Detecting Stealthy Malware Using Behavioral Features in Network Traffic
Abstract
It is clearly in the interest of network administrators to detect hosts within their networks that have been infiltrated by stealthy malware. Infected hosts (also called bots) can exfiltrate sensitive data to adversaries, or lie in wait for commands from a bot-master to forward spam, launch denial-of-service attacks, or host phishing sites, for example. Unfortunately, such hosts are difficult to detect, since their activities are subtle and do not disrupt the network. In this thesis, we hypothesize that malware-infected hosts share characteristics in their network behaviors that are distinct from those of benign hosts. Our approach works by aggregating “similar” network traffic involving multiple hosts. We identify key characteristics that capture basic properties of botnet operation, and that can be observed even within coarse network traffic summaries, i.e., flow records. Using network traffic collected at the edge routers of the Carnegie Mellon University campus network, and network traffic generated from real bot instances in virtual machines and honeynets running in the wild, we demonstrate that this approach can reliably detect infected hosts with very few false positives. In addition to identifying relevant behavioral features within hosts’ network activities, another contribution of this thesis is the development of efficient algorithms for analyzing network traffic. Our algorithms draw on methods from diverse areas, including statistics, data mining, machine learning, and metric embeddings. We also introduce a technique to passively infer the application implementation on a host given only anonymized traffic summaries. This technique enables us to detect malware that is browser-dependent, and can also be applied to improve the accuracy of traffic deanonymization, i.e., identifying the web sites in anonymized flow records. To complement the empirical analyses, we apply analytical models from network theory to study peer-to-peer botnets.
We focus on a structural property of networks (assortative mixing), which characterizes the tendency for edges to exist between “similar” nodes, and examine its effect on network resiliency and on the network’s ability to recover after a fraction of the nodes are removed. We show that previous works may have over-estimated the power of certain botnet takedown strategies, and identify an alternative strategy that is more effective than those explored previously.
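The abstract describes aggregating “similar” traffic across multiple hosts using only flow records. The following is an added example, not code or data from the thesis: it reads constructed flow records, marks a (host, destination) pair as beaconing when both its inter-flow gaps and its request sizes have a low coefficient of variation, groups beaconing hosts by destination, and reports groups of at least MIN_GROUP hosts. The thresholds, the baseline of destinations with established periodic traffic, and every flow below are assumptions made for illustration; the example also shows why a single feature is not enough, since two hosts polling a mail server at a fixed interval aggregate exactly like bots until the baseline filters them out.

```python
"""Aggregate flow records into groups of hosts that beacon to the same
destination with low-variance timing and request sizes.

Added example, not the thesis's own code or data. Thresholds, the
baseline of known destinations and all flow records are constructed."""
from collections import defaultdict
from statistics import mean, pstdev


def _beacons(src, dst, dport, t0, gaps, sizes):
    """Build flow tuples (src, dst, dport, start_time_s, bytes_out)."""
    flows, t = [], t0
    for gap, size in zip([0] + gaps, sizes):
        t += gap
        flows.append((src, dst, dport, t, size))
    return flows


# Constructed traffic: three hosts beacon to 203.0.113.5 about every 60 s with
# ~310-byte requests (bot-like); everyone browses 198.51.100.x with irregular
# timing and sizes; two hosts poll a mail server every 300 s (benign, periodic).
BOT_GAPS = [60, 61, 59, 60, 62, 58, 60, 60]
BOT_SIZES = [310, 312, 308, 311, 309, 310, 313, 307, 310]
WEB_GAPS = [7, 88, 25, 180, 2, 108]
WEB_SIZES = [1200, 540, 8800, 300, 2200, 690, 15000]
MAIL_GAPS = [300] * 6
MAIL_SIZES = [420] * 7

FLOWS = (
    _beacons("10.0.0.11", "203.0.113.5", 443, 5, BOT_GAPS, BOT_SIZES)
    + _beacons("10.0.0.12", "203.0.113.5", 443, 17, BOT_GAPS, BOT_SIZES)
    + _beacons("10.0.0.13", "203.0.113.5", 443, 41, BOT_GAPS, BOT_SIZES)
    + _beacons("10.0.0.11", "198.51.100.7", 80, 0, WEB_GAPS, WEB_SIZES)
    + _beacons("10.0.0.21", "198.51.100.7", 80, 3, WEB_GAPS, WEB_SIZES)
    + _beacons("10.0.0.22", "198.51.100.7", 80, 9, WEB_GAPS, WEB_SIZES)
    + _beacons("10.0.0.23", "198.51.100.9", 443, 2, WEB_GAPS, WEB_SIZES)
    + _beacons("10.0.0.21", "192.0.2.25", 993, 0, MAIL_GAPS, MAIL_SIZES)
    + _beacons("10.0.0.22", "192.0.2.25", 993, 12, MAIL_GAPS, MAIL_SIZES)
)

# Destinations with established recurring traffic in an earlier window
# (constructed baseline); periodic contact with them is expected.
BASELINE_DESTINATIONS = {"192.0.2.25"}

MAX_CV = 0.2    # coefficient of variation at or below which timing/size is "regular"
MIN_FLOWS = 5   # fewer flows than this and periodicity is not assessed
MIN_GROUP = 2   # hosts that must share the behaviour before a group is reported


def cv(values):
    """Coefficient of variation (population std dev / mean)."""
    m = mean(values)
    return pstdev(values) / m if m else float("inf")


def beaconing_pairs(flows):
    """Return {(src, dst): (cv_gap, cv_size)} for pairs that look periodic."""
    by_pair = defaultdict(list)
    for src, dst, _dport, t, size in flows:
        by_pair[(src, dst)].append((t, size))
    result = {}
    for pair, recs in by_pair.items():
        if len(recs) < MIN_FLOWS:
            continue
        recs.sort()
        gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        sizes = [size for _t, size in recs]
        cg, cs = cv(gaps), cv(sizes)
        if cg <= MAX_CV and cs <= MAX_CV:
            result[pair] = (cg, cs)
    return result


def aggregate(flows, baseline=BASELINE_DESTINATIONS):
    """Group beaconing hosts by destination; return {dst: sorted hosts}."""
    groups = defaultdict(set)
    for (src, dst), _features in beaconing_pairs(flows).items():
        groups[dst].add(src)
    return {dst: sorted(hosts) for dst, hosts in groups.items()
            if len(hosts) >= MIN_GROUP and dst not in baseline}


def suspected_hosts(flows, baseline=BASELINE_DESTINATIONS):
    """Hosts that appear in any reported group."""
    return sorted({h for hosts in aggregate(flows, baseline).values() for h in hosts})


if __name__ == "__main__":
    for dst, hosts in aggregate(FLOWS).items():
        print(f"{dst}: {', '.join(hosts)}")
    print("without the baseline filter:", aggregate(FLOWS, baseline=set()))
```

Run stand-alone, the script reports only the 203.0.113.5 group; dropping the baseline also surfaces the two mail clients, which is the false-positive class a single periodicity feature cannot separate from command-and-control polling on its own.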
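The last part of the abstract concerns the structural property that governs whether edges join “similar” (here: similar-degree) nodes, and its effect on resilience and recovery when a fraction of nodes is removed. The following is an added example, not the thesis's model or its alternative takedown strategy (which the abstract does not spell out): it computes Newman's degree assortativity coefficient for two constructed peer graphs, removes 10% of the nodes either at random or by highest degree, applies a simple recovery rule, and measures how much of the surviving network is still in one connected component. Both graphs, the removal budget and the recovery rule are assumptions for illustration.

```python
"""Degree assortativity and node-removal resilience on two constructed
peer graphs. Added example, not the thesis's code: graphs, removal budget
and recovery rule are assumptions made for illustration."""
import random
from collections import defaultdict


def build_graph(edges):
    adj = defaultdict(set)
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    return dict(adj)


# Hub-and-spoke network: four hubs in a ring, ten leaves each (disassortative).
HUB_EDGES = [(f"h{i}", f"h{(i + 1) % 4}") for i in range(4)] + \
            [(f"h{i}", f"l{i}_{j}") for i in range(4) for j in range(10)]
# Core-and-ring network: five well-connected peers in a clique, a ring of
# twelve low-degree peers, one bridge between them (assortative).
CORE_EDGES = [(f"c{i}", f"c{j}") for i in range(5) for j in range(i + 1, 5)] + \
             [(f"r{i}", f"r{(i + 1) % 12}") for i in range(12)] + [("c0", "r0")]


def assortativity(adj):
    """Newman's degree assortativity: Pearson correlation of the degrees at
    the two ends of an edge, over all edges (each counted once)."""
    deg = {v: len(n) for v, n in adj.items()}
    edges = [(deg[a], deg[b]) for a in adj for b in adj[a] if a < b]
    m = len(edges)
    jk = sum(j * k for j, k in edges) / m
    half_sum = sum(j + k for j, k in edges) / (2 * m)
    half_sq = sum(j * j + k * k for j, k in edges) / (2 * m)
    return (jk - half_sum ** 2) / (half_sq - half_sum ** 2)


def largest_component_fraction(adj):
    """Share of the remaining nodes that sit in the largest connected component."""
    seen, best = set(), 0
    for start in adj:
        if start in seen:
            continue
        stack, size = [start], 0
        seen.add(start)
        while stack:
            v = stack.pop()
            size += 1
            for w in adj[v]:
                if w not in seen:
                    seen.add(w)
                    stack.append(w)
        best = max(best, size)
    return best / len(adj)


def remove_nodes(adj, victims):
    victims = set(victims)
    return {v: n - victims for v, n in adj.items() if v not in victims}


def choose_victims(adj, fraction, strategy, seed=1):
    """'degree' removes the highest-degree nodes; anything else removes at random."""
    k = max(1, round(fraction * len(adj)))
    if strategy == "degree":
        return sorted(adj, key=lambda v: (-len(adj[v]), v))[:k]
    return random.Random(seed).sample(sorted(adj), k)


def recover(before, after):
    """Recovery rule (assumption): a surviving peer that lost every neighbour
    reconnects to surviving peers it could have learned about from its old
    neighbours' peer lists, i.e. nodes two hops away in the original graph."""
    adj = {v: set(n) for v, n in after.items()}
    for v, n in adj.items():
        if n:
            continue
        two_hop = {w for u in before[v] for w in before[u] if w in adj and w != v}
        for w in two_hop:
            adj[v].add(w)
            adj[w].add(v)
    return adj


def takedown(edges, fraction, strategy, with_recovery=False):
    """Largest-component fraction after removing `fraction` of the nodes."""
    before = build_graph(edges)
    after = remove_nodes(before, choose_victims(before, fraction, strategy))
    if with_recovery:
        after = recover(before, after)
    return largest_component_fraction(after)


if __name__ == "__main__":
    for name, edges in (("hub-and-spoke", HUB_EDGES), ("core-and-ring", CORE_EDGES)):
        print(f"{name}: r = {assortativity(build_graph(edges)):+.2f}")
        for strategy in ("random", "degree"):
            print(f"  remove 10% by {strategy}: largest component "
                  f"{takedown(edges, 0.1, strategy):.2f}, "
                  f"after recovery {takedown(edges, 0.1, strategy, True):.2f}")
```

On the disassortative hub graph, removing the four hubs leaves every surviving peer isolated, and the two-hop recovery rule can only rebuild groups of ten; on the assortative core-and-ring graph the same degree-targeted budget removes two clique members and leaves the twelve-node ring intact, so the surviving network is still mostly one component. The effectiveness of a degree-targeted takedown thus depends on the mixing pattern, which is the kind of sensitivity the abstract refers to when it says earlier work may have over-estimated some strategies.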
Similar sources
Causality reasoning about network events for detecting stealthy malware activities
Malicious software activities have become more and more clandestine, making them challenging to detect. Existing security solutions rely heavily on the recognition of known code or behavior signatures, which are incapable of detecting new malware patterns. We propose to discover the triggering relations on network requests and leverage the structural information to identify stealthy malware act...
Poster: CompareView - A Provenance Verification Framework for Detecting Rootkit-Based Malware
Using rootkit mechanisms to hide malware presence is pervasive in today’s computer attacks. We propose the CompareView framework, a host-based solution to detect stealthy outbound traffic generated by rootkit-based malware. Using a lightweight cryptographic protocol, our CompareView framework compares the views of outbound network packets at different layers of the host network stack and verify...
Detecting peripheral-based attacks on the host memory
Adversaries can deploy rootkit techniques on the target platform to persistently attack computer systems in a stealthy manner. Industrial and political espionage, surveillance of users as well as conducting cybercrime require stealthy attacks on computer systems. Utilizing a rootkit technique means that a part of the implemented attack code is responsible for concealing the attack. Attack code...
Whole-system Fine-grained Taint Analysis for Automatic Malware Detection and Analysis
As malware is becoming increasingly sophisticated and stealthy, effective techniques for malware detection and analysis are imperative. Previous detection mechanisms are insufficient. Signature-based detection cannot detect new malware, and watch-point based behavioral detection can be evaded by stealthier design. Most previous analysis mechanisms are too coarse-grained to capture malware behav...