Detecting the behavioral relationships of malware connections - - PDF document




SLIDE 1

See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/307638742

Detecting the behavioral relationships of malware connections (slides)

Conference Paper · August 2016


2 authors, including Sebastián García (Czech Technical University in Prague).

Related projects by the authors: Stratosphere Project; A Study of RATs.


All content following this page was uploaded by Sebastián García on 06 September 2016.


SLIDE 2

Detecting the Behavioral Relationships of Malware Connections

(Position paper)

Sebastian Garcia & Michal Pechoucek

sebastian.garcia@agents.fel.cvut.cz, @eldracote

Live: bit.ly/praise2016

SLIDE 3

Privacy and surveillance. The MasterMind program.

We should know how to deal with this, and use it.

Behavior of malware: how to detect it.

The origin

SLIDE 4

The Problem

False positives: you detect something as malicious when it is not.

Detection of what? Packets? Flows? Web logs? Unique computers?

Differentiating normal from malicious: we may detect malicious traffic on its own, but when it is mixed with normal traffic it is far more difficult.

SLIDE 5

Stratosphere IPS Project

Model network behaviors as a string of letters.

1 flow → 3 features → 1 letter

1 connection (srcIP, dstIP, dstPort, Proto) → 1 string

SLIDE 6

The Problem of Stratosphere

Usually working, but some behaviors are very similar.

Normal radio streaming: 88,h,h,h,h,h,h,H,H,h,h,h,h,H,H,h,H,H,h,H,h,H,H,H,h,

Botnet C&C server 23.247.5.27 port 25000/tcp: 88,H,H,h,H,H,h,h,h,h,h,H,h,H,H,H

https://stratosphereips.org

SLIDE 7

A better differentiation

We are looking too closely. Analyze the behavior of the host instead of a single connection.

SLIDE 8

A New type of Graph

A graph to show the relationships of flow sequences. Made by Daniel Šmolík, from the Stratosphere team.

A graph per client (source IP).

A node is the combination of dst IP, dst port and protocol.

An edge is a flow sequence as seen in the network.

The more times the edge is found, the thicker it is.

The more times the node is repeated, the larger it is.

The more times the node loops with itself, the more its color changes.

SLIDE 9

Normal Graph

1 client

SLIDE 10

Normal Graph

The same single client, with the DNS servers removed.

SLIDE 11

Geodo Botnet complete graph

SLIDE 12

Geodo Botnet filtered graph

No DNS, ICMP, IPv6, ARP or multicast.

SLIDE 13

Mixed Normal and Adware

Before Infection. No DNS

SLIDE 14

Mixed Normal and Adware

After Infection. No DNS

SLIDE 15

Mixed Normal and Adware

After Infection. No DNS

SLIDE 16

Analyzing the Behavior of a Host

Now:

Amount of times a [dst IP, dst port, protocol] is accessed (node).

Amount of times a node comes after another node in sequence (edge).

Amount of times a node loops with itself.

Work in progress:

Loops: find loops in the graph structure. Complex loops, double loops (Geodo).

Type of nodes. Type of nodes connecting to each node (relation).

Stratosphere Behaviors
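Added example, not code from the Stratosphere project: it builds the per-client graph of slide 8 (node = dst IP, dst port, protocol; edge = one flow following another) and computes the node, edge and self-loop counts listed above, then runs a small DFS to find the simple loops (A→B→A) that the work-in-progress items mention. The flow records are constructed, and the DNS port filter and the cycle finder are assumptions of this example.

```python
from collections import Counter, defaultdict

# Constructed sample flows (not from the paper): (srcIP, dstIP, dstPort, proto),
# already in the order they were seen on the network for one client.
FLOWS = [
    ("10.0.0.5", "8.8.8.8", 53, "udp"),
    ("10.0.0.5", "93.184.216.34", 443, "tcp"),
    ("10.0.0.5", "8.8.8.8", 53, "udp"),
    ("10.0.0.5", "198.51.100.7", 25000, "tcp"),  # repeated, C&C-like node
    ("10.0.0.5", "198.51.100.7", 25000, "tcp"),
    ("10.0.0.5", "198.51.100.7", 25000, "tcp"),
    ("10.0.0.5", "203.0.113.9", 80, "tcp"),
    ("10.0.0.5", "198.51.100.7", 25000, "tcp"),
    ("10.0.0.5", "203.0.113.9", 80, "tcp"),
    ("10.0.0.5", "198.51.100.7", 25000, "tcp"),
]


def build_graph(flows, client, skip_ports=(53,)):
    """One graph per client. Node = (dstIP, dstPort, proto); an edge counts how
    often one node directly follows another; a self-loop counts the same node
    twice in a row. skip_ports drops DNS, like the slides' 'No DNS' views."""
    nodes, edges, loops = Counter(), Counter(), Counter()
    prev = None
    for src, dst, port, proto in flows:
        if src != client or port in skip_ports:
            continue
        node = (dst, port, proto)
        nodes[node] += 1
        if prev is not None:
            if prev == node:
                loops[node] += 1
            else:
                edges[(prev, node)] += 1
        prev = node
    return nodes, edges, loops


def find_cycles(edges):
    """Simple directed cycles between distinct nodes (e.g. A->B->A), found by
    DFS; each cycle is reported once, starting from its smallest node."""
    adj = defaultdict(set)
    for a, b in edges:
        adj[a].add(b)
    cycles = set()

    def dfs(start, cur, path):
        for nxt in adj[cur]:
            if nxt == start:
                cycles.add(tuple(path))
            elif nxt not in path and nxt > start:
                dfs(start, nxt, path + [nxt])

    for n in sorted(adj):
        dfs(n, n, [n])
    return cycles
```

On the constructed flows the C&C-like node is visited five times, loops with itself twice, and forms a two-node loop with the port 80 node, which is exactly the kind of structure the graph makes visible.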

SLIDE 17

Conclusion and Thanks!

The behavior of a host may be modeled by looking at its actions, relationships and loops. These are the differentiable features of malware.

Next: more experiments, evaluation and comparison.

Thank you for staying! And thanks to Daniel Šmolík for his work.

Sebastian Garcia, sebastian.garcia@agents.fel.cvut.cz, @eldracote
