1 / 16

Towards Network Containment in Malware Analysis Systems


Presentation Transcript


  1. Towards Network Containment in Malware Analysis Systems Authors: Mariano Graziano, Corrado Leita, Davide Balzarotti Source: Annual Computer Security Applications Conference (2012) Reporter: MinHao Wu

  2. Outline
  • Introduction
  • Malware analysis and containment
  • Protocol inference
  • System overview
  • Evaluation
  • Conclusion

  3. Introduction
  • Dynamic analysis is a useful instrument for the characterization of the behavior of malware.
  • The most popular approach to perform dynamic analysis consists of the deployment of sandboxes.
  • The result of the execution of a malware sample in a sandbox is highly dependent on the sample's interaction with other Internet hosts.
  • The network traffic generated by a malware sample also raises obvious concerns with respect to the containment of the malicious activity.

  4. Malware analysis and containment

  5. Protocol inference

  6. System overview
  • Traffic Collection
    • By running the sample in a sandbox or by using past analyses
  • Endpoint Analysis
    • Cleaning and normalization process
  • Traffic Modeling
    • Model generation (two ways: incremental learning or offline)
  • Traffic Containment
    • Two modes (full or partial containment)

  7. Traffic Collection
  • Running a network sniffer while the sample is running in the sandbox.
  • Several online systems allow users to download
  • In our experiments we limited the malware analysis and the network collection time to five minutes per sample.

  8. Endpoint Analysis
  • Cleaning and normalizing the collected traffic to remove spurious traces and improve the effectiveness of the protocol learning phase.
  • The cleaning phase mainly consists of grouping together traces that exhibit a comparable network behavior.

  9. Traffic Modeling

  10. Containment Phase
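The pipeline in slides 6, 8 and 10 (collect traces, group flows that show comparable network behavior, then decide per flow what the containment layer does with it) is easier to follow on concrete data. The block below is an added example written for this page; it is not the ScriptGen/Mozzie code the paper describes. It assumes a simplified behavior key (protocol, destination port, first payload token, destination host deliberately ignored), a constructed set of three sandbox runs of one sample, an assumed `min_traces` threshold for dropping spurious one-off flows, and assumed semantics for the two modes: modeled behavior is answered by the local emulator, unknown behavior is dropped under full containment and released under partial containment so it can be learned from.

```python
# Added example (not the paper's implementation): endpoint analysis over
# constructed sandbox traces plus a per-flow containment decision.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    trace_id: str    # sandbox run that produced the flow
    proto: str       # "tcp" or "udp"
    dst_host: str    # destination address as seen in the capture
    dst_port: int
    payload: bytes   # first bytes sent by the sample (empty if none)


# Constructed traces (documentation IP ranges, invented payloads): three runs of
# the same sample. The IRC endpoint changes address in every run (fast-flux
# style), the HTTP download happens in two runs, and run r3 has one stray
# TCP/443 connection that never sends data.
TRACES = [
    Flow("r1", "udp", "10.0.0.53", 53, b"\x12\x34\x01\x00"),
    Flow("r1", "tcp", "198.51.100.10", 6667, b"NICK bot123\r\n"),
    Flow("r1", "tcp", "203.0.113.5", 80, b"GET /update.bin HTTP/1.1\r\n"),
    Flow("r2", "udp", "10.0.0.53", 53, b"\x56\x78\x01\x00"),
    Flow("r2", "tcp", "198.51.100.11", 6667, b"NICK bot999\r\n"),
    Flow("r2", "tcp", "203.0.113.6", 80, b"GET /update.bin HTTP/1.1\r\n"),
    Flow("r3", "udp", "10.0.0.53", 53, b"\x9a\xbc\x01\x00"),
    Flow("r3", "tcp", "198.51.100.12", 6667, b"NICK bot555\r\n"),
    Flow("r3", "tcp", "192.0.2.9", 443, b""),
]


def behavior_key(flow):
    """Reduce a flow to the features that identify its network behavior.

    The destination host is dropped on purpose: a fast-flux name resolves to a
    different address in every run, yet the behavior is the same. The payload
    is reduced to its first token (HTTP method, IRC command, ...). This key is
    an assumption of the example, not the paper's feature set.
    """
    if flow.proto == "udp" and flow.dst_port == 53:
        return ("udp", 53, "DNS")
    token = flow.payload.split(None, 1)[0] if flow.payload.strip() else b""
    return (flow.proto, flow.dst_port, token.decode("latin-1").upper())


def group_traces(flows):
    """Cleaning step: group flows by behavior and record, per behavior, the
    runs it appeared in and the endpoints it was seen with."""
    traces = defaultdict(set)
    hosts = defaultdict(set)
    for f in flows:
        k = behavior_key(f)
        traces[k].add(f.trace_id)
        hosts[k].add(f.dst_host)
    return traces, hosts


def build_model(flows, min_traces=2):
    """Keep behaviors seen in at least `min_traces` distinct runs; anything
    rarer is treated as a spurious trace (threshold assumed for the example)."""
    traces, hosts = group_traces(flows)
    return {k: {"traces": sorted(t), "hosts": sorted(hosts[k])}
            for k, t in traces.items() if len(t) >= min_traces}


def contain(flow, model, mode="full"):
    """Containment decision for one new flow leaving the sandbox (assumed
    semantics): modeled behavior goes to the local emulator; unknown behavior
    is dropped in full containment and released in partial containment."""
    if behavior_key(flow) in model:
        return "emulate"
    if mode == "full":
        return "drop"
    if mode == "partial":
        return "release"
    raise ValueError(f"unknown containment mode: {mode!r}")


if __name__ == "__main__":
    model = build_model(TRACES)
    for key, info in sorted(model.items()):
        print(key, "runs:", info["traces"], "hosts:", info["hosts"])
    probe = Flow("r4", "tcp", "198.51.100.99", 6667, b"NICK bot001\r\n")
    print("new IRC flow ->", contain(probe, model))
```

Running the script prints the three behaviors that survive cleaning (DNS, the IRC NICK exchange seen against three different hosts, and the HTTP download) and shows that a fresh IRC connection to a never-seen address is still routed to the emulator, because the model keys on behavior rather than on endpoint.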

  11. EVALUATION
  • All the experiments were performed on an Ubuntu 10.10 machine running ScriptGen, Mozzie, and iptables v1.4.4.
  • To perform the live experiments, we ran all samples in a Cuckoo Sandbox [6] running a Windows XP SP3 virtual machine.

  12. Results of the Offline learning Experiments
  • Fast flux

  13. Results of the Incremental learning Experiments

  14. Tested samples:
  • 2 IRC botnets, 1 HTTP botnet, 4 droppers, 1 ransomware, 1 backdoor and 1 keylogger
  • Required network traces ranging from 4 to 25 (AVG 14)
  • DNS lower bound (6 traces)

  15. CONCLUSIONS
  • The benefits of the large-scale application of similar techniques are significant
  • old malware samples
  • in-depth analyses of samples
