FIRMA: Malware clustering and network signature generation with mixed network behaviors

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

Volumn 8145 LNCS, Issue , 2013, Pages 144-163

  Rafique, M Zubair ^a   Caballero, Juan ^a  

^a IMDEA SOFTWARE INSTITUTE   (Spain)

Author keywords

Malware Clustering; Network Signatures; Signature Generation

Indexed keywords

AUTOMATIC TOOLS; BEHAVIORAL SIGNATURES; MALWARE FAMILIES; MALWARES; NETWORK ADMINISTRATOR; NETWORK BEHAVIORS; POLYMORPHIC VARIANT; SIGNATURE GENERATION;

INTERNET PROTOCOLS; TOOLS;

COMPUTER CRIME;

EID: 84888354292     PISSN: 03029743     EISSN: 16113349     Source Type: Book Series    
DOI: 10.1007/978-3-642-41284-4_8     Document Type: Conference Paper

References (42)

1. Abouelhoda, M.I., Kurtz, S., Ohlebusch, E.: Replacing suffix trees with enhanced suffix arrays. Journal of Discrete Algorithms 2(1) (2004)
2. Anubis: Analyzing unknown binaries, http://anubis.iseclab.org/
3. Bailey, M., Oberheide, J., Andersen, J., Mao, Z.M., Jahanian, F., Nazario, J.: Automated classification and analysis of internet malware. In: Kruegel, C., Lippmann, R., Clark, A. (eds.) RAID 2007. LNCS, vol. 4637, pp. 178-197. Springer, Heidelberg (2007)
4. Bayer, U., Comparetti, P.M., Hlauschek, C., Kruegel, C., Kirda, E.: Scalable, behavior-based malware clustering. In: NDSS (2009)
5. Caballero, J., Grier, C., Kreibich, C., Paxson, V.: Measuring pay-per-install: The commoditization of malware distribution. In: Usenixsecurity (2011)
6. Caballero, J., Johnson, N.M., McCamant, S., Song, D.: Binary code extraction and interface identification for security applications. In: NDSS (2010)
7. Caballero, J., Yin, H., Liang, Z., Song, D.: Polyglot: Automatic extraction of protocol message format using dynamic binary analysis. In: CCS (2007)
8. Chvatal, V.: A greedy heuristic for the set-covering problem. Mathematics of Operations Research 4(3) (1979)
9. Cui, W., Peinado, M., Wang, H.J., Locasto, M.: shieldgen: Automatic data patch generation for unknown vulnerabilities with informed probing, Oakland (2007)
10. Dreger, H., Feldmann, A.,Mai, M., Paxson, V., Sommer, R.: Dynamic application-layer protocol analysis for network intrusion detection. In: Usenixsecurity (2006)
11. Graziano, M., Leita, C., Balzarotti, D.: Towards network containment in malware analysis systems. In: ACSAC (2012)
12. Grier, C., et al.:Manufacturing compromise: The emergence of exploit-as-a-service. In: CCS (2012)
13. Gu, G., Perdisci, R., Zhang, J., Lee, W.: Botminer: Clustering analysis of network traffic for protocol and structure independent botnet detection. In: Usenixsecurity (2008)
14. Guo, F., Ferrie, P., Chiueh, T.-C.: A study of the packer problem and its solutions. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds.) RAID 2008. LNCS, vol. 5230, pp. 98-115. Springer, Heidelberg (2008)
15. Haffner, P., Sen, S., Spatscheck, O., Wang, D.: acas: Automated construction of application signatures. In: Minenet (2005)
16. Jang, J., Brumley, D., Venkataraman, S.: Bitshred: Feature hashing malware for scalable triage and semantic analysis. In: CCS (2011)
17. John, J.P., Moshchuk, A., Gribble, S.D., Krishnamurthy, A.: Studying spamming botnets using botlab. In: NSDI (2009)
18. Kim, H.-A., Karp, B.: Autograph: Toward automated, distributed worm signature detection. In: Usenixsecurity (2004)
19. Kirda, E., Kruegel, C., Banks, G., Vigna, G., Kemmerer, R.A.: Behavior-based spyware detection. In: Usenixsecurity (2006)
