Towards Network Containment in Malware Analysis Systems

Authors: Mariano Graziano, Corrado Leita, Davide Balzarotti
Source: Annual Computer Security Applications Conference (2012)
Reporter: MinHao Wu


Page 1: Towards Network Containment in Malware Analysis Systems


Page 2: Outline

Introduction
Malware analysis and containment
Protocol inference
System overview
Evaluation
Conclusion

Page 3: Introduction

Dynamic analysis is a useful instrument for the characterization of the behavior of malware.

The most popular approach to perform dynamic analysis consists in the deployment of sandboxes.

The result of the execution of a malware sample in a sandbox is highly dependent on the sample's interaction with other Internet hosts.

The network traffic generated by a malware sample also raises obvious concerns with respect to the containment of the malicious activity.

Page 4: Malware analysis and containment

Page 5: Protocol inference

Page 6: System overview

Traffic Collection
◦ By running the sample in a sandbox or by using past analyses

Endpoint Analysis
◦ Cleaning and normalization process

Traffic Modeling
◦ Model generation (two ways: incremental learning or offline)

Traffic Containment
◦ Two modes (full or partial containment)

Page 7: Traffic Collection

Running a network sniffer while the sample is running in the sandbox.

Several online systems allow users to download

In our experiments we limited the malware analysis and the network collection time to five minutes per sample.

Page 8: Endpoint Analysis

Cleaning and normalizing the collected traffic to remove spurious traces and improve the effectiveness of the protocol learning phase.

The cleaning phase mainly consists in grouping together traces that exhibit a comparable network behavior.
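The following is an added example, not code from the slides, the paper, or the ScriptGen/Mozzie tools the authors build on. It walks the four phases of Pages 6 to 8 over a handful of constructed traces: cleaning out background noise and normalizing endpoints, grouping traces with comparable behavior, learning a request/response model from the group (once per trace, i.e. incrementally), and then taking the containment decision for a new outbound request in full or partial mode. Everything specific in it is an assumption made for illustration: the noise-port set, grouping by destination-port set, the one-token request key with a single templated argument, and the full/partial semantics (a request the model can answer is served locally in both modes; an uncovered request is dropped under full containment and forwarded to the real host under partial containment). The `traces_needed` helper counts how many traces the incremental model consumes before it can answer a whole unseen trace, which is the "required network traces" figure reported on Page 15.

```python
# Added example for Pages 6-8 (not the paper's code, nor ScriptGen/Mozzie).
# Noise ports, grouping rule, request key and full/partial semantics are
# simplifying assumptions chosen for illustration only.
from collections import Counter, defaultdict

# Traffic Collection stand-in. One trace = the flows sniffed while one sample
# ran; each flow is (destination host, port, request bytes, response bytes).
# Constructed for this example, not real captures.
TRACES = [
    [  # run 1: IRC bot plus sandbox background noise (SSDP)
        ("IRC.Example.TEST", 6667, b"NICK bot-a1\r\n", b":srv 001 bot-a1 :Welcome\r\n"),
        ("IRC.Example.TEST", 6667, b"JOIN #c2\r\n", b":bot-a1 JOIN #c2\r\n"),
        ("239.255.255.250", 1900, b"M-SEARCH * HTTP/1.1\r\n", b""),
    ],
    [  # run 2: same bot, different nick, one extra command
        ("irc.example.test", 6667, b"NICK bot-f7\r\n", b":srv 001 bot-f7 :Welcome\r\n"),
        ("irc.example.test", 6667, b"JOIN #c2\r\n", b":bot-f7 JOIN #c2\r\n"),
        ("irc.example.test", 6667, b"PRIVMSG #c2 :alive\r\n", b""),
    ],
    [  # run 3: HTTP dropper
        ("dl.example.test", 80, b"GET /p.exe HTTP/1.1\r\n", b"HTTP/1.1 200 OK\r\n\r\nMZ..."),
        ("239.255.255.250", 1900, b"M-SEARCH * HTTP/1.1\r\n", b""),
    ],
    [  # run 4: the IRC bot once more
        ("irc.example.test", 6667, b"NICK bot-9z\r\n", b":srv 001 bot-9z :Welcome\r\n"),
        ("irc.example.test", 6667, b"JOIN #c2\r\n", b":bot-9z JOIN #c2\r\n"),
        ("irc.example.test", 6667, b"PRIVMSG #c2 :alive\r\n", b""),
    ],
]

# Endpoint Analysis: drop spurious OS background flows and normalize host names.
NOISE_PORTS = {137, 138, 1900}  # NetBIOS and SSDP; assumed noise set

def normalize(trace):
    return [(host.lower(), port, req, resp)
            for host, port, req, resp in trace if port not in NOISE_PORTS]

def group_traces(traces):
    """Group traces with comparable behaviour; the key here is just the set of
    destination ports left after cleaning (a crude stand-in for the paper's grouping)."""
    groups = defaultdict(list)
    for trace in traces:
        cleaned = normalize(trace)
        groups[frozenset(port for _, port, _, _ in cleaned)].append(cleaned)
    return groups

# Traffic Modeling: request -> response table keyed on (port, first request token),
# with the second token treated as one variable field. Stand-in for the protocol
# state machines ScriptGen infers; incremental learning = learn() per new trace.
class ProtocolModel:
    def __init__(self):
        self.table = defaultdict(Counter)  # (port, cmd) -> Counter of response templates

    @staticmethod
    def _key(req):
        toks = req.split()
        if not toks:
            return None, b""
        return toks[0], (toks[1] if len(toks) > 1 else b"")

    def learn(self, trace):
        for _, port, req, resp in trace:
            cmd, arg = self._key(req)
            if cmd is None:
                continue
            template = resp.replace(arg, b"{ARG}") if arg and arg in resp else resp
            self.table[(port, cmd)][template] += 1

    def respond(self, port, req):
        cmd, arg = self._key(req)
        if (port, cmd) not in self.table:
            return None  # protocol or state not covered by the model
        template = self.table[(port, cmd)].most_common(1)[0][0]
        return template.replace(b"{ARG}", arg)

def build_models(traces):
    models = {}
    for key, group in group_traces(traces).items():
        model = ProtocolModel()
        for trace in group:
            model.learn(trace)
        models[key] = model
    return models

# Traffic Containment: decision for one outbound request from the sandbox.
# Assumed semantics: answerable requests are emulated in both modes; uncovered
# ones are dropped under full containment and forwarded under partial containment.
FULL, PARTIAL = "full", "partial"

def contain(model, mode, port, req):
    resp = model.respond(port, req)
    if resp is not None:
        return ("EMULATE", resp)
    return ("DROP", None) if mode == FULL else ("FORWARD", None)

def traces_needed(group):
    """Incremental learning: traces consumed before the model can answer every
    request of the next unseen trace (the 'required network traces' on Page 15)."""
    model = ProtocolModel()
    for i, trace in enumerate(group):
        if i and all(model.respond(p, r) is not None for _, p, r, _ in trace):
            return i
        model.learn(trace)
    return None  # never converged on the available traces
```

In the real system the model is the ScriptGen/Mozzie protocol state machine and the redirection of sandbox traffic is enforced with iptables on the analysis host (Page 12); the table above replaces both with the smallest thing that still shows the three outcomes a containment decision can have, and why partial mode leaks the requests the model has not yet learned.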

Page 9: Traffic Modeling

Page 10: Containment Phase

Page 11: (no text captured from this slide)

Page 12: Evaluation

All the experiments were performed on:
◦ An Ubuntu 10.10 machine running ScriptGen, Mozzie, and iptables v1.4.4.
◦ To perform the live experiments, we ran all samples in a Cuckoo Sandbox [6] running a Windows XP SP3 virtual machine.

Page 13: Results of the Offline learning Experiments

Fast flux (the only label surviving from the results figure on this slide)

Page 14: Results of the Incremental learning Experiments

Page 15: Tested samples

◦ 2 IRC botnets, 1 HTTP botnet, 4 droppers, 1 ransomware, 1 backdoor and 1 keylogger

Required network traces ranging from 4 to 25 (average 14)

DNS lower bound (6 traces)

Page 16: Conclusions

The benefits of the large-scale application of similar techniques are significant
◦ old malware samples
◦ in-depth analyses of samples