Ecole d'ingénieur et centre de recherche en Sciences du numérique

A Lustrum of malware network communication: Evolution and insights

Lever, Chaz; Kotzias, Platon; Balzarotti, Davide; Caballero, Juan; Antonakakis, Manos

S&P 2017, 37th IEEE Symposium on Security and Privacy, May 23-25, 2017, San Jose, USA

Both the operational and academic security communities have used dynamic analysis sandboxes to execute malware samples for roughly a decade. Network information derived from dynamic analysis is frequently used for threat detection, network policy, and incident response. Despite these common and important use cases, the efficacy of the network detection signal derived from such analysis has yet to be studied in depth. This paper seeks to address this gap by analyzing the network communications of 26.8 million samples that were collected over a period of five years. Using several malware and network datasets, our large scale study makes three core contributions. (1) We show that dynamic analysis traces should be carefully curated and provide a rigorous methodology that analysts can use to remove potential noise from such traces. (2) We show that Internet miscreants are increasingly using potentially unwanted programs (PUPs) that rely on a surprisingly stable DNS and IP infrastructure. This indicates that the security community is in need of better protections against such threats, and network policies may provide a solid foundation for such protections. (3) Finally, we see that, for the vast majority of malware samples, network traffic provides the earliest indicator of infection--several weeks and often months before the malware sample is discovered. Therefore, network defenders should rely on automated malware analysis to extract indicators of compromise and not to build early detection systems.

Document Doi Bibtex

Titre:A Lustrum of malware network communication: Evolution and insights
Ville:San Jose
Département:Sécurité numérique
Eurecom ref:5177
Copyright: © 2017 IEEE. Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE.
Bibtex: @inproceedings{EURECOM+5177, doi = {}, year = {2017}, title = {{A} {L}ustrum of malware network communication: {E}volution and insights}, author = {{L}ever, {C}haz and {K}otzias, {P}laton and {B}alzarotti, {D}avide and {C}aballero, {J}uan and {A}ntonakakis, {M}anos}, booktitle = {{S}\&{P} 2017, 37th {IEEE} {S}ymposium on {S}ecurity and {P}rivacy, {M}ay 23-25, 2017, {S}an {J}ose, {USA}}, address = {{S}an {J}ose, {\'{E}}{TATS}-{UNIS}}, month = {05}, url = {} }
Voir aussi: