On the reliability of network measurement techniques used for malware traffic analysis

Joseph Gardiner; Shishir Nagaraja

doi:10.1007/978-3-319-12400-1_31

On the reliability of network measurement techniques used for malware traffic analysis

Joseph Gardiner, Shishir Nagaraja

Computer And Information Sciences

Research output: Chapter in Book/Report/Conference proceeding › Chapter

5 Citations (Scopus)

Abstract

Malware attacks are increasingly popular attack vectors in online crime. As trends and anecdotal evidence show, preventing these attacks, regardless of their opportunistic or targeted nature, has proven difficult: intrusions happen and devices get compromised, even at securityconscious organisations. As a consequence, an alternative line of work has focused on detecting and disrupting the individual steps that follow an initial compromise and that are essential for the successful progression of the attack. In particular, a number of approaches and techniques have been proposed to identify the Command & Control (C2) channel that a compromised system establishes to communicate with its controller. The success of C2 detection approaches depends on collecting relevant network traffic. As traffic volumes increase this is proving increasingly difficult. In this paper, we analyse current approaches of ISP-scale network measurement from the perspective of C2 detection. We discuss a number of weaknesses that affect current techniques and provide suggestions for their improvement.

Original language	English
Title of host publication	Security Protocols XXII - 22nd International Workshop, Revised Selected Papers
Editors	Frank Stajano, Vashek Matyáš, Petr Švenda, Jonathan Anderson, Bruce Christianson, James Malcolm
Place of Publication	Cham
Publisher	Springer-Verlag
Pages	321-333
Number of pages	13
Volume	8809
ISBN (Print)	9783319123998
DOIs	https://doi.org/10.1007/978-3-319-12400-1_31
Publication status	Published - 1 Jan 2014

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	8809
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Keywords

uniform sampling
proportional fairness
flow size
flooding attack
traffic trace
computer crime
reliability analysis
network security
packet sampling
traffic analysis
malware traffic analysis

Access to Document

10.1007/978-3-319-12400-1_31

Cite this

Gardiner, J., & Nagaraja, S. (2014). On the reliability of network measurement techniques used for malware traffic analysis. In F. Stajano, V. Matyáš, P. Švenda, J. Anderson, B. Christianson, & J. Malcolm (Eds.), Security Protocols XXII - 22nd International Workshop, Revised Selected Papers (Vol. 8809, pp. 321-333). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 8809). Springer-Verlag. https://doi.org/10.1007/978-3-319-12400-1_31

Gardiner, Joseph ; Nagaraja, Shishir. / On the reliability of network measurement techniques used for malware traffic analysis. Security Protocols XXII - 22nd International Workshop, Revised Selected Papers. editor / Frank Stajano ; Vashek Matyáš ; Petr Švenda ; Jonathan Anderson ; Bruce Christianson ; James Malcolm. Vol. 8809 Cham : Springer-Verlag, 2014. pp. 321-333 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inbook{f8d89efa888f486986aecbf229bae08a,

title = "On the reliability of network measurement techniques used for malware traffic analysis",

abstract = "Malware attacks are increasingly popular attack vectors in online crime. As trends and anecdotal evidence show, preventing these attacks, regardless of their opportunistic or targeted nature, has proven difficult: intrusions happen and devices get compromised, even at securityconscious organisations. As a consequence, an alternative line of work has focused on detecting and disrupting the individual steps that follow an initial compromise and that are essential for the successful progression of the attack. In particular, a number of approaches and techniques have been proposed to identify the Command & Control (C2) channel that a compromised system establishes to communicate with its controller. The success of C2 detection approaches depends on collecting relevant network traffic. As traffic volumes increase this is proving increasingly difficult. In this paper, we analyse current approaches of ISP-scale network measurement from the perspective of C2 detection. We discuss a number of weaknesses that affect current techniques and provide suggestions for their improvement.",

keywords = "uniform sampling, proportional fairness, flow size, flooding attack, traffic trace, computer crime, reliability analysis, network security, packet sampling, traffic analysis, malware traffic analysis",

author = "Joseph Gardiner and Shishir Nagaraja",

year = "2014",

month = jan,

day = "1",

doi = "10.1007/978-3-319-12400-1_31",

language = "English",

isbn = "9783319123998",

volume = "8809",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer-Verlag",

pages = "321--333",

editor = "Frank Stajano and Vashek Maty{\'a}{\v s} and Petr {\v S}venda and Jonathan Anderson and Bruce Christianson and James Malcolm",

booktitle = "Security Protocols XXII - 22nd International Workshop, Revised Selected Papers",

