
Using Failure Information Analysis to Detect Enterprise Zombies

  • Conference paper
Security and Privacy in Communication Networks (SecureComm 2009)

Abstract

We propose failure information analysis as a novel strategy for uncovering malware activity and other anomalies in enterprise network traffic. A focus of our study is detecting self-propagating malware such as worms and botnets. We begin by conducting an empirical study of transport- and application-layer failure activity using a collection of long-lived malware traces. We dissect the failure activity observed in this traffic in several dimensions, finding that their failure patterns differ significantly from those of real-world applications. Based on these observations, we describe the design of a prototype system called Netfuse to automatically detect and isolate malware-like failure patterns. The system uses an SVM-based classification engine to identify suspicious systems and clustering to aggregate failure activity of related enterprise hosts. Our evaluation using several malware traces demonstrates that the Netfuse system provides an effective means to discover suspicious application failures and infected enterprise hosts. We believe it would be a useful complement to existing defenses.
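The abstract describes the analysis at a high level: collect transport- and application-layer failures per host, derive features from the failure pattern, classify hosts, and cluster related hosts by their failure activity. The following added example (written for this page; it is not the authors' Netfuse code and does not reproduce their feature set) shows the shape of that pipeline over a constructed set of flow records. The outcome labels, the `host_profiles`/`flag_hosts`/`cluster_flagged` functions and the thresholds are assumptions made here; a fixed rule stands in for the paper's SVM classifier, and grouping by the set of observed failure types stands in for its clustering step.

```python
"""Toy failure-information analysis over constructed flow records (added example).

Each record is (src_host, destination, outcome).  Outcomes model the kinds of
transport-layer failures (RST, SYN timeout, ICMP unreachable) and
application-layer failures (DNS NXDOMAIN, HTTP 4xx) a sensor at the enterprise
edge can observe.  Hosts whose failures are both frequent and spread across many
distinct destinations are flagged, then grouped by the failure types they share.
"""
from collections import Counter, defaultdict
import math

# Failure outcomes, split by layer (assumed labels for this example).
TRANSPORT_FAILURES = {"rst", "syn_timeout", "icmp_unreach"}
APPLICATION_FAILURES = {"nxdomain", "http_4xx"}
FAILURE_OUTCOMES = TRANSPORT_FAILURES | APPLICATION_FAILURES

# Constructed sample data, not from the paper.
RECORDS = (
    # 10.0.0.5: worm-like sweep of port 445 across many hosts, mostly failing.
    [("10.0.0.5", f"10.0.1.{i}:445", o)
     for i, o in enumerate(["rst", "rst", "syn_timeout", "syn_timeout",
                            "rst", "syn_timeout", "rst", "ok"], start=1)]
    # 10.0.0.6: bot resolving generated C&C names that do not exist.
    + [("10.0.0.6", f"dns:{n}.example", "nxdomain")
       for n in ["qhx3k", "ztp9a", "mw7rq", "b2ln0", "ko4vd", "e8sjy"]]
    + [("10.0.0.6", "dns:www.example.org", "ok")]
    # 10.0.0.7: ordinary workstation with an occasional typo or 404.
    + [("10.0.0.7", f"web{i}.example.org:80", "ok") for i in range(8)]
    + [("10.0.0.7", "web9.example.org:80", "http_4xx"),
       ("10.0.0.7", "dns:wwww.example.org", "nxdomain")]
    # 10.0.0.8: second host with the same NXDOMAIN pattern as 10.0.0.6.
    + [("10.0.0.8", f"dns:{n}.example", "nxdomain")
       for n in ["p1xuf", "hh2vc", "r9qm3", "cyt6o", "lb0wz"]]
)


def entropy(counter):
    """Shannon entropy (bits) of a Counter; 0.0 for an empty counter."""
    total = sum(counter.values())
    if total == 0:
        return 0.0
    return -sum(c / total * math.log2(c / total) for c in counter.values())


def host_profiles(records):
    """Aggregate per-host totals, failure counts, failed destinations and types."""
    profiles = defaultdict(lambda: {"total": 0, "failures": 0,
                                    "failed_dsts": set(), "types": Counter()})
    for host, dst, outcome in records:
        p = profiles[host]
        p["total"] += 1
        if outcome in FAILURE_OUTCOMES:
            p["failures"] += 1
            p["failed_dsts"].add(dst)
            p["types"][outcome] += 1
    return profiles


def failure_features(profile):
    """Feature vector for one host: how often it fails, how widely, and how."""
    total = profile["total"]
    types = profile["types"]
    return {
        "failure_ratio": profile["failures"] / total if total else 0.0,
        "distinct_failed_dsts": len(profile["failed_dsts"]),
        "transport_failures": sum(c for t, c in types.items() if t in TRANSPORT_FAILURES),
        "application_failures": sum(c for t, c in types.items() if t in APPLICATION_FAILURES),
        "type_entropy": entropy(types),
    }


def flag_hosts(records, min_ratio=0.5, min_dsts=5):
    """Rule-based stand-in for the classifier: flag hosts that fail often
    and against many distinct destinations.  Returns {host: features}."""
    flagged = {}
    for host, profile in host_profiles(records).items():
        f = failure_features(profile)
        if f["failure_ratio"] >= min_ratio and f["distinct_failed_dsts"] >= min_dsts:
            flagged[host] = f
    return flagged


def cluster_flagged(records, **thresholds):
    """Group flagged hosts by the set of failure types they exhibit, so that
    hosts sharing one infection's failure signature surface together."""
    profiles = host_profiles(records)
    clusters = defaultdict(list)
    for host in flag_hosts(records, **thresholds):
        clusters[frozenset(profiles[host]["types"])].append(host)
    return {sig: sorted(hosts) for sig, hosts in clusters.items()}


if __name__ == "__main__":
    for host, feats in sorted(flag_hosts(RECORDS).items()):
        print(host, feats)
    for sig, hosts in cluster_flagged(RECORDS).items():
        print(sorted(sig), "->", hosts)
```

The thresholds are deliberately crude; the point of the example is the feature extraction (failure ratio, breadth of failed destinations, layer split, entropy of failure types), which is what a learned classifier would consume. On real traffic the constructed `RECORDS` would be replaced by per-flow outcomes from a sensor such as Bro or Snort, and the "normal" host here shows why the failure ratio alone is not enough: legitimate users do produce NXDOMAIN and 4xx responses, but rarely across many distinct destinations at once.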




Copyright information

© 2009 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering

Cite this paper

Zhu, Z., Yegneswaran, V., Chen, Y. (2009). Using Failure Information Analysis to Detect Enterprise Zombies. In: Chen, Y., Dimitriou, T.D., Zhou, J. (eds) Security and Privacy in Communication Networks. SecureComm 2009. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 19. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-05284-2_11

  • DOI: https://doi.org/10.1007/978-3-642-05284-2_11

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-05283-5

  • Online ISBN: 978-3-642-05284-2

  • eBook Packages: Computer Science (R0)
