DOI: 10.1145/2420950.2421000
Research article

Towards network containment in malware analysis systems

Published: 03 December 2012 Publication History

Abstract

This paper focuses on the containment and control of the network interaction generated by malware samples in dynamic analysis environments. An open problem is the dependency between the execution of a malware sample and a number of external hosts (e.g. C&C servers). This dependency affects the repeatability of the analysis, since the state of these external hosts influences the malware execution but lies outside the control of the sandbox. The problem also matters from a containment point of view, because the network traffic generated by a malware sample is potentially malicious and therefore should not be allowed to reach external targets.
The approach proposed in this paper addresses the repeatability and the containment of malware execution by exploring the use of protocol learning techniques to emulate the external network environment required by malware samples. We show that protocol learning techniques, if properly used and configured, can successfully handle the network interaction required by malware. We present our solution, Mozzie, and show its ability to autonomously learn the network interaction associated with recent malware samples without requiring a priori knowledge of the protocol characteristics. Therefore, our system can be used for the contained and repeatable analysis of unknown samples that rely on custom protocols for their communication with external hosts.



Published In

ACSAC '12: Proceedings of the 28th Annual Computer Security Applications Conference
December 2012
464 pages
ISBN:9781450313124
DOI:10.1145/2420950
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

  • ACSA: Applied Computing Security Assoc

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. malware containment
  2. network traffic replay
  3. protocol learning

Qualifiers

  • Research-article

Conference

ACSAC '12
Sponsor:
  • ACSA
ACSAC '12: Annual Computer Security Applications Conference
December 3 - 7, 2012
Orlando, Florida, USA

Acceptance Rates

ACSAC '12 Paper Acceptance Rate 44 of 231 submissions, 19%;
Overall Acceptance Rate 104 of 497 submissions, 21%

Article Metrics

  • Downloads (Last 12 months)8
  • Downloads (Last 6 weeks)2
Reflects downloads up to 03 Feb 2025

Cited By

  • (2021) An Inside Look into the Practice of Malware Analysis. Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, pp. 3053-3069. DOI 10.1145/3460120.3484759. Online publication date: 12-Nov-2021
  • (2018) SysTaint. Proceedings of the 8th Software Security, Protection, and Reverse Engineering Workshop, pp. 1-12. DOI 10.1145/3289239.3289245. Online publication date: 3-Dec-2018
  • (2018) A Comparison of Machine Learning Approaches to Detect Botnet Traffic. 2018 International Joint Conference on Neural Networks (IJCNN), pp. 1-8. DOI 10.1109/IJCNN.2018.8489096. Online publication date: Jul-2018
  • (2018) An Improved Method to Unveil Malware's Hidden Behavior. Information Security and Cryptology, pp. 362-382. DOI 10.1007/978-3-319-75160-3_22. Online publication date: 4-Feb-2018
  • (2015) Reliable and Trustworthy Memory Acquisition on Smartphones. IEEE Transactions on Information Forensics and Security 10(12), pp. 2547-2561. DOI 10.1109/TIFS.2015.2467356. Online publication date: Dec-2015
  • (2015) Container based virtual honeynet for increased network security. 2015 5th National Symposium on Information Technology: Towards New Smart World (NSITNSW), pp. 1-6. DOI 10.1109/NSITNSW.2015.7176410. Online publication date: Feb-2015
  • (2015) Analysis of content copyright infringement in mobile application markets. 2015 APWG Symposium on Electronic Crime Research (eCrime), pp. 1-10. DOI 10.1109/ECRIME.2015.7120798. Online publication date: May-2015
  • (2015) Discovering similar malware samples using API call topics. 2015 12th Annual IEEE Consumer Communications and Networking Conference (CCNC), pp. 140-147. DOI 10.1109/CCNC.2015.7157960. Online publication date: Jan-2015
  • (2014) GoldenEye: Efficiently and Effectively Unveiling Malware's Targeted Environment. Research in Attacks, Intrusions and Defenses, pp. 22-45. DOI 10.1007/978-3-319-11379-1_2. Online publication date: 2014
  • (2013) FIRMA. Proceedings of the 16th International Symposium on Research in Attacks, Intrusions, and Defenses - Volume 8145, pp. 144-163. DOI 10.1007/978-3-642-41284-4_8. Online publication date: 23-Oct-2013
