Presentation is loading. Please wait.

Presentation is loading. Please wait.

Towards Network Containment in Malware Analysis Systems Authors: Mariano Graziano, Corrado Leita, Davide Balzarotti Source: Annual Computer Security Applications.

Published byAnis Lee Modified over 8 years ago

Similar presentations

Presentation on theme: "Towards Network Containment in Malware Analysis Systems Authors: Mariano Graziano, Corrado Leita, Davide Balzarotti Source: Annual Computer Security Applications."— Presentation transcript:

1 Towards Network Containment in Malware Analysis Systems Authors: Mariano Graziano, Corrado Leita, Davide Balzarotti Source: Annual Computer Security Applications Conference (2012) Reporter: MinHao Wu

2 Outline Introduction Malware analysis and containment Protocol inference System overview Evaluation Conclusion

3 Introduction Dynamic analysis is a useful instrument for the characterization of the behavior of malware. The most popular approach to perform dynamic analysis consists in the deployment of sandboxes The result of the execution of a malware sample in a sandbox is highly dependent on the sample interaction with other Internet hosts. The network traffic generated by a malware sample also raises obvious concerns with respect to the containment of the malicious activity.

4 Malware analysis and containment

5 Protocol inference

6 System overview Traffic Collection ◦ By running the sample in a sandbox or by using past analyses Endpoint Analysis ◦ Cleaning and normalization process Traffic Modeling ◦ Model generation (two ways: incremental learning or offline) Traffic Containment ◦ Two modes (Full or partial containment)

7 Traffic Collection running a network sniffer while the sample is running in the sandbox. several online systems allow users to download in our experiments we limited the malware analysis and the network collection time to five minutes per sample.

8 Endpoint Analysis cleaning and normalizing the collected traffic to remove spurious traces and improve the effectiveness of the protocol learning phase the cleaning phase mainly consists in grouping together traces that exhibit a comparable network behavior

9 Traffic Modeling

10 Containment Phase

11

12 EVALUATION All the experiments were performed on an ◦ Ubuntu 10.10 machine running ScriptGen, Mozzie, and iptables v1.4.4. ◦ To perform the live experiments, we ran all samples in a Cuckoo Sandbox [6] running a Windows XP SP3 virtual machine.

13 Results of the Offline learning Experiments Fast flus

14 Results of the Incremental learning Experiments

15 Tested samples: ◦ 2 IRC botnets, 1 HTTP botnet, 4 droppers, 1 ransomware, 1 backdoor and 1 keylogger Required network traces ranging from 4 to 25 (AVG 14) DNS lower bound (6 traces)

16 CONCLUSIONS The benefits of the large-scale application of similar techniques are significant ◦ old malware samples ◦ in-depth analyses of samples

Download ppt "Towards Network Containment in Malware Analysis Systems Authors: Mariano Graziano, Corrado Leita, Davide Balzarotti Source: Annual Computer Security Applications."

Similar presentations

Analyzing DNS Activities of Bot Processes Dr. Jose Andre Morales Areej Al-Bataineh Dr. Shouhuai Xu Dr.Ravi Sandhu 4th International Conference on Malicious.

Analyzing DNS Activities of Bot Processes Dr. Jose Andre Morales Areej Al-Bataineh Dr. Shouhuai Xu Dr.Ravi Sandhu 4th International Conference on Malicious.
Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.

Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.
The testbed environment for this research to generate real-world Skype behaviors for analyzation is as follows: A NAT-ed LAN consisting of 7 machines running.

The testbed environment for this research to generate real-world Skype behaviors for analyzation is as follows: A NAT-ed LAN consisting of 7 machines running.
BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.
BOTNETS/Cyber Criminals  How do we stop Cyber Criminals.

BOTNETS/Cyber Criminals  How do we stop Cyber Criminals.
Self-Correlating Predictive Information Tracking for Large-Scale Production Systems Zhao, Tan, Gong, Gu, Wambolt Presented by: Andrew Hahn.

Self-Correlating Predictive Information Tracking for Large-Scale Production Systems Zhao, Tan, Gong, Gu, Wambolt Presented by: Andrew Hahn.
1 Understanding Botnet Phenomenon MITP 458 - Kevin Lynch, Will Fiedler, Navin Johri, Sam Annor, Alex Roussev.

1 Understanding Botnet Phenomenon MITP Kevin Lynch, Will Fiedler, Navin Johri, Sam Annor, Alex Roussev.
Ragib Hasan Johns Hopkins University en.600.412 Spring 2011 Lecture 10 04/18/2011 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2011 Lecture 10 04/18/2011 Security and Privacy in Cloud Computing.
Detecting Botnets Using Hidden Markov Models on Network Traces Wade Gobel Bio-Grid, Summer 2008.

Detecting Botnets Using Hidden Markov Models on Network Traces Wade Gobel Bio-Grid, Summer 2008.
Inferring the Topology and Traffic Load of Parallel Programs in a VM environment Ashish Gupta Resource Virtualization Winter Quarter Project.

Inferring the Topology and Traffic Load of Parallel Programs in a VM environment Ashish Gupta Resource Virtualization Winter Quarter Project.
School of Computer Science and Information Systems

School of Computer Science and Information Systems
Load Analysis and Prediction for Responsive Interactive Applications Peter A. Dinda David R. O’Hallaron Carnegie Mellon University.

Load Analysis and Prediction for Responsive Interactive Applications Peter A. Dinda David R. O’Hallaron Carnegie Mellon University.
Inferring the Topology and Traffic Load of Parallel Programs in a VM environment Ashish Gupta Peter Dinda Department of Computer Science Northwestern University.

Inferring the Topology and Traffic Load of Parallel Programs in a VM environment Ashish Gupta Peter Dinda Department of Computer Science Northwestern University.
Licentiate Seminar: On Measurement and Analysis of Internet Backbone Traffic Wolfgang John Department of Computer Science and Engineering Chalmers University.

Licentiate Seminar: On Measurement and Analysis of Internet Backbone Traffic Wolfgang John Department of Computer Science and Engineering Chalmers University.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 11 Managing and Monitoring a Windows Server 2008 Network.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 11 Managing and Monitoring a Windows Server 2008 Network.
Internet Safety for Students Malicious Programs By: Mr. Bradshaw Scott City R-1 Schools.

Internet Safety for Students Malicious Programs By: Mr. Bradshaw Scott City R-1 Schools.
Internet Relay Chat Chandrea Dungy Derek Garrett #29.

Internet Relay Chat Chandrea Dungy Derek Garrett #29.
2009/9/151 Rishi : Identify Bot Contaminated Hosts By IRC Nickname Evaluation Reporter : Fong-Ruei, Li Machine Learning and Bioinformatics Lab In Proceedings.

2009/9/151 Rishi : Identify Bot Contaminated Hosts By IRC Nickname Evaluation Reporter : Fong-Ruei, Li Machine Learning and Bioinformatics Lab In Proceedings.
1. Introduction The underground Internet economy Web-based malware The system analyzing the post-infection network behavior of web-based malware How do.

1. Introduction The underground Internet economy Web-based malware The system analyzing the post-infection network behavior of web-based malware How do.
Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology USENIX Security '08 Presented by Lei Wu.

Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology USENIX Security '08 Presented by Lei Wu.

Similar presentations

Ads by Google