Towards Network Containment in Malware Analysis Systems

Mariano Graziano - PhD Student
Digital Security

Date: -
Location: Eurecom

This talk focuses on the containment and control of the network interaction generated by malware samples in dynamic analysis environments such as sandboxes. A currently unsolved problem is the dependency between the execution of a malware sample and external network hosts (e.g. C&C servers). This dependency affects the repeatability of the analysis, since the state of these external hosts is outside the control of the sandbox yet influences the malware's execution. The dependency also raises containment concerns, since the network interaction generated by a malware sample is potentially malicious and should not be allowed to reach its targets. The proposed approach addresses both concerns by exploring the usefulness of protocol learning techniques for emulating the external network environment that a malware sample depends on during execution. We show that protocol learning techniques, if properly used and configured, can successfully handle the network interaction with malware. We present our solution, Mozzie, and show its ability to autonomously learn the network interaction associated with recent malware samples without requiring a-priori knowledge of the protocol characteristics. The system can therefore be used for the contained and repeatable analysis of unknown samples, including those relying on custom protocols for their communication with external hosts.
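To make the idea concrete, the following is an added toy illustration of the learn-then-emulate principle the abstract describes: it is not Mozzie's code and does not reproduce its learning algorithm. It assumes a constructed trace of request/response pairs captured by the sandbox's network tap (the `HELLO`/`BEACON` messages and the `ContainedNetwork` class are hypothetical), abstracts variable fields in each request into a template, and then answers later requests locally from the learned table so that nothing reaches the real host and repeated runs see the same network state. Requests it cannot answer are recorded for the analyst instead of being forwarded.

```python
import re
from collections import defaultdict

# Constructed example trace: (request, response) pairs a sandbox would record
# while a sample talked to its (hypothetical) C&C host during a first run.
OBSERVED_EXCHANGES = [
    (b"HELLO id=1001 ver=2\n", b"OK session=77\n"),
    (b"HELLO id=1002 ver=2\n", b"OK session=78\n"),
    (b"BEACON id=1001 session=77\n", b"CMD sleep 60\n"),
    (b"BEACON id=1002 session=78\n", b"CMD sleep 60\n"),
]

FIELD_RE = re.compile(r"\d+")


def template(msg: bytes) -> str:
    """Generalize a message by replacing runs of digits (ids, counters,
    session numbers) with a wildcard, so requests that differ only in
    such fields share one learned entry."""
    return FIELD_RE.sub("#", msg.decode("latin-1"))


class LearnedResponder:
    """Table of request templates -> observed responses, learned from a trace."""

    def __init__(self):
        self._table = defaultdict(list)
        self.unknown = []  # requests the emulator could not answer (for analyst review)

    def learn(self, exchanges):
        for req, resp in exchanges:
            self._table[template(req)].append(resp)

    def _closest(self, tmpl: str):
        # Fallback: reuse the entry whose first token (the "verb") matches,
        # e.g. a BEACON with an unseen field layout still gets a BEACON reply.
        verb = tmpl.split(" ", 1)[0]
        for known in self._table:
            if known.split(" ", 1)[0] == verb:
                return known
        return None

    def respond(self, req: bytes):
        tmpl = template(req)
        key = tmpl if tmpl in self._table else self._closest(tmpl)
        if key is None:
            self.unknown.append(req)  # contained: dropped, never forwarded
            return None
        return self._table[key][0]


class ContainedNetwork:
    """Stand-in for the sandbox network layer: every outbound message is
    answered by the learned responder; no packet leaves the analysis host."""

    def __init__(self, responder: LearnedResponder):
        self.responder = responder
        self.log = []

    def send(self, dst: str, payload: bytes):
        resp = self.responder.respond(payload)
        self.log.append((dst, payload, resp))
        return resp


def emulate_run(responder: LearnedResponder, requests):
    """Replay one sandbox run against the emulated environment and return
    the responses the sample would have seen."""
    net = ContainedNetwork(responder)
    return [net.send("203.0.113.10:4444", r) for r in requests]  # TEST-NET address


if __name__ == "__main__":
    responder = LearnedResponder()
    responder.learn(OBSERVED_EXCHANGES)
    second_run = [b"HELLO id=4242 ver=2\n", b"BEACON id=4242 session=5\n", b"UPLOAD file=x\n"]
    print(emulate_run(responder, second_run))
    print("unanswered:", responder.unknown)
```

Because every response is drawn from the learned table, two runs of the same sample receive byte-identical replies, which is the repeatability property the abstract refers to; the `unknown` list is where a real system would surface protocol states the learning phase never observed.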