Considering rapid increase of recent highly organized and sophisticated malwares, practical solutions for the countermeasures against malwares especially related to zero-day attacks should be effectively developed in an urgent manner. Several research activities have been already carried out focusing on statistic calculation of network events by means of global network sensors (so-called macroscopic approach) as well as on direct malware analysis such as code analysis (so-called microscopic approach). However, in the current research activities, it is not clear at all how to inter-correlate between network behaviors obtained from macroscopic approach and malware behaviors obtained from microscopic approach. In this paper, in one side, network behaviors observed from darknet are strictly analyzed to produce scan profiles, and in the other side, malware behaviors obtained from honeypots are correctly analyzed so as to produce a set of profiles containing malware characteristics. To this end, inter-relationship between above two types of profiles is practically discussed and studied so that frequently observed malwares behaviors can be finally identified in view of scan-malware chain.
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Copy
Koji NAKAO, Daisuke INOUE, Masashi ETO, Katsunari YOSHIOKA, "Practical Correlation Analysis between Scan and Malware Profiles against Zero-Day Attacks Based on Darknet Monitoring" in IEICE TRANSACTIONS on Information,
vol. E92-D, no. 5, pp. 787-798, May 2009, doi: 10.1587/transinf.E92.D.787.
Abstract: Considering rapid increase of recent highly organized and sophisticated malwares, practical solutions for the countermeasures against malwares especially related to zero-day attacks should be effectively developed in an urgent manner. Several research activities have been already carried out focusing on statistic calculation of network events by means of global network sensors (so-called macroscopic approach) as well as on direct malware analysis such as code analysis (so-called microscopic approach). However, in the current research activities, it is not clear at all how to inter-correlate between network behaviors obtained from macroscopic approach and malware behaviors obtained from microscopic approach. In this paper, in one side, network behaviors observed from darknet are strictly analyzed to produce scan profiles, and in the other side, malware behaviors obtained from honeypots are correctly analyzed so as to produce a set of profiles containing malware characteristics. To this end, inter-relationship between above two types of profiles is practically discussed and studied so that frequently observed malwares behaviors can be finally identified in view of scan-malware chain.
URL: https://global.ieice.org/en_transactions/information/10.1587/transinf.E92.D.787/_p
Copy
@ARTICLE{e92-d_5_787,
author={Koji NAKAO, Daisuke INOUE, Masashi ETO, Katsunari YOSHIOKA, },
journal={IEICE TRANSACTIONS on Information},
title={Practical Correlation Analysis between Scan and Malware Profiles against Zero-Day Attacks Based on Darknet Monitoring},
year={2009},
volume={E92-D},
number={5},
pages={787-798},
abstract={Considering rapid increase of recent highly organized and sophisticated malwares, practical solutions for the countermeasures against malwares especially related to zero-day attacks should be effectively developed in an urgent manner. Several research activities have been already carried out focusing on statistic calculation of network events by means of global network sensors (so-called macroscopic approach) as well as on direct malware analysis such as code analysis (so-called microscopic approach). However, in the current research activities, it is not clear at all how to inter-correlate between network behaviors obtained from macroscopic approach and malware behaviors obtained from microscopic approach. In this paper, in one side, network behaviors observed from darknet are strictly analyzed to produce scan profiles, and in the other side, malware behaviors obtained from honeypots are correctly analyzed so as to produce a set of profiles containing malware characteristics. To this end, inter-relationship between above two types of profiles is practically discussed and studied so that frequently observed malwares behaviors can be finally identified in view of scan-malware chain.},
keywords={},
doi={10.1587/transinf.E92.D.787},
ISSN={1745-1361},
month={May},}
Copy
TY - JOUR
TI - Practical Correlation Analysis between Scan and Malware Profiles against Zero-Day Attacks Based on Darknet Monitoring
T2 - IEICE TRANSACTIONS on Information
SP - 787
EP - 798
AU - Koji NAKAO
AU - Daisuke INOUE
AU - Masashi ETO
AU - Katsunari YOSHIOKA
PY - 2009
DO - 10.1587/transinf.E92.D.787
JO - IEICE TRANSACTIONS on Information
SN - 1745-1361
VL - E92-D
IS - 5
JA - IEICE TRANSACTIONS on Information
Y1 - May 2009
AB - Considering rapid increase of recent highly organized and sophisticated malwares, practical solutions for the countermeasures against malwares especially related to zero-day attacks should be effectively developed in an urgent manner. Several research activities have been already carried out focusing on statistic calculation of network events by means of global network sensors (so-called macroscopic approach) as well as on direct malware analysis such as code analysis (so-called microscopic approach). However, in the current research activities, it is not clear at all how to inter-correlate between network behaviors obtained from macroscopic approach and malware behaviors obtained from microscopic approach. In this paper, in one side, network behaviors observed from darknet are strictly analyzed to produce scan profiles, and in the other side, malware behaviors obtained from honeypots are correctly analyzed so as to produce a set of profiles containing malware characteristics. To this end, inter-relationship between above two types of profiles is practically discussed and studied so that frequently observed malwares behaviors can be finally identified in view of scan-malware chain.
ER -