MARS: From traffic containment to network reconfiguration in malware-analysis systems
Author: | João Marcelo Ceron, Lisandro Zambenedetti Granville, Cintia Borges Margi |
---|---|
Year of publication: | 2017 |
Subject: | Software_OPERATINGSYSTEMS; Access network; Cyber-collection; Computer Networks and Communications; business.industry; Process (engineering); Computer science; REDES DE COMPUTADORES; 020206 networking & telecommunications; 02 engineering and technology; Network layer; computer.software_genre; Computer security; 020204 information systems; Sandbox (computer security); 0202 electrical engineering, electronic engineering, information engineering; Malware; Malware analysis; business; computer; Computer network |
Source: | Repositório Institucional da USP (Biblioteca Digital da Produção Intelectual) Universidade de São Paulo (USP) instacron:USP |
ISSN: | 1389-1286 |
DOI: | 10.1016/j.comnet.2017.10.003 |
Description: | Malware analysis systems are essential to characterize malware behavior and to improve defense mechanisms. In dynamic malware analysis, the actions performed by malware in a sandbox are highly dependent on the interactions with other hosts and services. However, the current solutions deal only superficially with the network environment that surrounds the sandbox, exposing limitations in traffic containment and network resource reconfiguration. We have already shown how Software-Defined Networking (SDN) could enable network access policy changes and thus expose distinct malware actions. In this paper, we investigate the malware analysis process by considering the entire analysis environment, including a sandbox and the other components that comprise it. We developed a fully automated malware analysis solution that uses the network layer as a tool to reconfigure the analysis environment. In that way, it is possible to implement per-flow containment rules, dynamic resource configuration, and to manipulate network traffic to impersonate services. Our experiments show that it is feasible to identify behavioral deviations in different analysis scenarios and to reveal many more malware behaviors than those revealed by state-of-the-art analysis systems. |
Database: | OpenAIRE |
External link: | |