}

Gardiner, J & Nagaraja, S 2014, On the reliability of network measurement techniques used for malware traffic analysis. in F Stajano, V Matyáš, P Švenda, J Anderson, B Christianson & J Malcolm (eds), Security Protocols XXII - 22nd International Workshop, Revised Selected Papers. vol. 8809, Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 8809, Springer-Verlag, Cham, pp. 321-333. https://doi.org/10.1007/978-3-319-12400-1_31

On the reliability of network measurement techniques used for malware traffic analysis. / Gardiner, Joseph; Nagaraja, Shishir.

Security Protocols XXII - 22nd International Workshop, Revised Selected Papers. ed. / Frank Stajano; Vashek Matyáš; Petr Švenda; Jonathan Anderson; Bruce Christianson; James Malcolm. Vol. 8809 Cham : Springer-Verlag, 2014. p. 321-333 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 8809).

Research output: Chapter in Book/Report/Conference proceeding › Chapter

TY - CHAP

T1 - On the reliability of network measurement techniques used for malware traffic analysis

AU - Gardiner, Joseph

AU - Nagaraja, Shishir

PY - 2014/1/1

Y1 - 2014/1/1

N2 - Malware attacks are increasingly popular attack vectors in online crime. As trends and anecdotal evidence show, preventing these attacks, regardless of their opportunistic or targeted nature, has proven difficult: intrusions happen and devices get compromised, even at securityconscious organisations. As a consequence, an alternative line of work has focused on detecting and disrupting the individual steps that follow an initial compromise and that are essential for the successful progression of the attack. In particular, a number of approaches and techniques have been proposed to identify the Command & Control (C2) channel that a compromised system establishes to communicate with its controller. The success of C2 detection approaches depends on collecting relevant network traffic. As traffic volumes increase this is proving increasingly difficult. In this paper, we analyse current approaches of ISP-scale network measurement from the perspective of C2 detection. We discuss a number of weaknesses that affect current techniques and provide suggestions for their improvement.

AB - Malware attacks are increasingly popular attack vectors in online crime. As trends and anecdotal evidence show, preventing these attacks, regardless of their opportunistic or targeted nature, has proven difficult: intrusions happen and devices get compromised, even at securityconscious organisations. As a consequence, an alternative line of work has focused on detecting and disrupting the individual steps that follow an initial compromise and that are essential for the successful progression of the attack. In particular, a number of approaches and techniques have been proposed to identify the Command & Control (C2) channel that a compromised system establishes to communicate with its controller. The success of C2 detection approaches depends on collecting relevant network traffic. As traffic volumes increase this is proving increasingly difficult. In this paper, we analyse current approaches of ISP-scale network measurement from the perspective of C2 detection. We discuss a number of weaknesses that affect current techniques and provide suggestions for their improvement.

KW - uniform sampling

KW - proportional fairness

KW - flow size

KW - flooding attack

KW - traffic trace

KW - computer crime

KW - reliability analysis

KW - network security

KW - packet sampling

KW - traffic analysis

KW - malware traffic analysis

UR - http://www.scopus.com/inward/record.url?scp=84921409947&partnerID=8YFLogxK

U2 - 10.1007/978-3-319-12400-1_31

DO - 10.1007/978-3-319-12400-1_31

M3 - Chapter

AN - SCOPUS:84921409947

SN - 9783319123998

VL - 8809

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 321

EP - 333

BT - Security Protocols XXII - 22nd International Workshop, Revised Selected Papers

A2 - Stajano, Frank

A2 - Matyáš, Vashek

A2 - Švenda, Petr

A2 - Anderson, Jonathan

A2 - Christianson, Bruce

A2 - Malcolm, James

PB - Springer-Verlag

CY - Cham

ER -

Gardiner J, Nagaraja S. On the reliability of network measurement techniques used for malware traffic analysis. In Stajano F, Matyáš V, Švenda P, Anderson J, Christianson B, Malcolm J, editors, Security Protocols XXII - 22nd International Workshop, Revised Selected Papers. Vol. 8809. Cham: Springer-Verlag. 2014. p. 321-333. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-319-12400-1_31

On the reliability of network measurement techniques used for malware traffic analysis

Abstract

Publication series

Keywords

Access to Document

Other files and links

Fingerprint

Cite this