Security and Privacy in Communication Networks. 5th International ICST Conference, SecureComm 2009, Athens, Greece, September 14-18, 2009, Revised Selected Papers

Research Article

Using Failure Information Analysis to Detect Enterprise Zombies

  • @INPROCEEDINGS{10.1007/978-3-642-05284-2_11,
        author={Zhaosheng Zhu and Vinod Yegneswaran and Yan Chen},
        title={Using Failure Information Analysis to Detect Enterprise Zombies},
        proceedings={Security and Privacy in Communication Networks. 5th International ICST Conference, SecureComm 2009, Athens, Greece, September 14-18, 2009, Revised Selected Papers},
        proceedings_a={SECURECOMM},
        year={2012},
        month={5},
        keywords={},
        doi={10.1007/978-3-642-05284-2_11}
    }
  • Zhaosheng Zhu, Vinod Yegneswaran, Yan Chen. Year: 2012. Using Failure Information Analysis to Detect Enterprise Zombies. SECURECOMM, Springer. DOI: 10.1007/978-3-642-05284-2_11
Zhaosheng Zhu (1,*), Vinod Yegneswaran (2,*), Yan Chen (1,*)
  • 1: Northwestern University
  • 2: SRI International
* Contact email: z-zhu@northwestern.edu, vinod@csl.sri.com, ychen@northwestern.edu

Abstract

We propose failure information analysis as a novel strategy for uncovering malware activity and other anomalies in enterprise network traffic. A focus of our study is detecting self-propagating malware such as worms and botnets. We begin by conducting an empirical study of transport- and application-layer failure activity using a collection of long-lived malware traces. We dissect the failure activity observed in this traffic along several dimensions and find that the failure patterns of malware differ significantly from those of legitimate real-world applications. Based on these observations, we describe the design of a prototype system called Netfuse that automatically detects and isolates malware-like failure patterns. The system uses an SVM-based classification engine to identify suspicious hosts and clustering to aggregate the failure activity of related enterprise hosts. Our evaluation using several malware traces demonstrates that Netfuse provides an effective means of discovering suspicious application failures and infected enterprise hosts. We believe it would be a useful complement to existing defenses.
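The pipeline the abstract sketches (per-host failure profiles from transport- and application-layer events, a classifier over those profiles, then clustering of hosts with related failures) can be illustrated end to end on a handful of log lines. The following is an added example, not code from the Netfuse paper or its authors: the log format, the feature set, the weights and threshold, and the use of a hand-written linear score in place of the paper's SVM are all assumptions made for illustration, and the log lines are constructed.

```python
"""Failure-information analysis over constructed enterprise logs (added
example; the log format, features, weights and the linear stand-in for the
paper's SVM are assumptions, not the Netfuse implementation)."""
from collections import defaultdict
from itertools import combinations

# Constructed log lines: "<host> <proto> <dst> <outcome>"
#   dns  : outcome is the response code (NOERROR / NXDOMAIN / SERVFAIL)
#   tcp  : outcome is OK, RST (reset on SYN) or TIMEOUT (no SYN-ACK)
#   http : outcome is the HTTP status code
SAMPLE_LOG = """\
10.0.0.5 dns mail.example.org NOERROR
10.0.0.5 tcp 203.0.113.10:443 OK
10.0.0.5 http 203.0.113.10 200
10.0.0.5 dns cdn.example.net NOERROR
10.0.0.5 tcp 203.0.113.20:80 OK
10.0.0.5 http 203.0.113.20 404
10.0.0.7 dns a1b2c3.biz NXDOMAIN
10.0.0.7 dns q9x8w7.info NXDOMAIN
10.0.0.7 dns zz91kk.cc NXDOMAIN
10.0.0.7 dns cc.fast-flux.example NOERROR
10.0.0.7 tcp 198.51.100.9:6667 TIMEOUT
10.0.0.7 tcp 198.51.100.9:8080 RST
10.0.0.7 tcp 198.51.100.30:445 TIMEOUT
10.0.0.7 http 198.51.100.9 503
10.0.0.9 dns a1b2c3.biz NXDOMAIN
10.0.0.9 dns zz91kk.cc NXDOMAIN
10.0.0.9 dns q9x8w7.info NXDOMAIN
10.0.0.9 tcp 198.51.100.9:6667 TIMEOUT
10.0.0.9 tcp 198.51.100.31:445 RST
"""

# Assumed weights: DNS and TCP failures weigh more than HTTP errors, since
# benign browsing produces plenty of 4xx but rarely NXDOMAIN storms.
WEIGHTS = {"dns": 2.0, "tcp": 1.5, "http": 0.5}
DISTINCT_DST_WEIGHT = 0.25
THRESHOLD = 2.0


def is_failure(proto, outcome):
    """Transport-layer failure for tcp, application-layer for dns/http."""
    if proto == "dns":
        return outcome != "NOERROR"
    if proto == "tcp":
        return outcome != "OK"
    if proto == "http":
        return outcome.startswith(("4", "5"))
    raise ValueError(f"unknown protocol {proto!r}")


def failure_profiles(log_text):
    """Build a per-host profile: failure ratio per layer and the set of
    destinations (host part only, port stripped) that the host failed against."""
    attempts = defaultdict(lambda: defaultdict(int))
    failures = defaultdict(lambda: defaultdict(int))
    failed_dsts = defaultdict(set)
    for line in log_text.splitlines():
        host, proto, dst, outcome = line.split()
        attempts[host][proto] += 1
        if is_failure(proto, outcome):
            failures[host][proto] += 1
            failed_dsts[host].add(dst.split(":")[0])
    return {
        host: {
            "ratios": {p: failures[host][p] / n for p, n in attempts[host].items()},
            "failed_dsts": frozenset(failed_dsts[host]),
        }
        for host in attempts
    }


def score(profile):
    """Linear score standing in for the paper's SVM decision function."""
    s = sum(w * profile["ratios"].get(p, 0.0) for p, w in WEIGHTS.items())
    return s + DISTINCT_DST_WEIGHT * len(profile["failed_dsts"])


def classify(profiles):
    return {host: score(p) >= THRESHOLD for host, p in profiles.items()}


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a | b) else 0.0


def cluster_suspicious(profiles, verdicts, min_similarity=0.5):
    """Union-find over suspicious hosts whose failed-destination sets overlap;
    hosts chasing the same dead C&C names or scan targets land together."""
    hosts = sorted(h for h, flagged in verdicts.items() if flagged)
    parent = {h: h for h in hosts}

    def find(h):
        while parent[h] != h:
            parent[h] = parent[parent[h]]
            h = parent[h]
        return h

    for a, b in combinations(hosts, 2):
        if jaccard(profiles[a]["failed_dsts"], profiles[b]["failed_dsts"]) >= min_similarity:
            parent[find(a)] = find(b)
    groups = defaultdict(list)
    for h in hosts:
        groups[find(h)].append(h)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    profs = failure_profiles(SAMPLE_LOG)
    verdicts = classify(profs)
    for host in sorted(profs):
        print(host, round(score(profs[host]), 2), "SUSPICIOUS" if verdicts[host] else "ok")
    print("clusters:", cluster_suspicious(profs, verdicts))
```

On the constructed log, 10.0.0.5 scores low (one 404 against otherwise successful traffic) while 10.0.0.7 and 10.0.0.9 are flagged and then clustered together because they fail against the same set of nonexistent domains and the same unreachable peer, which is the kind of shared failure signature the clustering step is meant to surface. In a real deployment the threshold and weights would be learned, not fixed, and a benign baseline (flaky CDN, expired internal hostnames) would need to be measured first so that ordinary failures do not trip the classifier.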