Overcoming the highly organized and coordinated malware threats by botnets on the Internet is becoming increasingly difficult. A honeypot is a powerful tool for observing and catching malware and virulent activity in Internet traffic. Because botnets use systematic attack methods, the sequences of malware downloaded by honeypots have particular forms of coordinated pattern. This paper aims to discover new frequent sequential attack patterns in malware automatically. One problem is the difficulty in identifying particular patterns from full yearlong logs because the dataset is too large for individual investigations. This paper proposes the use of a data-mining algorithm to overcome this problem. We implement the PrefixSpan algorithm to analyze malware-attack logs and then show some experimental results. Analysis of these results indicates that botnet attacks can be characterized either by the download times or by the source addresses of the bots. Finally, we use entropy analysis to reveal how frequent sequential patterns are involved in coordinated attacks.
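As an added illustration of the approach the abstract describes (this is not the authors' code and the log is constructed), the following Python implements PrefixSpan over per-honeypot download sequences and then characterizes each frequent pattern by the entropy of the source addresses that delivered it and by the largest gap between its downloads. Honeypot ids, sample labels and the RFC 5737 addresses are invented; a real run would group the honeypot's yearlong download log into sequences the same way.

```python
"""Mining frequent download sequences from honeypot logs with PrefixSpan and
scoring each pattern by source-address entropy and download timing.

Added example, not code from the paper. The log below is constructed:
the honeypot ids, source addresses and sample labels are invented.
"""
from collections import Counter, defaultdict
from datetime import datetime
from math import log2

# Constructed honeypot log: (honeypot, timestamp, source address, sample label).
LOG = [
    ("hp1", "2009-03-01T00:10", "203.0.113.5",   "A"),
    ("hp1", "2009-03-01T00:12", "203.0.113.5",   "B"),
    ("hp1", "2009-03-01T03:40", "198.51.100.9",  "C"),
    ("hp2", "2009-03-01T00:11", "203.0.113.5",   "A"),
    ("hp2", "2009-03-01T00:13", "203.0.113.5",   "B"),
    ("hp2", "2009-03-01T05:00", "198.51.100.20", "D"),
    ("hp3", "2009-03-01T00:10", "203.0.113.5",   "A"),
    ("hp3", "2009-03-01T07:30", "192.0.2.77",    "C"),
    ("hp4", "2009-03-01T01:00", "203.0.113.44",  "B"),
    ("hp4", "2009-03-01T01:05", "203.0.113.44",  "C"),
]


def build_sequences(log):
    """One event sequence per honeypot, ordered by download time."""
    by_hp = defaultdict(list)
    for hp, ts, src, label in log:
        by_hp[hp].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M"), src, label))
    return {hp: sorted(ev) for hp, ev in by_hp.items()}


def prefixspan(sequences, min_support):
    """PrefixSpan for single-item sequences.

    Returns {pattern: support}, where support is the number of sequences
    that contain the pattern as a gap-allowing subsequence and is at least
    min_support. Patterns are grown by projecting the database onto the
    suffix after each frequent item, which is the core of PrefixSpan.
    """
    patterns = {}

    def project(db, item):
        # Suffix after the first occurrence of `item` at or past each offset.
        proj = []
        for seq, start in db:
            for i in range(start, len(seq)):
                if seq[i] == item:
                    proj.append((seq, i + 1))
                    break
        return proj

    def grow(prefix, db):
        counts = Counter()
        for seq, start in db:
            counts.update(set(seq[start:]))  # each sequence counts once
        for item, sup in sorted(counts.items()):
            if sup >= min_support:
                pat = prefix + (item,)
                patterns[pat] = sup
                grow(pat, project(db, item))

    grow((), [(tuple(s), 0) for s in sequences])
    return patterns


def match(events, pattern):
    """Leftmost subsequence match of `pattern` against one honeypot's events
    (the same matching the projection uses). None when the pattern is absent."""
    hits, i = [], 0
    for ev in events:
        if i < len(pattern) and ev[2] == pattern[i]:
            hits.append(ev)
            i += 1
    return hits if i == len(pattern) else None


def entropy(counter):
    """Shannon entropy in bits of the distribution in `counter`."""
    total = sum(counter.values())
    return sum(-(c / total) * log2(c / total) for c in counter.values())


def characterize(sequences, pattern):
    """Source-address entropy and largest inter-download gap (minutes) over
    every honeypot where `pattern` occurs. Near-zero entropy with a small
    gap means one host pushes a fixed payload chain: a coordinated attack."""
    srcs, max_gap = Counter(), 0.0
    for events in sequences.values():
        hits = match(events, pattern)
        if hits is None:
            continue
        srcs.update(src for _, src, _ in hits)
        for a, b in zip(hits, hits[1:]):
            max_gap = max(max_gap, (b[0] - a[0]).total_seconds() / 60)
    return round(entropy(srcs), 3), max_gap


def analyse(log, min_support=2):
    """{pattern: (support, source_entropy_bits, max_gap_minutes)} for every
    frequent pattern of length two or more."""
    seqs = build_sequences(log)
    pats = prefixspan([[label for _, _, label in ev] for ev in seqs.values()],
                      min_support)
    return {p: (sup, *characterize(seqs, p)) for p, sup in pats.items() if len(p) > 1}


if __name__ == "__main__":
    for pat, (sup, h, gap) in sorted(analyse(LOG).items()):
        print(f"{'->'.join(pat):8} support={sup} src_entropy={h:.3f} max_gap_min={gap:.0f}")
```

On the constructed log, A->B is delivered to both honeypots by the same address two minutes apart (entropy 0.0, gap 2 min), whereas A->C and B->C are assembled from several sources hours apart (entropy 1.5 bits); the first is the kind of pattern the abstract attributes to a coordinated botnet, the others are coincidental co-occurrence. A real analysis would also bound the recursion depth or minimum support, since PrefixSpan on a yearlong log with a low support threshold can emit a very large pattern set.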
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Nur Rohman ROSYID, Masayuki OHRUI, Hiroaki KIKUCHI, Pitikhate SOORAKSA, Masato TERADA, "Analysis on the Sequential Behavior of Malware Attacks" in IEICE TRANSACTIONS on Information,
vol. E94-D, no. 11, pp. 2139-2149, November 2011, doi: 10.1587/transinf.E94.D.2139.
URL: https://global.ieice.org/en_transactions/information/10.1587/transinf.E94.D.2139/_p
@ARTICLE{e94-d_11_2139,
author={Nur Rohman ROSYID and Masayuki OHRUI and Hiroaki KIKUCHI and Pitikhate SOORAKSA and Masato TERADA},
journal={IEICE TRANSACTIONS on Information},
title={Analysis on the Sequential Behavior of Malware Attacks},
year={2011},
volume={E94-D},
number={11},
pages={2139-2149},
abstract={Overcoming the highly organized and coordinated malware threats by botnets on the Internet is becoming increasingly difficult. A honeypot is a powerful tool for observing and catching malware and virulent activity in Internet traffic. Because botnets use systematic attack methods, the sequences of malware downloaded by honeypots have particular forms of coordinated pattern. This paper aims to discover new frequent sequential attack patterns in malware automatically. One problem is the difficulty in identifying particular patterns from full yearlong logs because the dataset is too large for individual investigations. This paper proposes the use of a data-mining algorithm to overcome this problem. We implement the PrefixSpan algorithm to analyze malware-attack logs and then show some experimental results. Analysis of these results indicates that botnet attacks can be characterized either by the download times or by the source addresses of the bots. Finally, we use entropy analysis to reveal how frequent sequential patterns are involved in coordinated attacks.},
keywords={},
doi={10.1587/transinf.E94.D.2139},
ISSN={1745-1361},
month={November},}
TY - JOUR
TI - Analysis on the Sequential Behavior of Malware Attacks
T2 - IEICE TRANSACTIONS on Information
SP - 2139
EP - 2149
AU - Nur Rohman ROSYID
AU - Masayuki OHRUI
AU - Hiroaki KIKUCHI
AU - Pitikhate SOORAKSA
AU - Masato TERADA
PY - 2011
DO - 10.1587/transinf.E94.D.2139
JO - IEICE TRANSACTIONS on Information
SN - 1745-1361
VL - E94-D
IS - 11
JA - IEICE TRANSACTIONS on Information
Y1 - November 2011
AB - Overcoming the highly organized and coordinated malware threats by botnets on the Internet is becoming increasingly difficult. A honeypot is a powerful tool for observing and catching malware and virulent activity in Internet traffic. Because botnets use systematic attack methods, the sequences of malware downloaded by honeypots have particular forms of coordinated pattern. This paper aims to discover new frequent sequential attack patterns in malware automatically. One problem is the difficulty in identifying particular patterns from full yearlong logs because the dataset is too large for individual investigations. This paper proposes the use of a data-mining algorithm to overcome this problem. We implement the PrefixSpan algorithm to analyze malware-attack logs and then show some experimental results. Analysis of these results indicates that botnet attacks can be characterized either by the download times or by the source addresses of the bots. Finally, we use entropy analysis to reveal how frequent sequential patterns are involved in coordinated attacks.
ER -