Elsevier, Computers & Security, Volume 58, May 2016, Pages 180-198

Causality reasoning about network events for detecting stealthy malware activities [1]

https://doi.org/10.1016/j.cose.2016.01.002
Open access under a Creative Commons license

Abstract

Malicious software activities have become increasingly clandestine, making them challenging to detect. Existing security solutions rely heavily on the recognition of known code or behavior signatures, which are incapable of detecting new malware patterns. We propose to discover the triggering relations among network requests and to leverage this structural information to identify stealthy malware activities that cannot be attributed to a legitimate cause. A triggering relation is defined as the temporal and causal relationship between two events. We design and compare rule- and learning-based methods for inferring triggering relations from network data. We further introduce a user-intention-based security policy for pinpointing stealthy malware activities on a triggering relation graph. We extensively evaluate our solution on a DARPA dataset and on 7 GB of real-world network traffic. Results indicate that our dependence analysis successfully detects various malware activities on hosts, including spyware, data-exfiltrating malware, and DNS bots. With good scalability on large datasets, the learning-based method achieves better classification accuracy than the rule-based one. The significance of our traffic reasoning approach is its ability to detect new and stealthy malware activities.
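As an added illustration, not code from the paper, the following toy rule-based inference builds a triggering relation graph over a constructed event trace and applies the user-intention policy: any network request whose chain of triggers never reaches a user action is flagged as unattributable. The rules (a DNS query is explained by a user action within a 2 s window; an HTTP request by a preceding DNS lookup of its host or by an earlier request whose URL matches its Referer) and the window size are assumptions chosen for illustration, not the rules the paper uses.

```python
from dataclasses import dataclass
from typing import List, Optional

WINDOW = 2.0  # seconds; assumed maximum delay between a trigger and its dependent event


@dataclass
class Event:
    eid: int
    ts: float
    kind: str              # "user", "dns" or "http"
    host: str = ""         # queried name (dns) or destination host (http)
    url: str = ""          # full URL of an http request
    referer: str = ""      # Referer header of an http request, if any
    parent: Optional[int] = None  # eid of the inferred triggering event


def infer_triggers(events: List[Event]) -> List[Event]:
    """Link each event to the most recent earlier event that can explain it (assumed rules)."""
    events = sorted(events, key=lambda e: e.ts)
    for i, e in enumerate(events):
        for cand in reversed(events[:i]):
            if e.ts - cand.ts > WINDOW:      # temporal constraint: too old to be the trigger
                break
            if e.kind == "dns" and cand.kind == "user":
                e.parent = cand.eid          # DNS lookup attributed to user intention
                break
            if e.kind == "http" and ((cand.kind == "dns" and cand.host == e.host)
                                     or (cand.kind == "http" and e.referer and cand.url == e.referer)):
                e.parent = cand.eid          # HTTP attributed to its DNS lookup or referring page
                break
    return events


def detect(events: List[Event]) -> List[int]:
    """Return eids of network events whose trigger chain does not end at a user action."""
    linked = infer_triggers(events)
    by_id = {e.eid: e for e in linked}
    flagged = []
    for e in linked:
        root = e
        while root.parent is not None:       # walk up the triggering relation graph
            root = by_id[root.parent]
        if e.kind != "user" and root.kind != "user":
            flagged.append(e.eid)
    return flagged


SAMPLE = [  # constructed trace: one user-driven page load, then two unattributed requests
    Event(1, 0.0, "user"),
    Event(2, 0.1, "dns", host="example.com"),
    Event(3, 0.3, "http", host="example.com", url="http://example.com/index.html"),
    Event(4, 0.5, "http", host="cdn.example.net", url="http://cdn.example.net/app.js",
          referer="http://example.com/index.html"),
    Event(5, 30.0, "dns", host="c2.example.org"),
    Event(6, 30.2, "http", host="c2.example.org", url="http://c2.example.org/beacon"),
    Event(7, 45.0, "http", host="tracker.example.org", url="http://tracker.example.org/p"),
]
```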

Keywords

Network security
Anomaly detection
Stealthy malware
Traffic analysis
Dependence analysis
Machine learning classification


Hao Zhang received his Ph.D. degree in Computer Science from Virginia Tech in 2015. He was a member of the Human-Centric Security Laboratory directed by Professor Danfeng Yao. He received his M.S. degree in Computer Science from Villanova University, PA in 2010. He holds a U.S. patent on his network anomaly detection technology. His current research interest is on designing machine learning methods for network and mobile security.

Danfeng (Daphne) Yao is an associate professor and L-3 Faculty Fellow in the Department of Computer Science at Virginia Tech, Blacksburg. She received her Computer Science Ph.D. degree from Brown University in 2007. She received the NSF CAREER Award in 2010 for her work on human-behavior-driven malware detection, and most recently the ARO Young Investigator Award in 2014 for her work on semantic reasoning for mission-oriented security. She received the Outstanding New Assistant Professor Award from the Virginia Tech College of Engineering in 2012. Dr. Yao has several Best Paper Awards (e.g., ICICS ‘06, CollaborateCom ‘09, and ICNP ‘12) and Best Poster Awards (e.g., ACM CODASPY ‘15). She was given the Award for Technological Innovation from Brown University in 2006. She held a U.S. patent for her anomaly detection technologies. Dr. Yao is an associate editor of IEEE Transactions on Dependable and Secure Computing (TDSC). She serves as a PC member for numerous computer security conferences, including ACM CCS. She has over 65 peer-reviewed publications in major security and privacy conferences and journals.

Naren Ramakrishnan is the Thomas L. Phillips Professor of Engineering at Virginia Tech. He directs the Discovery Analytics Center, a university-wide effort that brings together researchers from computer science, statistics, mathematics, and electrical and computer engineering to tackle knowledge discovery problems in important areas of national interest, including intelligence analysis, sustainability, and electronic medical records. He received his PhD in computer sciences from Purdue University.

Zhibin Zhang is an associate professor at the Institute of Computing Technology, Chinese Academy of Sciences. He received his Ph.D. degree in Computer Science from the Institute of Computing Technology, Chinese Academy of Sciences in 2007. His research interests lie in the areas of network measurement and security, traffic classification, distributed systems, and machine learning.

[1] The preliminary version of this work appeared in the Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security (ASIACCS), Kyoto, Japan, June 2014 (Zhang et al., 2012) and in the Proceedings of the 33rd IEEE Symposium on Security and Privacy Workshops (SPW), San Francisco, CA, May 2012 (Zhang et al., 2012; Zhang et al., 2014). This work was supported in part by NSF grant CAREER CNS-0953638, ARO YIP W911NF-14-1-0535, and L-3 Communications.