TY - GEN
T1 - Malflow
T2 - 31st Annual ACM Symposium on Applied Computing, SAC 2016
AU - Wüchner, Tobias
AU - Ochoa, Martín
AU - Golagha, Mojdeh
AU - Srivastava, Gaurav
AU - Schreck, Thomas
AU - Pretschner, Alexander
N1 - Publisher Copyright:
© 2016 ACM.
PY - 2016/4/4
Y1 - 2016/4/4
N2 - Modern malware interacts with multiple internet domains for various reasons: communication with command and control (C&C) servers, boosting click counts on online ads or performing denial of service attacks, among others. The identification of malign domains is thus necessary to prevent (and react to) incidents. Since malware creators constantly generate new domains to avoid detection, maintaining up-to-date lists of malign domains is challenging. We propose an approach that automatically estimates the risk associated with communicating with a domain based on the data flow behavior of a process communicating with it. Our approach uses unsupervised learning on data flow profiles that capture communication of processes with network endpoints at system call level to distinguish between likely malign or benign behavior. Our evaluations on a large and diverse data set indicate a high detection accuracy and a reasonable performance overhead. We further discuss how this concept can be used in an operational setting for fine-grained enforcement of risk-based incident response actions.
AB - Modern malware interacts with multiple internet domains for various reasons: communication with command and control (C&C) servers, boosting click counts on online ads or performing denial of service attacks, among others. The identification of malign domains is thus necessary to prevent (and react to) incidents. Since malware creators constantly generate new domains to avoid detection, maintaining up-to-date lists of malign domains is challenging. We propose an approach that automatically estimates the risk associated with communicating with a domain based on the data flow behavior of a process communicating with it. Our approach uses unsupervised learning on data flow profiles that capture communication of processes with network endpoints at system call level to distinguish between likely malign or benign behavior. Our evaluations on a large and diverse data set indicate a high detection accuracy and a reasonable performance overhead. We further discuss how this concept can be used in an operational setting for fine-grained enforcement of risk-based incident response actions.
KW - Command and control server
KW - Data flow analysis
KW - Malware
UR - http://www.scopus.com/inward/record.url?scp=84975795255&partnerID=8YFLogxK
U2 - 10.1145/2851613.2851802
DO - 10.1145/2851613.2851802
M3 - Conference contribution
AN - SCOPUS:84975795255
T3 - Proceedings of the ACM Symposium on Applied Computing
SP - 2087
EP - 2094
BT - 2016 Symposium on Applied Computing, SAC 2016
PB - Association for Computing Machinery
Y2 - 4 April 2016 through 8 April 2016
ER -