See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/307638742 Detecting the behavioral relationships of malware connections (slides) Conference Paper · August 2016 CITATIONS READS 0 149 2 authors , including: Sebastián García Czech Technical University in Prague 55 PUBLICATIONS 562 CITATIONS SEE PROFILE Some of the authors of this publication are also working on these related projects: Stratosphere Project View project A Study of RATs View project All content following this page was uploaded by Sebastián García on 06 September 2016. The user has requested enhancement of the downloaded file.
Detecting the Behavioral Relationships of Malware Connections (positional paper) Sebastian Garcia & Michal Pechoucek sebastian.garcia@agents.fel.cvut.cz @eldracote Live: bit.ly/praise2016
The origin Privacy and surveillance. The MasterMind program. We should know how to deal with this, and use it. Behavior of malware, how to detect it.
The Problem False positives: You detect malicious when is not. Detection of what? Packets? Flows? Web logs? Unique computers? Differentiating normal from malicious We may detect malicious alone. But when it is mixed with normal, it's far more difficult.
Stratosphere IPS Project Model network behaviors as a string of letters . 1 flow 3 features 1 letter 1 connection (srcIP, dstIP, dstPort, Proto) String
The Problem of Stratosphere Usually working, but some behaviors are very similar . Normal Radio Streaming 88,h,h,h,h,h,h,H,H,h,h,h,h,H,H,h,H,H,h,H,h,H,H,H,h, Botnet C&C server 23.247.5.27 port 25000/tcp 88,H,H,h,H,H,h,h,h,h,h,H,h,H,H,H https://stratosphereips.org
A better differentiation We are looking too closely. Analyze the behavior of the Host, instead of a connection.
A New type of Graph A graph to show the relationships of flow sequences . Made by Daniel Š molík , from the Stratosphere team. A graph per client (source IP). A node is the combination of dst IP, dst port, protocol . An edge is a flow sequence as seen in the network. The more times the edge is found, the thicker. The more times the node is repeated, the larger. The more times the node looped, the color changes.
Normal Graph 1 client
Normal Graph Same 1 client, not DNS servers.
Geodo Botnet complete graph
Geodo Botnet filtered graph No DNS, icmp, ipv6, arp or multicast.
Mixed Normal and Adware Before Infection. No DNS
Mixed Normal and Adware After Infection. No DNS
Mixed Normal and Adware After Infection. No DNS
Analyzing the Behavior of a Host Now Amount of times a [dst ip, dst port and protocol] is accessed (node). Amount of times a node comes after other node in sequence (edge). Amount of times a node loops with itself. Work in progress Loops Find loops in the graph structure. Complex loops, double loops (Geodo). Type of nodes. Type of nodes connecting to each node (relation). Stratosphere Behaviors
Conclusion and Thanks! The behavior of a host may be modeled looking at its actions, relationships and loops. These are the differentiable features of malware. More experiments, evaluation and comparison. Thank you for staying! And thanks Daniel Smolík for his work. Sebastian Garcia sebastian.garcia@agents.fel.cvut.cz @eldracot e View publication stats View publication stats
Recommend
More recommend
