Towards Network Containment in Malware Analysis Systems
Authors: Mariano Graziano, Corrado Leita, Davide Balzarotti
Source: Annual Computer Security Applications Conference (2012)
Reporter: MinHao Wu

Outline
◦Introduction
◦Malware analysis and containment
◦Protocol inference
◦System overview
◦Evaluation
◦Conclusion
Introduction
Dynamic analysis is a useful instrument for characterizing the behavior of malware. The most popular approach to dynamic analysis is the deployment of sandboxes.
The result of executing a malware sample in a sandbox is highly dependent on the sample's interaction with other Internet hosts.
The network traffic generated by a malware sample also raises obvious concerns with respect to the containment of the malicious activity.
System overview
Traffic Collection
◦By running the sample in a sandbox or by using past analyses
Endpoint Analysis
◦Cleaning and normalization process
Traffic Modeling
◦Model generation (two ways: incremental learning or offline)
Traffic Containment
◦Two modes (full or partial containment)
Traffic Collection
◦Running a network sniffer while the sample is running in the sandbox.
◦Several online systems allow users to download
◦In our experiments we limited the malware analysis and the network collection time to five minutes per sample.
Endpoint Analysis
◦Cleaning and normalizing the collected traffic to remove spurious traces and improve the effectiveness of the protocol learning phase.
◦The cleaning phase mainly consists in grouping together traces that exhibit a comparable network behavior.
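The four stages of the pipeline (collection, endpoint analysis, modeling, containment) are easier to follow with a toy end-to-end run. The following Python is an added example written for these notes; it is not code from the paper, the presentation, ScriptGen or Mozzie. It makes several simplifying assumptions, each marked in the comments: traces are "comparable" when their samples contacted the same set of endpoints, an endpoint gets a stand-in model once it appears in a minimum number of distinct traces, "full" containment never lets a packet leave the sandbox while "partial" containment lets traffic to endpoints without a model reach the real host, and the iptables layout (a sandbox interface vnet0 and a responder at 10.0.0.2) is hypothetical. All sample identifiers and addresses are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One outbound connection attempt seen in a sandbox trace (constructed, simplified)."""
    sample: str     # hypothetical sample identifier
    dst_ip: str
    dst_port: int
    proto: str      # "tcp" or "udp"


def endpoint_key(flow):
    """An endpoint is identified by destination address, port and transport protocol."""
    return (flow.dst_ip, flow.dst_port, flow.proto)


# Constructed traces for five hypothetical samples; addresses are documentation
# ranges, not data from the paper.
TRACES = [
    Flow("s1", "198.51.100.10", 6667, "tcp"),  # IRC command-and-control
    Flow("s1", "192.0.2.53", 53, "udp"),       # DNS
    Flow("s2", "198.51.100.10", 6667, "tcp"),
    Flow("s2", "192.0.2.53", 53, "udp"),
    Flow("s3", "203.0.113.7", 80, "tcp"),      # HTTP download site
    Flow("s3", "192.0.2.53", 53, "udp"),
    Flow("s4", "203.0.113.7", 80, "tcp"),
    Flow("s4", "192.0.2.53", 53, "udp"),
    Flow("s5", "203.0.113.99", 443, "tcp"),    # contacted by a single sample only
]


def group_traces(traces):
    """Endpoint analysis, simplified: traces are 'comparable' here when their samples
    contacted exactly the same set of endpoints (an assumed criterion, not the paper's)."""
    endpoints_by_sample = defaultdict(set)
    for flow in traces:
        endpoints_by_sample[flow.sample].add(endpoint_key(flow))
    groups = defaultdict(list)
    for sample, endpoints in endpoints_by_sample.items():
        groups[frozenset(endpoints)].append(sample)
    return dict(groups)


def build_models(traces, min_traces=2):
    """Traffic modeling, simplified: an endpoint gets a stand-in model once it appears in
    at least min_traces distinct traces. The threshold plays the role of the number of
    traces the real protocol inference needs before it converges."""
    samples_by_endpoint = defaultdict(set)
    for flow in traces:
        samples_by_endpoint[endpoint_key(flow)].add(flow.sample)
    return {ep for ep, samples in samples_by_endpoint.items() if len(samples) >= min_traces}


def decide(flow, models, mode):
    """Containment decision for one flow of a sample under analysis (assumed semantics)."""
    if endpoint_key(flow) in models:
        return "emulate"          # answered locally from the learned model
    if mode == "full":
        return "drop"             # no model, and nothing may leave the sandbox
    if mode == "partial":
        return "allow"            # no model: let the real endpoint answer
    raise ValueError(f"unknown containment mode: {mode}")


def contain(traces, models, mode):
    """Map every endpoint contacted in traces to its containment decision."""
    return {endpoint_key(flow): decide(flow, models, mode) for flow in traces}


def iptables_rules(models, mode, sandbox_if="vnet0", responder_ip="10.0.0.2"):
    """Render the decisions as iptables rules. Assumed layout: the sandbox VM's traffic
    enters the host on sandbox_if and the emulated responder listens on responder_ip."""
    rules = [
        f"iptables -t nat -A PREROUTING -i {sandbox_if} -p {proto} -d {ip} --dport {port} "
        f"-j DNAT --to-destination {responder_ip}:{port}"
        for ip, port, proto in sorted(models)
    ]
    if mode == "full":
        # DNAT runs before FORWARD, so after redirection only unmodelled traffic
        # still carries a foreign destination; drop it.
        rules.append(f"iptables -A FORWARD -i {sandbox_if} ! -d {responder_ip} -j DROP")
    return rules


# Flows of a new sample whose analysis is being contained (constructed).
NEW_SAMPLE = [
    Flow("new", "198.51.100.10", 6667, "tcp"),
    Flow("new", "192.0.2.53", 53, "udp"),
    Flow("new", "203.0.113.99", 443, "tcp"),
]

if __name__ == "__main__":
    learned = build_models(TRACES)
    for containment_mode in ("full", "partial"):
        print(containment_mode, contain(NEW_SAMPLE, learned, containment_mode))
        print("\n".join(iptables_rules(learned, containment_mode)))
```

Running it shows the difference between the two modes on the one endpoint that has no model (203.0.113.99:443): full containment drops it, partial containment lets it out, while the IRC and DNS endpoints are redirected to the responder in both modes. The min_traces threshold is the knob that corresponds to the trace counts reported in the evaluation: the more traces a protocol needs before its model is usable, the longer an endpoint stays in the "no model" state.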
Evaluation
All the experiments were performed on:
◦An Ubuntu 10.10 machine running ScriptGen, Mozzie, and iptables v1.4.4.
◦To perform the live experiments, we ran all samples in a Cuckoo Sandbox [6] running a Windows XP SP3 virtual machine.
Results of the Offline Learning Experiments
Fast flux
◦Tested samples: 2 IRC botnets, 1 HTTP botnet, 4 droppers, 1 ransomware, 1 backdoor and 1 keylogger
◦Required network traces ranging from 4 to 25 (avg 14)
◦DNS lower bound (6 traces)