20. Kreibich, C., Crowcroft, J.: Honeycomb - creating intrusion detection signatures using honeypots. In: Hotnets (2003)
21. Kreibich, C., Weaver, N., Kanich, C., Cui, W., Paxson, V.: gq: Practical containment for measuring modern malware systems. In: IMC (2011)
22. Li, Z., Sanghi, M., Chavez, B., Chen, Y., Kao, M.-Y.: Hamsa: Fast signature generation for zero-day polymorphic worms with provable attack resilience, Oakland (2006)
23. The malicia project, http://malicia-project.com/.
24. Nappa, A., Rafique, M.Z., Caballero, J.: Driving in the cloud: An analysis of drive-by download operations and abuse reporting. In: Rieck, K., Stewin, P., Seifert, J.-P. (eds.) DIMVA 2013. LNCS, vol. 7967, pp. 1-20. Springer, Heidelberg (2013)
25. Newsome, J., Karp, B., Song, D.: Polygraph: Automatically generating signatures for polymorphic worms, Oakland (2005)
26. Perdisci, R., Lee, W., Feamster, N.: Behavioral clustering of http-based malware and signature generation using malicious network traces. In: NSDI (2010)
27. Perdisci, R., Vamo, M.U.: Towards a fully automated malware clustering validity analysis. In: ACSAC (2012)
28. Rieck, K., Holz, T., Willems, C., Düssel, P., Laskov, P.: Learning and classification of malware behavior. In: Zamboni, D. (ed.) DIMVA 2008. LNCS, vol. 5137, pp. 108-125. Springer, Heidelberg (2008)
29. Rieck, K., Schwenk, G., Limmer, T., Holz, T., Laskov, P.: Botzilla: Detecting the phoning home of malicious software. In: ACM Symposium on Applied Computing (2010)
30. Rossow, C., Dietrich, C.J.: PRO VEX: Detecting botnets with encrypted command and control channels. In: Rieck, K., Stewin, P., Seifert, J.-P. (eds.) DIMVA 2013. LNCS, vol. 7967, pp. 21-40. Springer, Heidelberg (2013)
31. Rossow, C., Dietrich, C.J., Bos, H., Cavallaro, L., van Steen, M., Freiling, F.C., Pohlmann, N.: Sandnet: Network traffic analysis of malicious software. In: Badgers (2011)
32. Singh, S.,Estan,C.,Varghese,G., Savage, S.:Automatedwormfingerprinting. In:Osdi (2004)
33. Snort, http://www.snort.org/.
34. Suricata, http://suricata-ids.org/.
35. Tuck, N., Sherwood, T., Calder, B., Varghese, G.: Deterministic memory-efficient string matching algorithms for intrusion detection. In: Infocom (2004)
36. Vrable, M., Ma, J.,Chen, J., Moore, D.,Vandekieft, E., Snoeren,A.C.,Voelker, G.M., Savage, S.: Scalability, fidelity, and containment in the potemkin virtual honeyfarm. In: SOSP (2005)
37. Wang, K., Cretu, G.F., Stolfo, S.J.: Anomalous payload-based worm detection and signature generation. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol. 3858, pp. 227-246. Springer, Heidelberg (2006)
38. Wurzinger, P., Bilge, L., Holz, T., Goebel, J., Kruegel, C., Kirda, E.: Automatically generating models for botnet detection. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 232-249. Springer, Heidelberg (2009)
39. Wyke, J.: The zeroaccess botnet (2012), http://www.sophos.com/en-us/why- sophos/our-people/technical-papers/zeroaccess-botnet.aspx
40. Xie, Y., Yu, F., Achan, K., Panigrahy, R., Hulten, G., Osipkov, I.: Spamming botnets: Signatures and characteristics. In: Sigcomm (2008)
41. Yegneswaran, V., Giffin, J.T., Barford, P., Jha, S.: An architecture for generating semanticsaware signatures. In: Usenixsecurity (2005)
42. Yin, H., Song, D., Manuel, E., Kruegel, C., Kirda, E.: Panorama: Capturing system-wide information flow for malware detection and analysis. In: CCS (2007)