Malware detection may be accomplished through the analysis of infection behavior. To do so, dynamic analysis systems run malware samples and record their operating system activity and network traffic. This traffic may show malware contacting external systems, either to steal sensitive data from victims or to fetch other malicious artifacts (configuration files, additional modules, commands). In this work, we propose the use of visualization as a tool to identify compromised systems, correlating malware communications in the form of graphs and finding isomorphisms between them. We produced graphs from over 6 thousand distinct network traffic files captured during malware execution and analyzed the relationships among malware samples and IP addresses.
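As an added illustration of the graph-based correlation described above (example code written for this page, not the paper's own implementation), the following Python builds a bipartite graph of samples and the IP addresses they contacted from constructed (sample, destination IP) records, extracts each sample's two-hop communication neighborhood, and groups samples whose neighborhoods are isomorphic. The sample identifiers, addresses and the brute-force isomorphism test are assumptions of the example; the exhaustive search is only practical for the small neighborhoods shown here.

```python
"""Correlate malware network traffic as a graph and group samples whose
communication patterns are isomorphic. Example code; sample names and IP
addresses are constructed."""
from collections import defaultdict
from itertools import permutations

# Constructed (sample, destination IP) pairs, as would be extracted from
# traffic captured while each sample ran in a sandbox.
CONTACTS = [
    ("s1", "198.51.100.10"), ("s1", "198.51.100.11"),
    ("s2", "198.51.100.10"), ("s2", "198.51.100.11"),
    ("s3", "203.0.113.5"),
    ("s4", "203.0.113.5"), ("s4", "203.0.113.6"), ("s4", "203.0.113.7"),
    ("s5", "192.0.2.1"), ("s5", "192.0.2.2"),
    ("s6", "192.0.2.8"), ("s6", "192.0.2.9"),
    ("s7", "192.0.2.8"), ("s7", "192.0.2.9"),
]


def build_graph(contacts):
    """Undirected bipartite graph; nodes are ("sample", id) or ("ip", addr)."""
    adj = defaultdict(set)
    for sample, ip in contacts:
        s, d = ("sample", sample), ("ip", ip)
        adj[s].add(d)
        adj[d].add(s)
    return adj


def neighborhood(adj, node, radius=2):
    """Subgraph induced by the nodes within `radius` hops of `node`.

    Radius 2 covers the IPs a sample contacts and the other samples that
    contact the same IPs, i.e. the sample's communication pattern."""
    seen, frontier = {node}, {node}
    for _ in range(radius):
        frontier = {n for f in frontier for n in adj[f]} - seen
        seen |= frontier
    return {n: adj[n] & seen for n in seen}


def _invariant(g):
    """Cheap necessary condition: multiset of (node type, degree)."""
    return sorted((n[0], len(g[n])) for n in g)


def isomorphic(g1, g2):
    """Type-preserving graph isomorphism by exhaustive search.

    Adequate for neighborhoods of a handful of nodes; larger graphs would
    need VF2 or canonical labelling instead."""
    if len(g1) != len(g2) or _invariant(g1) != _invariant(g2):
        return False
    n1, n2 = sorted(g1), sorted(g2)
    for perm in permutations(n2):
        mapping = dict(zip(n1, perm))
        if any(a[0] != b[0] for a, b in mapping.items()):
            continue  # sample nodes must map to sample nodes, IPs to IPs
        if all({mapping[m] for m in g1[a]} == g2[mapping[a]] for a in n1):
            return True
    return False


def cluster_by_structure(adj, radius=2):
    """Group sample ids whose communication neighborhoods are isomorphic."""
    groups = []  # (representative neighborhood, [sample ids])
    for node in sorted(n for n in adj if n[0] == "sample"):
        g = neighborhood(adj, node, radius)
        for rep, members in groups:
            if isomorphic(g, rep):
                members.append(node[1])
                break
        else:
            groups.append((g, [node[1]]))
    return [members for _, members in groups]


if __name__ == "__main__":
    for group in cluster_by_structure(build_graph(CONTACTS)):
        print("same communication structure:", ", ".join(group))
```

Samples s1, s2, s6 and s7 end up in one group although they share no IP address with each other's pair: both pairs contact exactly two servers that nobody else contacts, which is the structural equivalence the isomorphism test captures and a plain IP-overlap check would miss.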
SkyServer is an Internet portal to data from the Sloan Digital Sky Survey, the largest online archive of astronomy data in the world. It provides free access to hundreds of millions of celestial objects for science, education and outreach purposes. Logs of accesses to SkyServer comprise around 930 million hits, 140 million web service accesses and 170 million submitted SQL queries, collected over the past 10 years. These logs also contain indications of compromise attempts on the servers. In this paper, we show some threats that were detected in ten years of stored logs and compare them with the threats known in those years. We also present an analysis of the evolution of those threats over these years.
Malware spread via the Internet is a great security threat, so studying its behavior is important in order to identify and classify it. Using SSDT hooking, we can obtain malware behavior by running a sample in a controlled environment and capturing its interactions with the target operating system regarding file, process, registry, network and mutex activities. This generates a chain of events that can be compared with those of other known malware. In this paper we present a simple approach to convert malware behavior into activity graphs and show some visualization techniques that can be used to analyze malware behavior, individually or in groups.
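As an added example of the event-chain-to-activity-graph idea (code written for this page, not the tool described in the abstract), the Python below takes constructed (acting process, operation, target) records of the kind an SSDT-hook monitor would log, builds a typed directed graph per sample, abstracts it into a behavior signature that survives renamed files, keys and mutexes, compares two samples with a weighted Jaccard score, and emits Graphviz DOT for visualization. The operation names, object classes and shapes are assumptions of the example, as are the three event chains.

```python
"""Turn SSDT-hook event chains into activity graphs, compare samples and
emit Graphviz DOT. Example code; the event chains below are constructed."""
from collections import Counter

# Object class touched by each hooked operation (assumed operation names).
OBJECT_CLASS = {
    "proc_create": "process", "file_write": "file", "file_read": "file",
    "reg_set": "registry", "mutex_create": "mutex", "net_connect": "network",
}
SHAPES = {"process": "box", "file": "note", "registry": "folder",
          "mutex": "diamond", "network": "ellipse"}

# Constructed event chains: (acting process, operation, target object).
SAMPLE_A = [
    ("malware.exe", "proc_create", "svchost.exe"),
    ("svchost.exe", "file_write", r"C:\Windows\System32\drv.sys"),
    ("svchost.exe", "reg_set", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\upd"),
    ("svchost.exe", "mutex_create", r"Global\x9a1"),
    ("svchost.exe", "net_connect", "198.51.100.7:443"),
]
SAMPLE_B = [  # same behaviour as SAMPLE_A, every concrete name different
    ("dropper.exe", "proc_create", "explorer.exe"),
    ("explorer.exe", "file_write", r"C:\Users\Public\k.dll"),
    ("explorer.exe", "reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\k"),
    ("explorer.exe", "mutex_create", r"Local\mx77"),
    ("explorer.exe", "net_connect", "203.0.113.9:8080"),
]
SAMPLE_C = [  # installer-like: drops a file and a Run key, no mutex, no network
    ("setup.exe", "proc_create", "msiexec.exe"),
    ("msiexec.exe", "file_write", r"C:\Program Files\App\app.exe"),
    ("msiexec.exe", "reg_set", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\app"),
]


def activity_graph(events):
    """Directed graph with typed nodes and (actor, operation, target) edges."""
    nodes, edges = set(), set()
    for actor, op, target in events:
        a, t = ("process", actor), (OBJECT_CLASS[op], target)
        nodes |= {a, t}
        edges.add((a, op, t))
    return nodes, edges


def behavior_signature(edges):
    """Abstract the graph: drop concrete names, keep (actor role, operation,
    target class). A process created during the run is a 'child', the
    initial sample a 'root', so the chain structure survives renaming."""
    children = {t for _, op, t in edges if op == "proc_create"}
    return Counter(
        ("child" if a in children else "root", op, t[0]) for a, op, t in edges)


def similarity(events_a, events_b):
    """Weighted Jaccard of two behavior signatures, in [0, 1]."""
    sa = behavior_signature(activity_graph(events_a)[1])
    sb = behavior_signature(activity_graph(events_b)[1])
    inter, union = sum((sa & sb).values()), sum((sa | sb).values())
    return inter / union if union else 1.0


def _q(s):
    """Quote a DOT identifier, escaping backslashes from Windows paths."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def to_dot(events, name="sample"):
    """Graphviz DOT for one chain; concatenate several chains to draw a group,
    processes with the same name then merge into shared nodes."""
    nodes, edges = activity_graph(events)
    out = [f"digraph {_q(name)} {{"]
    out += [f"  {_q(label)} [shape={SHAPES[cls]}];" for cls, label in sorted(nodes)]
    out += [f"  {_q(a)} -> {_q(t)} [label={_q(op)}];"
            for (_, a), op, (_, t) in sorted(edges)]
    out.append("}")
    return "\n".join(out)


if __name__ == "__main__":
    print("A~B", similarity(SAMPLE_A, SAMPLE_B), "A~C", similarity(SAMPLE_A, SAMPLE_C))
    print(to_dot(SAMPLE_A, "sample_a"))
```

Because the signature keeps the root/child distinction, SAMPLE_A and SAMPLE_B score 1.0 despite sharing no names, while SAMPLE_C, which performs three of the same five operations through a spawned child, scores 0.6.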
Malicious code (malware) that spreads through the Internet, such as viruses, worms and trojans, is a major threat to information security nowadays and a profitable business for criminals. There are several approaches to analyzing malware by monitoring its actions while it runs in a controlled environment, which helps to identify malicious behaviors. In this article we propose a tool to analyze malware behavior in a non-intrusive and effective way, extending the analysis to cover malware samples that bypass current approaches and also fixing some issues with those approaches.
Malware has become a major threat in recent years due to the ease with which it spreads through the Internet. Malware detection has become difficult with the use of compression, polymorphic methods and techniques to detect and disable security software. These and other obfuscation techniques pose a problem for detection and classification schemes that analyze malware behavior. In this paper we propose a distributed architecture to improve malware collection, using different honeypot technologies to increase the variety of malware collected. We also present a daemon tool developed to grab malware distributed through spam, and a pre-classification technique that uses antivirus technology to separate malware into generic classes.
As the number and types of remote network services increase, the analysis of their logs has become a very difficult and time-consuming task. There are several ways to filter relevant information and provide a reduced log set for analysis, such as whitelisting and intrusion detection tools, but all of them require a great deal of fine-tuning work and human expertise. Nowadays, researchers are evaluating data mining approaches for intrusion detection in network logs, using techniques such as genetic algorithms, neural networks and clustering algorithms. Some of those techniques yield good results, yet require a very large number of attributes gathered from network traffic to detect useful information. In this work we apply and evaluate some data mining techniques (K-Nearest Neighbors, Artificial Neural Networks and Decision Trees) on a reduced number of attributes over log data sets acquired from a real network and a honeypot, in order to classify traffic logs as normal or suspicious. The results obtained allow us to identify unlabeled logs and to describe which attributes were used for the decision. This approach provides a very reduced amount of logs to the network administrator, improving the analysis task and aiding in discovering new kinds of attacks against
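As an added example of the classification approach described above (code written for this page, not the paper's own experiment), the Python below applies two of the named techniques, K-Nearest Neighbors and a one-level decision tree, to constructed connection records described by only four attributes, and returns just the records some classifier flags as suspicious together with the attribute the tree used to decide. The attribute set, the training records, the unlabelled records and the choice of min-max scaling and Gini impurity are assumptions of the example; the real data sets in the abstract are not reproduced here.

```python
"""Classify traffic log records as normal or suspicious from a reduced set of
attributes with k-NN and a one-level decision tree. Example code; the log
records are constructed."""
import math
from collections import Counter

# Reduced attribute set per connection record (assumed for the example).
FEATURES = ("duration_s", "bytes_out", "bytes_in", "distinct_dst_ports")

# Constructed labelled training records: web browsing is normal; port scans
# and bulk outbound transfers are suspicious.
TRAIN = [
    ((1.2, 800, 45000, 1), "normal"),
    ((0.8, 600, 30000, 1), "normal"),
    ((2.5, 1500, 120000, 1), "normal"),
    ((0.5, 300, 12000, 1), "normal"),
    ((0.1, 60, 0, 200), "suspicious"),             # port scan
    ((0.2, 120, 40, 350), "suspicious"),           # port scan
    ((900.0, 50_000_000, 2000, 1), "suspicious"),  # exfiltration
    ((600.0, 20_000_000, 1500, 1), "suspicious"),  # exfiltration
]

# Constructed unlabelled records to triage.
UNLABELLED = [
    (1.0, 700, 40000, 1),
    (0.15, 80, 0, 260),
    (700.0, 30_000_000, 1800, 1),
]


def make_normalizer(train):
    """Min-max scaling fitted on the training data so that byte counts do
    not swamp durations and port counts in the distance."""
    cols = list(zip(*(x for x, _ in train)))
    lo, hi = [min(c) for c in cols], [max(c) for c in cols]
    return lambda x: [(v - l) / (h - l) if h > l else 0.0
                      for v, l, h in zip(x, lo, hi)]


def knn_predict(train, record, k=3):
    """Majority label among the k nearest (Euclidean) training records."""
    norm = make_normalizer(train)
    q = norm(record)
    nearest = sorted((math.dist(q, norm(x)), y) for x, y in train)[:k]
    return Counter(y for _, y in nearest).most_common(1)[0][0]


def gini(labels):
    n = len(labels)
    if n == 0:
        return 0.0
    return 1.0 - sum((c / n) ** 2 for c in Counter(labels).values())


def majority(labels):
    return Counter(labels).most_common(1)[0][0] if labels else None


def fit_stump(train):
    """Best single attribute/threshold split by weighted Gini impurity.
    The chosen attribute is the human-readable reason for the decision."""
    best = None
    for j, name in enumerate(FEATURES):
        values = sorted({x[j] for x, _ in train})
        for lo, hi in zip(values, values[1:]):
            thr = (lo + hi) / 2
            left = [y for x, y in train if x[j] <= thr]
            right = [y for x, y in train if x[j] > thr]
            score = (len(left) * gini(left) + len(right) * gini(right)) / len(train)
            if best is None or score < best["impurity"]:
                best = {"impurity": score, "attribute": name, "threshold": thr,
                        "le": majority(left), "gt": majority(right)}
    return best


def stump_predict(stump, record):
    j = FEATURES.index(stump["attribute"])
    return stump["le"] if record[j] <= stump["threshold"] else stump["gt"]


def triage(train, records, k=3):
    """Return only the records some classifier flags, with both labels and
    the tree rule that fired, so the administrator sees a reduced log set."""
    stump = fit_stump(train)
    j = FEATURES.index(stump["attribute"])
    flagged = []
    for r in records:
        labels = {"knn": knn_predict(train, r, k), "tree": stump_predict(stump, r)}
        if "suspicious" in labels.values():
            op = "<=" if r[j] <= stump["threshold"] else ">"
            flagged.append((r, labels, f"{stump['attribute']} {op} {stump['threshold']}"))
    return flagged


if __name__ == "__main__":
    for record, labels, rule in triage(TRAIN, UNLABELLED):
        print(record, labels, "tree rule:", rule)
```

On this data the stump settles on bytes_in with a threshold of 7000, which cleanly separates the browsing sessions from both the scans and the exfiltration transfers; k-NN reaches the same verdicts without being able to say which attribute mattered, which is the trade-off the abstract alludes to when it values techniques that can describe their decision.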