Top

Published in:

2014 | OriginalPaper | Chapter

On the Reliability of Network Measurement Techniques Used for Malware Traffic Analysis

Authors : Joseph Gardiner, Shishir Nagaraja

Published in: Security Protocols XXII

Publisher: Springer International Publishing

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Malware attacks are increasingly popular attack vectors in online crime. As trends and anecdotal evidence show, preventing these attacks, regardless of their opportunistic or targeted nature, has proven difficult: intrusions happen and devices get compromised, even at security-conscious organisations. As a consequence, an alternative line of work has focused on detecting and disrupting the individual steps that follow an initial compromise and that are essential for the successful progression of the attack. In particular, a number of approaches and techniques have been proposed to identify the Command & Control (C2) channel that a compromised system establishes to communicate with its controller. The success of C2 detection approaches depends on collecting relevant network traffic. As traffic volumes increase this is proving increasingly difficult. In this paper, we analyse current approaches of ISP-scale network measurement from the perspective of C2 detection. We discuss a number of weaknesses that affect current techniques and provide suggestions for their improvement.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

previous chapter On Node Capturing Attacker Strategies (Transcript of Discussion)

next chapter On the Reliability of Network Measurement Techniques Used for Malware Traffic Analysis (Transcript of Discussion)

AT&T global networking facts. http://www.corp.att.com/gov/about_ags/fact_sheet

The CAIDA UCSD Anonymized Internet Traces 2012. http://www.caida.org/data/passive/passive_2012_dataset.xml. Accessed 20 March 2013

Cantieni, G.R., Iannaccone, G., Barakat, C., Diot, C., Thiran, P.: Reformulating the monitor placement problem: Optimal network-wide sampling. In: Proceedings of the 2006 ACM CoNEXT Conference, CoNEXT ’06, pp. 5:1–5:12. ACM, New York (2006)

Cisco Systems Inc., Cisco IOS Netflow. http://www.cisco.com/web/go/netflow

Cohen, E., Duffield, N.G., Kaplan, H., Lund, C., Thorup, M.: Stream sampling for variance-optimal estimation of subset sums. In: Mathieu, C. (ed.) Proceedings of ACM-SIAM Symposium on Discrete Algorithms, pp. 1255–1264. SIAM (2009)

Cranor, C., Johnson, T., Spataschek, O., Shkapenyuk, V.: Gigascope: a stream database for network applications. In: Proceedings of the 2003 ACM SIGMOD International Conference on Management of Data, SIGMOD ’03, pp. 647–651. ACM, New York (2003)

Duffield, N., Lund, C., Thorup, M.: Learn more, sample less: control of volume and variance in network measurement. IEEE Trans. Inf. Theory 51(5), 1756–1775 (2005)MathSciNetCrossRefMATH

Estan, C., Varghese, G.: New directions in traffic measurement and accounting: Focusing on the elephants, ignoring the mice. ACM Trans. Comput. Syst. 21(3), 270–313 (2003)CrossRef

Franklin, J., Paxson, V., Perrig, A., Savage, S.: An inquiry into the nature and causes of the wealth of internet miscreants. In: Proceedings of the 14th ACM Conference on Computer and Communications Security, CCS ’07, pp. 375–388. ACM, New York (2007)

10.

Horvitz, D.G., Thompson, D.J.: A generalization of sampling without replacement from a finite universe. J. Am. Stat. Assoc. 47(260), 663–685 (1952)MathSciNetCrossRefMATH

11.

Hutchins, E.M., Clopperty, M.J., Amin, R.M.: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains. Technical report, Lockheed Martin Corporation, 2010. http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf

12.

Krebs, B.: Security Firm Bit9 Hacked, Used to Spread Malware. Krebs on Security, 13 Feb 2013. http://krebsonsecurity.com/2013/02/security-firm-bit9-hacked-used-to-spread-malware/

13.

Mandiant. APT1: Exposing One of Chinas Cyber Espionage Units. Technical report, 2013. http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf

14.

Nagaraja, S., Anderson, R.: The snooping dragon: social-malware surveillance of the tibetan movement. Technical Report UCAM-CL-TR-746, University of Cambridge, (2009)

15.

Nakashima, E.: Confidential report lists U.S. weapons system designs compromised by Chinese cyberspies. The Washington Post, 27 May 2013. http://articles.washingtonpost.com/2013-05-27/world/39554997_1_u-s-missile-defenses-weapons-combat-aircraft

16.

Perlroth, N.: Hackers in China Attacked The Times for Last 4 Months. The New York Times, 30 January 2013. http://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html

17.

Polychronakis, M., Mavrommatis, P., Provos, N.:. Ghost turns zombie: Exploring the life cycle of web-based malware. In: Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats, LEET’08, pp. 11:1–11:8. USENIX Association, Berkeley (2008)

18.

Provos, N., Rajab, M.A., Mavrommatis, P.: Cybercrime 2.0: When the cloud turns dark. Commun. ACM 52(4), 42–47 (2009)CrossRef

19.

Sekar, V., Reiter, M.K., Willinger, W., Zhang, H., Kompella, R.R., Andersen, D.G.: Csamp: a system for network-wide flow monitoring. In: Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation, NSDI’08, pp. 233–246. USENIX Association, Berkeley (2008)

20.

TrendLabs APT Research Team. Spear-Phishing Email: Most Favored APT Attack Bait. Technical report, Trend Micro Incorporated, 2012. http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-spear-phishing-email-most-favored-apt-attack-bait.pdf

21.

Yu, M., Jose, L., Miao, R.: Software defined traffic measurement with opensketch. In: Proceedings of the 10th USENIX Conference on Networked Systems Design and Implementation, NSDI’13, pp. 29–42. USENIX Association, Berkeley (2013)

Title: On the Reliability of Network Measurement Techniques Used for Malware Traffic Analysis
Authors: Joseph Gardiner
Shishir Nagaraja
Publisher: Springer International Publishing
Book: Security Protocols XXII
Print ISBN: 978-3-319-12399-8

Electronic ISBN: 978-3-319-12400-1

Copyright Year: 2014
DOI: https://doi.org/10.1007/978-3-319-12400-1_31

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner