of malware in detail and accurately, capture the packets launched by the malware sample under analysis as soon as possible, and extract the network behaviors of malware as completely as possible. First, we present a network behavior specification to describe the protocol information. Then we propose a malware analysis approach supported by network behavior mining, and implement a prototype to evaluate it.
This paper makes the following contributions:
A network behavior specification is proposed to describe a large part of the aspects of network activities.
A network behavior mining approach based on binary analysis is proposed, and its prototype system is implemented for evaluation.
The remainder of this paper is structured as follows. Section 2 gives a detailed description of the network behavior specification. Section 3 describes the NBSBA approach in detail. Section 4 presents an experiment. Finally, Section 5 concludes the paper.
2 The Network Behavior Specification
This section describes the network behavior specification (NBS). Our goal in proposing the NBS is to cover as much as possible of the information related to network behavior, such as the protocol type, the functionality of the packets, the time elapsed since the last packet, and the time period. Our NBS differs from protocol models based on state machine theory and can be used in the malware research area from the viewpoint of network traffic.
A network behavior specification is a 3-tuple graph $\langle V, E, P \rangle$. $V$ is the vertex set, denoting the packets sent out by the executable under analysis. $E$ is the edge set, denoting the packets it receives from the network. $P$ is the set of all packets involved in the communication. A packet $p \in P$ is a 6-tuple $\langle dir, pinfo, dinfo, func, time, raw \rangle$. $dir$ denotes the direction of the packet and takes one of two values, $\{IN, OUT\}$, meaning that the packet was received from the network or sent to the network, respectively. $pinfo$ denotes the protocol information; it is a $\langle sip, dip, sport, dport, proto \rangle$ structure, giving the source IP address, destination IP address, source port, destination port and protocol, respectively. $dinfo$ denotes the data information, whose value is determined by the protocol type. For a DNS query packet, $dinfo$ includes the queried domain name, whose reputation can usually be obtained from a public reputation system for Internet domain names. For an HTTP packet, $dinfo$ includes the URL of a GET-type HTTP request packet, and all packets in that TCP session are recorded. $func$ denotes the functionality of the packet, such as DNS request, network scanning, spamming emails, propagating and attacking, etc. $time$ denotes the time elapsed since the last packet was received or sent. $raw$ denotes the raw data of the packet.
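As an added illustration (not code from the paper), the NBS data model above expressed in Python: the <V, E, P> graph, the 6-tuple packet and the 5-tuple pinfo, built from a constructed four-packet trace. The sandbox host address, the port-based func heuristics and the trace record layout are assumptions of this example.

```python
from collections import namedtuple

# Constructed address of the sandbox host running the sample (an assumption).
ANALYSIS_HOST = "10.0.0.5"

# pinfo: the <sip, dip, sport, dport, proto> protocol-information structure.
PInfo = namedtuple("PInfo", "sip dip sport dport proto")
# A packet p in P: the <dir, pinfo, dinfo, func, time, raw> 6-tuple. dir is "IN" or
# "OUT", dinfo is protocol-dependent data (queried domain, HTTP URL), func is the
# functionality label, time is the seconds elapsed since the previous packet.
NBSPacket = namedtuple("NBSPacket", "dir pinfo dinfo func time raw")
# The <V, E, P> graph: V = packets sent out, E = packets received, P = all packets.
NBS = namedtuple("NBS", "V E P")

def label_func(pinfo, direction):
    """Derive func from port and protocol; these heuristics are illustrative only."""
    if pinfo.proto == "UDP" and 53 in (pinfo.sport, pinfo.dport):
        return "DNS request" if direction == "OUT" else "DNS response"
    if pinfo.proto == "TCP" and 80 in (pinfo.sport, pinfo.dport):
        return "HTTP request" if direction == "OUT" else "HTTP response"
    return "unknown"

def build_nbs(trace, host=ANALYSIS_HOST):
    """Build an NBS from (ts, sip, dip, sport, dport, proto, dinfo, raw) records."""
    nbs, last_ts = NBS([], [], []), None
    for ts, sip, dip, sport, dport, proto, dinfo, raw in trace:
        direction = "OUT" if sip == host else "IN"
        pinfo = PInfo(sip, dip, sport, dport, proto)
        elapsed = 0.0 if last_ts is None else round(ts - last_ts, 3)
        pkt = NBSPacket(direction, pinfo, dinfo, label_func(pinfo, direction), elapsed, raw)
        (nbs.V if direction == "OUT" else nbs.E).append(pkt)
        nbs.P.append(pkt)
        last_ts = ts
    return nbs

def queried_domains(nbs):
    """Domains the sample looked up: the dinfo values a reputation lookup would use."""
    return [p.dinfo["qname"] for p in nbs.V if p.func == "DNS request"]

# Constructed four-packet trace: a DNS lookup followed by an HTTP GET to the answer.
SAMPLE_TRACE = [
    (0.000, ANALYSIS_HOST, "10.0.0.1", 51000, 53, "UDP", {"qname": "example.test"}, b"\x00"),
    (0.050, "10.0.0.1", ANALYSIS_HOST, 53, 51000, "UDP", {"qname": "example.test"}, b"\x01"),
    (0.300, ANALYSIS_HOST, "203.0.113.9", 51001, 80, "TCP", {"url": "http://example.test/c"}, b"GET /c"),
    (0.520, "203.0.113.9", ANALYSIS_HOST, 80, 51001, "TCP", {}, b"HTTP/1.1 200 OK"),
]
```

Calling build_nbs(SAMPLE_TRACE) yields two packets in V, two in E and four in P, with time values 0.0, 0.05, 0.25 and 0.22.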
A sample of the NBS is shown in Fig. 1. The malware instance that produced this NBS has the MD5 value 37b34239f524426c0c45c6292101e425.