group Activities in DNS Traffic.

Behavior-based Spyware Detection By Engin Kirda and Christopher Kruegel Secure Systems Lab Technical University Vienna Greg Banks, Giovanni Vigna, and.

K. Liu, Q. Huang, J. Xia, Z. Li, P. Lostritto, Chapter 4 How to use cloud computing?, In Spatial Cloud Computing: a practical approach, edited by.

A Multifaceted Approach to Understanding the Botnet Phenomenon Authors : Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, Andreas Terzis Computer Science.

1 Impact of IT Monoculture on Behavioral End Host Intrusion Detection Dhiman Barman, UC Riverside/Juniper Jaideep Chandrashekar, Intel Research Nina Taft,

Malware Analysis Jaimin Shah & Krunal Patel Vishal Patel & Shreyas Patel Georgia Institute of Technology School of Electrical and Computer Engineering.

AccessMiner Using System- Centric Models for Malware Protection Andrea Lanzi, Davide Balzarotti, Christopher Kruegel, Mihai Christodorescu and Engin Kirda.

Automated Classification and Analysis of Internet Malware M. Bailey J. Oberheide J. Andersen Z. M. Mao F. Jahanian J. Nazario RAID 2007 Presented by Mike.

Automatically Generating Models for Botnet Detection Presenter: 葉倚任 Authors: Peter Wurzinger, Leyla Bilge, Thorsten Holz, Jan Goebel, Christopher Kruegel,

Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.

A MULTIFACETED APPROACH TO UNDERSTANDING THE BOTNET PHENOMENON Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose & Andreas Terzis IMC’06.

Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin In First Workshop on Hot Topics in Understanding Botnets,

Malware Dynamic Analysis Veronica Kovah vkovah.ost at gmail See notes for citation1

Dealing with Malware By: Brandon Payne Image source: TechTips.com.

Presented by: Reem Alshahrani. Outlines What is Virtualization Virtual environment components Advantages Security Challenges in virtualized environments.

CHAPTER 9 Sniffing.

Published: Internet Measurement Conference (IMC) 2006 Presented by Wei-Cheng Xiao 2015/11/221.

Web Botnet Detection Based on Flow Information Chia-Mei Chen, Ya-Hui Ou, and Yu-Chou Tsai, National Sun Yat –Sen University,IEEE 2010.

Unconstrained Endpoint Profiling Googling the Internet Ionut Trestian, Supranamaya Ranjan, Alekandar Kuzmanovic, Antonio Nucci Reviewed by Lee Young Soo.

Exploiting Temporal Persistence to Detect Covert Botnet Channels Authors: Frederic Giroire, Jaideep Chandrashekar, Nina Taft… RAID 2009 Reporter: Jing.

Mastering Windows Network Forensics and Investigation Chapter 10: Introduction to Malware.

CISC Machine Learning for Solving Systems Problems Presented by: Satyajeet Dept of Computer & Information Sciences University of Delaware Automatic.

2012 IEEE/IPSJ 12 th International Symposium on Applications and the Internet 陳盈妤 1/10.

Copyright © 2011, A Behavior-based Methodology for Malware Detection Student: Hsun-Yi Tsai Advisor: Dr. Kuo-Chen Wang 2012/04/30.

Free, online, technical courses Take a free online course. Microsoft Virtual Academy.

BotCop: An Online Botnet Traffic Classifier 鍾錫山 Jan. 4, 2010.

Speaker:Chiang Hong-Ren An Investigation and Implementation of Botnet Detection Schemes.

Speaker: Hom-Jay Hom Date:2009/10/20 Botnet Research Survey Zhaosheng Zhu. et al July 28-August

Real-Time Botnet Command and Control Characterization at the Host Level JHEN-HUANG Gao.

2009/6/221 BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure- Independent Botnet Detection Reporter : Fong-Ruei, Li Machine.

1 Welcome to Designing a Microsoft Windows 2000 Network Infrastructure.

SEMINAR - SCALABLE, BEHAVIOR-BASED MALWARE CLUSTERING GUIDES : BOJAN KOLOSNJAJI, MOHAMMAD REZA NOROUZIAN, GEORGE WEBSTER PRESENTER RAMAKANT AGRAWAL.

Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna Proceedings.

Using Honeypots to Improve Network Security Dr. Saleh Ibrahim Almotairi Research and Development Centre National Information Centre - Ministry of Interior.

JAVA PROGRAMMING Buzzwords. Simple: Less complex syntax than C++ Not as easy to design as Visual Basic Small size of interpreter.

Understand IPv6 Part 2 LESSON 3.3_B Networking Fundamentals.

Botnets A collection of compromised machines

Speaker : YUN–KUAN,CHANG Date : 2009/11/17

Protecting your mobile devices away from virus by a cloud-based approach Wei Wu.

BotCatch: A Behavior and Signature Correlated Bot Detection Approach

Botnets A collection of compromised machines

Chapter 2. Malware Analysis in VMs

Network Profiler: Towards Automatic Fingerprinting of Android Apps

Presentation transcript:

Towards Network Containment in Malware Analysis Systems Authors: Mariano Graziano, Corrado Leita, Davide Balzarotti Source: Annual Computer Security Applications Conference (2012) Reporter: MinHao Wu

Outline Introduction Malware analysis and containment Protocol inference System overview Evaluation Conclusion

Introduction Dynamic analysis is a useful instrument for the characterization of the behavior of malware. The most popular approach to perform dynamic analysis consists in the deployment of sandboxes The result of the execution of a malware sample in a sandbox is highly dependent on the sample interaction with other Internet hosts. The network traffic generated by a malware sample also raises obvious concerns with respect to the containment of the malicious activity.

Malware analysis and containment

Protocol inference

System overview Traffic Collection ◦ By running the sample in a sandbox or by using past analyses Endpoint Analysis ◦ Cleaning and normalization process Traffic Modeling ◦ Model generation (two ways: incremental learning or offline) Traffic Containment ◦ Two modes (Full or partial containment)

Traffic Collection running a network sniffer while the sample is running in the sandbox. several online systems allow users to download in our experiments we limited the malware analysis and the network collection time to five minutes per sample.

Endpoint Analysis cleaning and normalizing the collected traffic to remove spurious traces and improve the effectiveness of the protocol learning phase the cleaning phase mainly consists in grouping together traces that exhibit a comparable network behavior

Traffic Modeling

Containment Phase

EVALUATION All the experiments were performed on an ◦ Ubuntu machine running ScriptGen, Mozzie, and iptables v ◦ To perform the live experiments, we ran all samples in a Cuckoo Sandbox [6] running a Windows XP SP3 virtual machine.

Results of the Offline learning Experiments Fast flus

Results of the Incremental learning Experiments

Tested samples: ◦ 2 IRC botnets, 1 HTTP botnet, 4 droppers, 1 ransomware, 1 backdoor and 1 keylogger Required network traces ranging from 4 to 25 (AVG 14) DNS lower bound (6 traces)

CONCLUSIONS The benefits of the large-scale application of similar techniques are significant ◦ old malware samples ◦ in-depth analyses of samples