Causality reasoning about network events for detecting stealthy malware activities
| Autor: | Danfeng Yao, Naren Ramakrishnan, Hao Zhang, Zhibin Zhang |
|---|---|
| Jazyk: | angličtina |
| Předmět: |
Traffic analysis
Software_OPERATINGSYSTEMS General Computer Science Network security Computer science 0211 other engineering and technologies 02 engineering and technology Anomaly detection Security policy computer.software_genre Computer security Cryptovirology 0202 electrical engineering electronic engineering information engineering 021110 strategic defence & security studies business.industry Stealthy malware 020206 networking & telecommunications Statistical classification Malware Dependence analysis business Law computer Machine learning classification Computer Science(all) |
| Zdroj: | Computers & Security. :180-198 |
| ISSN: | 0167-4048 |
| DOI: | 10.1016/j.cose.2016.01.002 |
| Popis: | Malicious software activities have become more and more clandestine, making them challenging to detect. Existing security solutions rely heavily on the recognition of known code or behavior signatures, which are incapable of detecting new malware patterns. We propose to discover the triggering relations on network requests and leverage the structural information to identify stealthy malware activities that cannot be attributed to a legitimate cause. The triggering relation is defined as the temporal and causal relationship between two events. We design and compare rule- and learning-based methods to infer the triggering relations on network data. We further introduce a user-intention based security policy for pinpointing stealthy malware activities based on a triggering relation graph. We extensively evaluate our solution on a DARPA dataset and 7 GB real-world network traffic. Results indicate that our dependence analysis successfully detects various malware activities including spyware, data exfiltrating malware, and DNS bots on hosts. With good scalability for large datasets, the learning-based method achieves better classification accuracy than the rule-based one. The significance of our traffic reasoning approach is its ability to detect new and stealthy malware activities. |
| Databáze: | OpenAIRE |
| Externí odkaz: |
|