Security and Privacy in Communication Networks. 6th Iternational ICST Conference, SecureComm 2010, Singapore, September 7-9, 2010. Proceedings

Research Article

Analyzing and Exploiting Network Behaviors of Malware

Download66 downloads
  • @INPROCEEDINGS{10.1007/978-3-642-16161-2_2,
        author={Jose Morales and Areej Al-Bataineh and Shouhuai Xu and Ravi Sandhu},
        title={Analyzing and Exploiting Network Behaviors of Malware},
        proceedings={Security and Privacy in Communication Networks. 6th Iternational ICST Conference, SecureComm 2010, Singapore, September 7-9, 2010. Proceedings},
        proceedings_a={SECURECOMM},
        year={2012},
        month={5},
        keywords={},
        doi={10.1007/978-3-642-16161-2_2}
    }
    
  • Jose Morales
    Areej Al-Bataineh
    Shouhuai Xu
    Ravi Sandhu
    Year: 2012
    Analyzing and Exploiting Network Behaviors of Malware
    SECURECOMM
    Springer
    DOI: 10.1007/978-3-642-16161-2_2
Jose Morales1,*, Areej Al-Bataineh1,*, Shouhuai Xu,*, Ravi Sandhu1,*
  • 1: University of Texas
*Contact email: jose.morales@utsa.edu, aalbata@cs.utsa.edu, shxu@cs.utsa.edu, ravi.sandhu@utsa.edu

Abstract

In this paper we address the following questions: From a networking perspective, do malicious programs (malware, bots, viruses, etc...) behave differently from benign programs that run daily for various needs? If so, how may we exploit the differences in network behavior to detect them? To address these questions, we are systematically analyzing the behavior of a large set (at the magnitude of 2,000) of malware samples. We present our initial results after analyzing 1000 malware samples. The results show that malicious and benign programs behave quite differently from a network perspective. We are still in the process of attempting to interpret the differences, which nevertheless have been utilized to detect 31 malware samples which were not detected by any antivirus software on Virustotal.com as of 01 April 2010, giving evidence that the differences between malicious and benign network behavior has a possible use in helping stop zero-day attacks on a host machine.