Behavioral clustering of HTTP-based malware and signature generation using malicious network traces

Proceedings of NSDI 2010: 7th USENIX Symposium on Networked Systems Design and Implementation

Volumn , Issue , 2010, Pages 391-404

  Perdisci, Roberto ^a,b   Lee, Wenke ^a   Feamster, Nick ^a  

^a Georgia Institute of Technology   (United States)

^b Damballa Inc   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

HTTP; SYSTEMS ANALYSIS;

CLUSTERING SYSTEM; HIGH QUALITY; NETWORK LEVEL; PROOF OF CONCEPT; REAL WORLD DEPLOYMENT; SIGNATURE GENERATION; SIMILARITY METRICS; STRUCTURAL SIMILARITY;

MALWARE;

EID: 85076751448     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (34)

1. Avira Anti-Virus. http://www.avira.com.
2. Collaborative Malware Collection and Sensing. https://alliance.mwcollect.org.
3. Koobface. http://blog.threatexpert.com/2008/12/koobface- leaves- victims- black- spot.html.
4. McAfee Anti-Virus. http://www.mcafee.com.
5. Project Malfease. http://malfease.oarci.net.
6. Snort IDS. http://www.snort.org.
7. Trend Micro Anti-Virus. http://www.trendmicro.com.
8. Zeus Tracker. https://zeustracker.abuse.ch/faq. php.
9. M. Bailey, J. Oberheide, J. Andersen, Z. M. Mao, F. Jahanian, and J. Nazario. Automated classification and analysis of internet malware. In Recent Advances in Intrusion Detection, 2007.
10. U. Bayer, P. Milani Comparetti, C. Hlauschek, C. Kruegel, and E. Kirda. Scalable, behavior-based malware clustering. In Network and Distributed System Security Symposium, 2009.
11. D. Brumley, C. Hartwig, Z. Liang, J. Newsome, D. Song, and H. Yin. Automatically identifying trigger-based behavior in malware. Botnet Detection, 2008.
12. L. Cavallaro, P. Saxena, and R. Sekar. On the limits of information flow techniques for malware analysis and containment. In International conference on Detection of Intrusions and Malware, and Vulnerability Assessment, 2008.
13. J. Clause, W. Li, and A. Orso. Dytan: a generic dynamic taint analysis framework. In International symposium on Software testing and analysis, 2007.
14. D. Danchev. Web based botnet command and control kit 2.0, August 2008. http://ddanchev.blogspot.com/2008/08/web-based-botnet-command-and-control. html.
15. G. Gu, R. Perdisci, J. Zhang, and W. Lee. Botminer: clustering analysis of network traffic for protocol- and structure-independent botnet detection. In USENIX Security, 2008.
16. F. Guo, P. Ferrie, and T. Chiueh. A study of the packer problem and its solutions. In Recent Advances in Intrusion Detection, 2008.
17. M. Halkidi, Y. Batistakis, and M. Vazirgiannis. On clustering validation techniques. J. Intell. Inf. Syst., 17(2-3):107-145, 2001.
18. A. K. Jain and R. C. Dubes. Algorithms for clustering data. Prentice-Hall, Inc., 1988.
19. A. K. Jain, M. N. Murty, and P. J. Flynn. Data clustering: a review. ACM Comput. Surv., 31(3):264-323, 1999.
20. J. P. John, A. Moshchuk, S. D. Gribble, and A. Krishnamurthy. Studying spamming botnets using botlab. In USENIX Symposium on Networked Systems Design and Implementation (NSDI), 2009.
21. E. Kirda, C. Kruegel, G. Banks, G. Vigna, and R. A. Kemmerer. Behavior-based spyware detection. In USENIX Security, 2006.
22. V. Laurikari. TRE. http://www.laurikari.net/tre/.
23. Z. Liand, M. Sanghi, Y. Chen, M. Kao, and B. Chavez. Hamsa: Fast signature generation for zero-day polymorphicworms with provable attack resilience. In IEEE Symposium on Security and Privacy, 2006.
24. J. Newsome, B. Karp, and D. Song. Polygraph: Automatically generating signatures for polymorphic worms. In IEEE Symposium on Security and Privacy, 2005.
25. J. Newsome, B. Karp, and D. Song. Paragraph: Thwarting signature learning by training maliciously. In Recent Advances in Intrusion Detection (RAID), 2006.
26. J. Oberheide, E. Cooke, and F. Jahanian. CloudAV: N-Version antivirus in the network cloud. In USENIX Security, 2008.
27. D. Pelleg and A. W. Moore. X-means: Extending k-means with efficient estimation of the number of clusters. In International Conference on Machine Learning, 2000.
28. R. Perdisci, D. Dagon, W. Lee, P. Fogla, and M. Sharif. Misleadingworm signature generators using deliberate noise injection. In IEEE Symposium on Security and Privacy, 2006.
29. S. Singh, C. Estan, G. Varghese, and S. Savage. Automated worm fingerprinting. In ACM/USENIX Symposium on Operating System Design and Implementation, December 2004.
30. Symantec. Symantec Global Internet Security Threat Report trends for 2008, April 2009.
31. S. Wu and U. Manber. Agrep - a fast approximate pattern-matching tool. In USENIX Technical Conference, 1992.
32. Y. Xie, F. Yu, K. Achan, R. Panigrahy, G. Hulten, and I. Osipkov. Spamming botnets: signatures and characteristics. In ACM SIGCOMM conference on data communication, 2008.
33. V. Yegneswaran, J. T. Giffin, P. Barford, and S. Jha. An architecture for generating semantics-aware signatures. In USENIX Security Symposium, 2005.
34. H. Yin, D. Song, M. Egele, C. Kruegel, and E. Kirda. Panorama: capturing system-wide information flow for malware detection and analysis. In ACM Conference on Computer and Communications Security, 2007.