Ecole d'ingénieur et centre de recherche en Sciences du numérique

Towards network containment in malware analysis systems

Graziano, Mariano; Leita, Corrado; Balzarotti, Davide

ACSAC 2012, 28th Annual Computer Security Applications Conference, December 3-7, 2012, Orlando, Florida, USA

This paper focuses on the containment and control of the network interaction generated by malware samples in dynamic analysis environments. A currently unsolved problem consists in the existing dependency between the execution of a malware sample and a number of external hosts (e.g. C&C servers). This dependency affects the repeatability of the analysis, since the state of these external hosts influences the malware execution but it is outside the control of the sandbox. This problem is also important from a containment point of view, because the network traffic generated by a malware sample is potentially of malicious nature and, therefore, it should not be allowed to reach external targets. The approach proposed in this paper addresses the repeatability and the containment of malware execution by exploring the use of protocol learning techniques for the emulation of the external network environment required by malware samples. We show that protocol learning techniques, if properly used and configured, can be successfully used to handle the network interaction required by malware. We present our solution, Mozzie, and show its ability to autonomously learn the network interaction associated to recent malware samples without requiring a-priori knowledge of the protocol characteristics. Therefore, our system can be used for the contained and repeatable analysis of unknown samples that rely on custom protocols for their communication with external hosts.

Document Doi Bibtex

Titre:Towards network containment in malware analysis systems
Mots Clés:Malware containment, protocol learning, network traffic replay
Département:Sécurité numérique
Eurecom ref:3887
Copyright: © ACM, 2012. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in ACSAC 2012, 28th Annual Computer Security Applications Conference, December 3-7, 2012, Orlando, Florida, USA
Bibtex: @inproceedings{EURECOM+3887, doi = { }, year = {2012}, title = {{T}owards network containment in malware analysis systems}, author = {{G}raziano, {M}ariano and {L}eita, {C}orrado and {B}alzarotti, {D}avide}, booktitle = {{ACSAC} 2012, 28th {A}nnual {C}omputer {S}ecurity {A}pplications {C}onference, {D}ecember 3-7, 2012, {O}rlando, {F}lorida, {USA} }, address = {{O}rlando, {\'{E}}{TATS}-{UNIS}}, month = {12}, url = {} }
Voir aussi: