12 May 2016 Identifying compromised systems through correlation of suspicious traffic from malware behavioral analysis
Abstract
Malware detection may be accomplished through the analysis of their infection behavior. To do so, dynamic analysis systems run malware samples and extract their operating system activities and network traffic. This traffic may represent malware accessing external systems, either to steal sensitive data from victims or to fetch other malicious artifacts (configuration files, additional modules, commands). In this work, we propose the use of visualization as a tool to identify compromised systems based on correlating malware communications in the form of graphs and finding isomorphisms between them. We produced graphs from over 6 thousand distinct network traffic files captured during malware execution and analyzed the existing relationships among malware samples and IP addresses.
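Added example, not code from the paper: a minimal stdlib-only Python sketch of the sample/IP correlation the abstract describes, run on constructed traffic records (every sample id and address below is hypothetical). It builds the bipartite sample-to-IP graph, groups samples whose contact graphs are isomorphic with IP labels preserved, clusters samples that share infrastructure, and checks a monitored host's destinations against addresses seen across several samples.

```python
from collections import defaultdict

# Constructed data (hypothetical): (sample_id, destination_ip) pairs such as
# would be extracted from pcaps captured while running samples in a sandbox.
TRAFFIC = [
    ("sample_a", "198.51.100.10"), ("sample_a", "203.0.113.5"),
    ("sample_b", "203.0.113.5"), ("sample_b", "198.51.100.77"),
    ("sample_c", "192.0.2.33"),
    ("sample_d", "198.51.100.77"), ("sample_d", "203.0.113.5"),
]


def build_graph(pairs):
    """Bipartite graph as two adjacency maps: sample -> {ip}, ip -> {sample}."""
    samples, ips = defaultdict(set), defaultdict(set)
    for sample, ip in pairs:
        samples[sample].add(ip)
        ips[ip].add(sample)
    return dict(samples), dict(ips)


def shared_infrastructure(ips, min_samples=2):
    """IPs contacted by at least min_samples distinct samples (likely C2/drop hosts)."""
    return {ip: sorted(s) for ip, s in ips.items() if len(s) >= min_samples}


def equivalent_samples(samples):
    """Samples whose contact graphs are isomorphic with IP labels kept: same IP set."""
    groups = defaultdict(list)
    for sample, contacted in samples.items():
        groups[frozenset(contacted)].append(sample)
    return [sorted(g) for g in groups.values() if len(g) > 1]


def sample_clusters(samples, ips):
    """Connected components of the bipartite graph: groups sharing infrastructure."""
    seen, clusters = set(), []
    for start in samples:
        if start in seen:
            continue
        stack, component = [start], set()
        while stack:
            sample = stack.pop()
            if sample in seen:
                continue
            seen.add(sample)
            component.add(sample)
            for ip in samples[sample]:
                stack.extend(ips[ip] - seen)  # hop sample -> ip -> other samples
        clusters.append(sorted(component))
    return clusters


def suspicious_destinations(host_ips, ips, min_samples=2):
    """Destinations of a monitored host that match shared malware infrastructure."""
    shared = shared_infrastructure(ips, min_samples)
    return sorted(ip for ip in host_ips if ip in shared)
```

A real deployment would key samples by hash and carry ports and protocols on the edges; the structure of the graph and the checks stay the same.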
© (2016) COPYRIGHT Society of Photo-Optical Instrumentation Engineers (SPIE). Downloading of the abstract is permitted for personal use only.
Ana E. F. Camilo, André Grégio, Rafael D. C. Santos, "Identifying compromised systems through correlation of suspicious traffic from malware behavioral analysis", Proc. SPIE 9826, Cyber Sensing 2016, 982606 (12 May 2016); doi: 10.1117/12.2223968; https://doi.org/10.1117/12.2223968
Proceedings, 10 pages