IEICE TRANSACTIONS on Communications
Open Access
BotProfiler: Detecting Malware-Infected Hosts by Profiling Variability of Malicious Infrastructure
-
Full Text Views
40
- Cite this
- Free PDF (2.1MB)
Summary :
Ever-evolving malware makes it difficult to prevent it from infecting hosts. Botnets in particular are one of the most serious threats to cyber security, since they consist of a lot of malware-infected hosts. Many countermeasures against malware infection, such as generating network-based signatures or templates, have been investigated. Such templates are designed to introduce regular expressions to detect polymorphic attacks conducted by attackers. A potential problem with such templates, however, is that they sometimes falsely regard benign communications as malicious, resulting in false positives, due to an inherent aspect of regular expressions. Since the cost of responding to malware infection is quite high, the number of false positives should be kept to a minimum. Therefore, we propose a system to generate templates that cause fewer false positives than a conventional system in order to achieve more accurate detection of malware-infected hosts. We focused on the key idea that malicious infrastructures, such as malware samples or command and control, tend to be reused instead of created from scratch. Our research verifies this idea and proposes here a new system to profile the variability of substrings in HTTP requests, which makes it possible to identify invariable keywords based on the same malicious infrastructures and to generate more accurate templates. The results of implementing our system and validating it using real traffic data indicate that it reduced false positives by up to two-thirds compared to the conventional system and even increased the detection rate of infected hosts.
- Publication
- IEICE TRANSACTIONS on Communications Vol.E99-B No.5 pp.1012-1023
- Publication Date
- 2016/05/01
- Publicized
- Online ISSN
- 1745-1345
- DOI
- 10.1587/transcom.2015AMP0001
- Type of Manuscript
- Special Section PAPER (Special Section on Internet Architectures and Management Methods that Enable Flexible and Secure Deployment of Network Services)
- Category
Authors
Daiki CHIBA
NTT Corporation,Waseda University
Takeshi YAGI
NTT Corporation
Mitsuaki AKIYAMA
NTT Corporation
Kazufumi AOKI
NTT Corporation
Takeo HARIU
NTT Corporation
Shigeki GOTO
Waseda University
Keyword
Latest Issue
Copyrights notice of machine-translated contents
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Cite this
Copy
Daiki CHIBA, Takeshi YAGI, Mitsuaki AKIYAMA, Kazufumi AOKI, Takeo HARIU, Shigeki GOTO, "BotProfiler: Detecting Malware-Infected Hosts by Profiling Variability of Malicious Infrastructure" in IEICE TRANSACTIONS on Communications,
vol. E99-B, no. 5, pp. 1012-1023, May 2016, doi: 10.1587/transcom.2015AMP0001.
Abstract: Ever-evolving malware makes it difficult to prevent it from infecting hosts. Botnets in particular are one of the most serious threats to cyber security, since they consist of a lot of malware-infected hosts. Many countermeasures against malware infection, such as generating network-based signatures or templates, have been investigated. Such templates are designed to introduce regular expressions to detect polymorphic attacks conducted by attackers. A potential problem with such templates, however, is that they sometimes falsely regard benign communications as malicious, resulting in false positives, due to an inherent aspect of regular expressions. Since the cost of responding to malware infection is quite high, the number of false positives should be kept to a minimum. Therefore, we propose a system to generate templates that cause fewer false positives than a conventional system in order to achieve more accurate detection of malware-infected hosts. We focused on the key idea that malicious infrastructures, such as malware samples or command and control, tend to be reused instead of created from scratch. Our research verifies this idea and proposes here a new system to profile the variability of substrings in HTTP requests, which makes it possible to identify invariable keywords based on the same malicious infrastructures and to generate more accurate templates. The results of implementing our system and validating it using real traffic data indicate that it reduced false positives by up to two-thirds compared to the conventional system and even increased the detection rate of infected hosts.
URL: https://global.ieice.org/en_transactions/communications/10.1587/transcom.2015AMP0001/_p
Copy
@ARTICLE{e99-b_5_1012,
author={Daiki CHIBA, Takeshi YAGI, Mitsuaki AKIYAMA, Kazufumi AOKI, Takeo HARIU, Shigeki GOTO, },
journal={IEICE TRANSACTIONS on Communications},
title={BotProfiler: Detecting Malware-Infected Hosts by Profiling Variability of Malicious Infrastructure},
year={2016},
volume={E99-B},
number={5},
pages={1012-1023},
abstract={Ever-evolving malware makes it difficult to prevent it from infecting hosts. Botnets in particular are one of the most serious threats to cyber security, since they consist of a lot of malware-infected hosts. Many countermeasures against malware infection, such as generating network-based signatures or templates, have been investigated. Such templates are designed to introduce regular expressions to detect polymorphic attacks conducted by attackers. A potential problem with such templates, however, is that they sometimes falsely regard benign communications as malicious, resulting in false positives, due to an inherent aspect of regular expressions. Since the cost of responding to malware infection is quite high, the number of false positives should be kept to a minimum. Therefore, we propose a system to generate templates that cause fewer false positives than a conventional system in order to achieve more accurate detection of malware-infected hosts. We focused on the key idea that malicious infrastructures, such as malware samples or command and control, tend to be reused instead of created from scratch. Our research verifies this idea and proposes here a new system to profile the variability of substrings in HTTP requests, which makes it possible to identify invariable keywords based on the same malicious infrastructures and to generate more accurate templates. The results of implementing our system and validating it using real traffic data indicate that it reduced false positives by up to two-thirds compared to the conventional system and even increased the detection rate of infected hosts.},
keywords={},
doi={10.1587/transcom.2015AMP0001},
ISSN={1745-1345},
month={May},}
Copy
TY - JOUR
TI - BotProfiler: Detecting Malware-Infected Hosts by Profiling Variability of Malicious Infrastructure
T2 - IEICE TRANSACTIONS on Communications
SP - 1012
EP - 1023
AU - Daiki CHIBA
AU - Takeshi YAGI
AU - Mitsuaki AKIYAMA
AU - Kazufumi AOKI
AU - Takeo HARIU
AU - Shigeki GOTO
PY - 2016
DO - 10.1587/transcom.2015AMP0001
JO - IEICE TRANSACTIONS on Communications
SN - 1745-1345
VL - E99-B
IS - 5
JA - IEICE TRANSACTIONS on Communications
Y1 - May 2016
AB - Ever-evolving malware makes it difficult to prevent it from infecting hosts. Botnets in particular are one of the most serious threats to cyber security, since they consist of a lot of malware-infected hosts. Many countermeasures against malware infection, such as generating network-based signatures or templates, have been investigated. Such templates are designed to introduce regular expressions to detect polymorphic attacks conducted by attackers. A potential problem with such templates, however, is that they sometimes falsely regard benign communications as malicious, resulting in false positives, due to an inherent aspect of regular expressions. Since the cost of responding to malware infection is quite high, the number of false positives should be kept to a minimum. Therefore, we propose a system to generate templates that cause fewer false positives than a conventional system in order to achieve more accurate detection of malware-infected hosts. We focused on the key idea that malicious infrastructures, such as malware samples or command and control, tend to be reused instead of created from scratch. Our research verifies this idea and proposes here a new system to profile the variability of substrings in HTTP requests, which makes it possible to identify invariable keywords based on the same malicious infrastructures and to generate more accurate templates. The results of implementing our system and validating it using real traffic data indicate that it reduced false positives by up to two-thirds compared to the conventional system and even increased the detection rate of infected hosts.
ER -
English
