On the Reliability of Network Measurement Techniques Used for Malware Traffic Analysis

  • Conference paper
  • Security Protocols XXII (Security Protocols 2014)
  • Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8809)

Abstract

Malware is an increasingly popular attack vector in online crime. As trends and anecdotal evidence show, preventing these attacks, whether opportunistic or targeted, has proven difficult: intrusions happen and devices get compromised, even at security-conscious organisations. As a consequence, an alternative line of work has focused on detecting and disrupting the individual steps that follow an initial compromise and that are essential for the successful progression of the attack. In particular, a number of approaches and techniques have been proposed to identify the Command & Control (C2) channel that a compromised system establishes to communicate with its controller. The success of C2 detection approaches depends on collecting the relevant network traffic, and as traffic volumes increase this is proving increasingly difficult. In this paper, we analyse current approaches to ISP-scale network measurement from the perspective of C2 detection. We discuss a number of weaknesses that affect current techniques and provide suggestions for their improvement.
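The abstract does not say which measurement techniques the paper examines. The example below is added here and is not code from the paper; it assumes one technique that ISP-scale flow collectors commonly rely on, independent 1-in-N packet sampling, and shows why it works against C2 detection: a low-volume beacon is usually absent from the sample entirely, and when it is present its inverse-probability (Horvitz-Thompson) estimate is off by orders of magnitude, while heavy flows are measured well. The flow mix, packet counts, sampling rate and detector threshold are all constructed for the illustration.

```python
import math
import random
from collections import Counter

# Constructed traffic mix (flow name -> packet count). The figures are
# invented to mirror the usual skew: a few heavy flows carry almost all
# packets, while a beaconing C2 channel sends only a handful.
FLOWS = {
    "bulk-download": 200_000,
    "video-stream": 80_000,
    "web-browsing": 3_000,
    "c2-beacon": 12,  # one small check-in every few minutes for an hour
}
SAMPLING_RATE = 1000  # assumed 1-in-1000 packet sampling at the collector


def miss_probability(packets: int, rate: int) -> float:
    """P(a flow of `packets` packets is entirely unseen) under independent
    1-in-`rate` packet sampling: every packet must individually be skipped."""
    return (1 - 1 / rate) ** packets


def detect_probability(packets: int, rate: int, min_observed: int) -> float:
    """P(at least `min_observed` packets of the flow are sampled), i.e. the
    chance that a detector needing that many observations ever gets to run.
    The sampled count is Binomial(packets, 1/rate)."""
    p = 1 / rate
    return sum(math.comb(packets, k) * p**k * (1 - p) ** (packets - k)
               for k in range(min_observed, packets + 1))


def sample_flows(flows: dict, rate: int, rng: random.Random) -> dict:
    """Apply independent 1-in-`rate` packet sampling and return the sampled
    packet count per flow. Flows with no sampled packet are absent, which is
    exactly what a downstream C2 detector fed from the collector would see."""
    seen = Counter()
    for name, packets in flows.items():
        for _ in range(packets):
            if rng.randrange(rate) == 0:
                seen[name] += 1
    return dict(seen)


def ht_estimate(sampled: dict, rate: int) -> dict:
    """Horvitz-Thompson inverse-probability estimate of the true packet
    counts: each sampled packet stands for `rate` packets on the wire."""
    return {name: count * rate for name, count in sampled.items()}


def run_demo(rate: int = SAMPLING_RATE, seed: int = 7, trials: int = 10_000) -> dict:
    """One sampled view of the constructed mix plus analytic and empirical
    figures for how often the C2 beacon escapes the sample."""
    rng = random.Random(seed)
    sampled = sample_flows(FLOWS, rate, rng)
    estimates = ht_estimate(sampled, rate)
    c2 = FLOWS["c2-beacon"]
    # Empirical check of miss_probability: repeat the beacon's 12 packets
    # `trials` times and count runs in which none of them was sampled.
    missed = sum(
        all(rng.randrange(rate) != 0 for _ in range(c2)) for _ in range(trials)
    )
    return {
        "sampled": sampled,
        "estimates": estimates,
        "c2_miss_analytic": miss_probability(c2, rate),
        "c2_miss_empirical": missed / trials,
        "c2_three_beacons_seen": detect_probability(c2, rate, 3),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running it shows the asymmetry a practitioner cares about: the heavy flows are present in every sample and their estimates land close to the true counts, whereas the 12-packet beacon is missing from the sample about 98.8% of the time and, when it does appear, is estimated at 1000 packets or more, never near 12. A detector that needs three observations of a beacon before it can test for periodicity gets them with probability around 2e-7 at this sampling rate. Sampling keeps the elephants and drops the mice, which is the opposite of what C2 detection needs.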

Author information

Corresponding author: Shishir Nagaraja.

Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Gardiner, J., Nagaraja, S. (2014). On the Reliability of Network Measurement Techniques Used for Malware Traffic Analysis. In: Christianson, B., Malcolm, J., Matyáš, V., Švenda, P., Stajano, F., Anderson, J. (eds) Security Protocols XXII. Security Protocols 2014. Lecture Notes in Computer Science, vol 8809. Springer, Cham. https://doi.org/10.1007/978-3-319-12400-1_31

  • DOI: https://doi.org/10.1007/978-3-319-12400-1_31

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-12399-8

  • Online ISBN: 978-3-319-12400-1