malware sample are accomplished with the support of network communication. For this reason, mastering the network behavior of malware is very important for security analysts performing malware detection.
The network behavior of malware can be classified into four categories according to its functionality. The first is scanning and propagation: an infected computer scans hosts in its local area network in order to propagate itself by exploiting vulnerabilities. The second is DNS activity to locate the C&C server. The third is the interaction between a malware instance and its C&C server to fetch a command and return its results. The fourth is attacking activity, including DDoS, sending spam emails and serving phishing web pages.
These communications are usually obfuscated. For example, the Command and Control communication of a malware instance, especially of a bot, is crucial for maintaining the malicious network, so the location of the C&C server must be hidden. Malware commonly uses domain-flux and IP-flux to protect this communication [3]: a large number of domains are generated algorithmically at random, and only a few of them are registered during any given time interval. These stealth methods are a great obstacle to the reverse engineering of malware.
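The DNS-side footprint of domain-flux can be checked per client. The following is an added example (not code from the paper or from any system it cites): it scores clients in a constructed DNS query log by the number of distinct second-level labels they look up, the NXDOMAIN ratio and the mean character entropy of those labels, cues commonly used in DNS traffic analysis to spot lookups of algorithmically generated domains. The log format, the client addresses and the thresholds are assumptions made for the example.

```python
import math
from collections import defaultdict
# Constructed DNS query log for this example (not from the paper): "ts client qname rcode"
SAMPLE_LOG = """\
1 10.0.0.5 www.example.com NOERROR
2 10.0.0.5 mail.example.com NOERROR
3 10.0.0.9 xk3vq9zt1pm.com NXDOMAIN
4 10.0.0.9 q8fz1lw0hsd.net NXDOMAIN
5 10.0.0.9 bd7zj2ypqkl.com NXDOMAIN
6 10.0.0.9 zp1ln5rtmqx.org NXDOMAIN
7 10.0.0.9 oghqkf0x5wb.com NOERROR
8 10.0.0.5 cdn.example.com NOERROR
"""
def entropy(label):
    """Shannon entropy in bits per character; random DGA labels score high."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def second_level_label(qname):
    """'xk3vq9zt1pm.com.' -> 'xk3vq9zt1pm', the part domain-flux randomises."""
    parts = qname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def parse_log(text):
    """Yield (client, qname, rcode) from the whitespace-separated log."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4:
            yield fields[1], fields[2], fields[3]

def score_clients(records, min_labels=4, nx_ratio=0.5, min_entropy=3.0):
    """Flag clients that query many distinct high-entropy names, most of which
    fail to resolve: with domain-flux only a few generated names are registered,
    so the rest come back NXDOMAIN. Thresholds are assumed values."""
    per_client = defaultdict(list)
    for client, qname, rcode in records:
        per_client[client].append((second_level_label(qname), rcode == "NXDOMAIN"))
    result = {}
    for client, entries in per_client.items():
        labels = {lbl for lbl, _ in entries}
        nx = sum(is_nx for _, is_nx in entries) / len(entries)
        ent = sum(entropy(lbl) for lbl in labels) / len(labels)
        flag = len(labels) >= min_labels and nx >= nx_ratio and ent >= min_entropy
        result[client] = {"distinct_labels": len(labels), "nxdomain_ratio": nx,
                          "mean_entropy": ent, "suspicious": flag}
    return result
```

On the constructed log, client 10.0.0.9 is flagged (five distinct random-looking labels, four of them NXDOMAIN) while 10.0.0.5, which only resolves names under one ordinary domain, is not.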
Existing research on the network behavior of malware mainly focuses on network traffic. Automatic signature generation techniques [4, 5] extract signatures from labeled malicious traffic using statistical and machine learning methods, for malware detection in IDS and IPS. State-of-the-art botnet detection and containment techniques [6, 7] include botnet detection based on traffic analysis and malicious domain identification based on DNS traffic analysis [8, 9]. These approaches are efficient at detecting and containing malware, being based on an abstraction of part of the intrinsic characteristics of malware network behavior. But they have several limitations that cannot be overcome. The first limitation is that generating a network-based signature takes a long time: the traffic data used to generate signatures is captured passively in an analysis environment in which the targeted malware instance is running, and the capture period is usually several days. The second limitation is that the capture cannot guarantee that the packets are complete. A malware instance can send many types of packets; it is possible that only a part of them is sent during the capture period, and the crucial packets carrying the key features for detection may never be sent at all. The third limitation is that encrypted communication traffic, which is prevalent in modern malware, cannot be handled when generating signatures. All of these limitations lead to incomplete signatures and poor malware detection results, and the resulting understanding of the malware is also inaccurate.
Even worse, Advanced Persistent Threats are now prevalent, and network attacks are no longer a toy. It is very important to understand malware in detail and accurately. A security analyst should figure out the communication patterns between malware instances, beyond the signature of their network traffic. Mining the network behavior of malware for its understanding, detection and containment is imperative.
In this paper, we present an approach to mining the network behavior specifications of malware based on binary analysis. Our goal is to understand the network behavior