Behavioral Clustering of HTTP-Based Malware and Signature Generation Using Malicious Network Traces
نویسندگان
چکیده
We present a novel network-level behavioral malware clustering system. We focus on analyzing the structural similarities among malicious HTTP traffic traces generated by executing HTTP-based malware. Our work is motivated by the need to provide quality input to algorithms that automatically generate network signatures. Accordingly, we define similarity metrics among HTTP traces and develop our system so that the resulting clusters can yield high-quality malware signatures. We implemented a proof-of-concept version of our network-level malware clustering system and performed experiments with more than 25,000 distinct malware samples. Results from our evaluation, which includes real-world deployment, confirm the effectiveness of the proposed clustering system and show that our approach can aid the process of automatically extracting network signatures for detecting HTTP traffic generated by malware-compromised machines.
منابع مشابه
DyVSoR: dynamic malware detection based on extracting patterns from value sets of registers
To control the exponential growth of malware files, security analysts pursue dynamic approaches that automatically identify and analyze malicious software samples. Obfuscation and polymorphism employed by malwares make it difficult for signature-based systems to detect sophisticated malware files. The dynamic analysis or run-time behavior provides a better technique to identify the threat. In t...
متن کاملScalable fine-grained behavioral clustering of HTTP-based malware
A large number of today’s botnets leverage the HTTP protocol to communicate with their botmasters or perpetrate malicious activities. In this paper, we present a new scalable system for network-level behavioral clustering of HTTP-based malware that aims to efficiently group newly collected malware samples into malware family clusters. The end goal is to obtain malware clusters that can aid the ...
متن کاملFIRMA: Malware Clustering and Network Signature Generation with Mixed Network Behaviors
The ever-increasing number of malware families and polymorphic variants creates a pressing need for automatic tools to cluster the collected malware into families and generate behavioral signatures for their detection. Among these, network traffic is a powerful behavioral signature and network signatures are widely used by network administrators. In this paper we present FIRMA, a tool that give...
متن کاملPavlos Lamprakis Human or malware ? Detection of malicious Web requests
Nowadays covert command and control (C&C) communication channels are built using the HTTP/HTTPS protocol, mainly because it is rarely blocked as well as malicious traffic can hide inside huge amounts of daily benign browsing traffic. This thesis addresses the problem of identifying malicious Web traffic and more specifically, post-infection traffic (C&C communication). We have built a system to...
متن کاملInteractive, Visual-Aided Tools to Analyze Malware Behavior
Malicious software attacks can disrupt information systems, violating security principles of availability, confidentiality and integrity. Attackers use malware to gain control, steal data, keep access and cover traces left on the compromised systems. The dynamic analysis of malware is useful to obtain an execution trace that can be used to assess the extent of an attack, to do incident response...
متن کامل