Practical correlation analysis between scan and malware profiles against zero-day attacks based on darknet monitoring

IEICE Transactions on Information and Systems

Volumn E92-D, Issue 5, 2009, Pages 787-798

  Nakao, Koji ^a   Inoue, Daisuke ^a   Eto, Masashi ^a   Yoshioka, Katsunari ^b  

^a NATIONAL INSTITUTE OF INFORMATION AND COMMUNICATIONS TECHNOLOGY   (Japan)

^b YOKOHAMA NATIONAL UNIVERSITY   (Japan)

Author keywords

Correlation analysis; Darknet malware analysis; Network monitoring; Sandbox

Indexed keywords

COMPUTER CRIME; CORRELATION METHODS;

CORRELATION ANALYSIS; INTER-RELATIONSHIPS; MACROSCOPIC APPROACH; MALWARE ANALYSIS; NETWORK MONITORING; PRACTICAL SOLUTIONS; RESEARCH ACTIVITIES; SANDBOX;

MALWARE;

EID: 76249083391     PISSN: 09168532     EISSN: 17451361     Source Type: Journal    
DOI: 10.1587/transinf.E92.D.787     Document Type: Article

References (29)

1. M. Bailey, E. Cooke, F. Jahanian, J. Nazario, and D. Watson, "The internet motion sensor: A distributed blackhole monitoring system, " 12th Annual Network and Distributed System Security Symposium (NDSS05), 2005.
2. D. Moore, "Network telescopes: tracking denial-of-service attacks and internet worms around the globe, " 17th Large Installation Systems Administration Conference (LISA'03), USENIX, 2003.
3. V. Yegneswaran, P. Barford, and D. Plonka, "On the design and use of Internet sinks for network abuse monitoring, " 7th International Symposium on Recent Advances in Intrusion Detection (RAID 2004), LNCS 3224, pp. 146-165, 2004.
4. SANS Internet Storm Center, http://isc.sans.org/
5. REN-ISAC: Research and Education Networking Information Sharing and Analysis Center, http://www.ren-isac.net/
6. Leurrecom.org Honeypot project, http://www.leurrecom.org/
7. National Cyber Security Center, Korea, http://www.ncsc.go.kr/eng/
8. Telecom Information Sharing and Analysis Center, Japan, https://www.telecom-isac.jp/
9. IT Security Center, Information-Technology Promotion Agency, Japan, https://www.ipa.go.jp/security/index-e.html
10. Japan Computer Emergency Response Team Coordination Center, http://jpcert.jp/isdas/index-en. html
11. police, http://www.cyberpolice.go.jp/english/obs e.html
12. M. Bailey, E. Cooke, F. Jahanian, A. Myrick, and S. Sinha, "Practical darknet measurement, " 2006 Conference on Information Sciences and Systems (CISS '06), pp. 1496-1501, 2006.
13. N. Provos, "Honeyd: A virtual honeypot daemon, " 10th DFN-CERT Workshop, 2003.
14. N. Provos, "A virtual honeypot framework, " 13th USENIX Security Symposium, pp. 1-14, 2004.
15. E. Alata, V. Nicomette, M. Kaaniche, and M. Dacier, "Lessons learned from the deployment of a high-interaction honeypot, " 6th European Dependable Computing Conference (EDCC-6), pp. 39-44, 2006.
16. C. Leita, M. Dacier, and F. Massicotte, "Automatic handling of protocol dependencies and reaction to 0-day attacks with ScriptGen based honeypots, " 9th International Symposium on Recent Advances in Intrusion Detection (RAID2006), pp. 185-205, 2006.
17. R. Isawa, S. Ichikawa, Y. Shiraishi, M. Mohri, and M. Morii, "A virus analysis supporting system; for automatic grasping virus behavior by code-analysis result, " Computer Security Symposium 2005 (CSS2005), vol. 1, pp. 169-174, 2006.
18. D. Inoue, M. Eto, K. Yoshioka, Y. Hoshizawa, R. Isawa, M. Morii, and K. Nakao, "Micro analysis system for analyzing malware code and its behavior on nicter, " 2007 Symposium on Cryptography and Information Security (SCIS2007), 2F2-1, 2007.
19. Y. Hoshizawa, M. Morii, and K. Nakao, "A proposal of automated malware behavior analysis system, Information and Communication System Security, " IEICE Technical Report, ICSS2006-07, 2006.
20. C. Willems, T. Holz, and F. Freiling, "Toward automated dynamic malware analysis using CWSandbox, " IEEE Security & Privacy Magazine, vol. 5, no. 2, pp. 32-39, 2007.
21. NORMAN Sandbox Information Center, http://www.norman. com/microsites/nsic/
22. K. Nakao, F. Matsumoto, D. Inoue, S. Baba, K. Suzuki, M. Eto, K. Yoshioka, K. Rikitake, and Y. Hori, "Visualization technologies of nicter incident analysis system, " IEICE Technical Report, ISEC-176, 2006.
23. K. Nakao, K. Yoshioka, D. Inoue, M. Eto, and K. Rikitake, "nicter: An incident analysis system using correlation between network monitoring and malware analysis, " 1st Joint Workshop on Information Security (JWIS06), pp. 363-377, 2006.
24. K. Yoshioka, M. Eto, D. Inoue, and K. Nakao, "Macro-micro correlation analysis for binding darknet traffic and malwares, " 2007 Symposium on Cryptography and Information Security (SCIS2007), 2F2-2, 2007.
25. K. Nakao, K. Yoshioka, D. Inoue, and M. Eto, "A novel concept of network incident analysis based on multi-layer observations of malware activities, " 2nd Joint Workshop on Information Security (JWIS07), pp. 267-279, 2007.
26. D. Inoue, M. Eto, K. Yoshioka, S. Baba, K. Suzuki, J. Nakazato, K. Ohtaka, and K. Nakao, "nicter: An incident analysis system toward binding network monitoring with malware analysis, " WOMBAT Workshop on Information Security Threats Data Collection and Sharing (WISTDCS 2008), pp. 58-66, 2008.
27. K. Suzuki, S. Baba, and H. Takakura, "Analyzing traffic directed to unused IP address blocks, " IEICE Technical Report, IA2005-23, Jan. 2006.
28. J. Takeuchi and K. Yamanishi, "A unifying framework for detecting outliers and change points from non-stationary time series data, " IEEE Trans. Knowledge Data Eng., vol. 18, no. 4, pp. 482-489, 2006.
29. P. Baecher, M. Koetter, T. Holz, M. Dornseif, and F. C. Freiling, "The nepenthes platform: an efficient approach to collect malware, " 9th International Symposium on Recent Advances in Intrusion Detection, (RAID 2006), pp. 165-184, 2006.