BotProfiler: Detecting malware-infected hosts by profiling variability of malicious infrastructure

Daiki Chiba, Takeshi Yagi, Mitsuaki Akiyama, Kazufumi Aoki, Takeo Hariu, Shigeki Goto

    Research output: Contribution to journalArticle

    Abstract

    Ever-evolving malware makes it difficult to prevent it from infecting hosts. Botnets in particular are one of the most serious threats to cyber security, since they consist of a lot of malware-infected hosts. Many countermeasures against malware infection, such as generating network-based signatures or templates, have been investigated. Such templates are designed to introduce regular expressions to detect polymorphic attacks conducted by attackers. A potential problem with such templates, however, is that they sometimes falsely regard benign communications as malicious, resulting in false positives, due to an inherent aspect of regular expressions. Since the cost of responding to malware infection is quite high, the number of false positives should be kept to a minimum. Therefore, we propose a system to generate templates that cause fewer false positives than a conventional system in order to achieve more accurate detection of malware-infected hosts. We focused on the key idea that malicious infrastructures, such as malware samples or command and control, tend to be reused instead of created from scratch. Our research verifies this idea and proposes here a new system to profile the variability of substrings in TTP requests, which makes it possible to identify invariable keywords based on the same malicious infrastructures and to generate more accurate templates. The results of implementing our system and validating it using real traffic data indicate that it reduced false positives by up to two-thirds compared to the conventional system and even increased the detection rate of infected hosts.

    Original languageEnglish
    Pages (from-to)1012-1023
    Number of pages12
    JournalIEICE Transactions on Communications
    VolumeE99B
    Issue number5
    DOIs
    Publication statusPublished - 2016 May 1

    Fingerprint

    Electronic crime countermeasures
    Malware
    Communication
    Costs
    Botnet

    Keywords

    • Botnet
    • Dynamic analysis
    • Malware
    • Template

    ASJC Scopus subject areas

    • Electrical and Electronic Engineering
    • Computer Networks and Communications
    • Software

    Cite this

    BotProfiler : Detecting malware-infected hosts by profiling variability of malicious infrastructure. / Chiba, Daiki; Yagi, Takeshi; Akiyama, Mitsuaki; Aoki, Kazufumi; Hariu, Takeo; Goto, Shigeki.

    In: IEICE Transactions on Communications, Vol. E99B, No. 5, 01.05.2016, p. 1012-1023.

    Research output: Contribution to journalArticle

    Chiba, Daiki ; Yagi, Takeshi ; Akiyama, Mitsuaki ; Aoki, Kazufumi ; Hariu, Takeo ; Goto, Shigeki. / BotProfiler : Detecting malware-infected hosts by profiling variability of malicious infrastructure. In: IEICE Transactions on Communications. 2016 ; Vol. E99B, No. 5. pp. 1012-1023.
    @article{d178e216be034938bf912c532576bd93,
    title = "BotProfiler: Detecting malware-infected hosts by profiling variability of malicious infrastructure",
    abstract = "Ever-evolving malware makes it difficult to prevent it from infecting hosts. Botnets in particular are one of the most serious threats to cyber security, since they consist of a lot of malware-infected hosts. Many countermeasures against malware infection, such as generating network-based signatures or templates, have been investigated. Such templates are designed to introduce regular expressions to detect polymorphic attacks conducted by attackers. A potential problem with such templates, however, is that they sometimes falsely regard benign communications as malicious, resulting in false positives, due to an inherent aspect of regular expressions. Since the cost of responding to malware infection is quite high, the number of false positives should be kept to a minimum. Therefore, we propose a system to generate templates that cause fewer false positives than a conventional system in order to achieve more accurate detection of malware-infected hosts. We focused on the key idea that malicious infrastructures, such as malware samples or command and control, tend to be reused instead of created from scratch. Our research verifies this idea and proposes here a new system to profile the variability of substrings in TTP requests, which makes it possible to identify invariable keywords based on the same malicious infrastructures and to generate more accurate templates. The results of implementing our system and validating it using real traffic data indicate that it reduced false positives by up to two-thirds compared to the conventional system and even increased the detection rate of infected hosts.",
    keywords = "Botnet, Dynamic analysis, Malware, Template",
    author = "Daiki Chiba and Takeshi Yagi and Mitsuaki Akiyama and Kazufumi Aoki and Takeo Hariu and Shigeki Goto",
    year = "2016",
    month = "5",
    day = "1",
    doi = "10.1587/transcom.2015AMP0001",
    language = "English",
    volume = "E99B",
    pages = "1012--1023",
    journal = "IEICE Transactions on Communications",
    issn = "0916-8516",
    publisher = "Maruzen Co., Ltd/Maruzen Kabushikikaisha",
    number = "5",

    }

    TY - JOUR

    T1 - BotProfiler

    T2 - Detecting malware-infected hosts by profiling variability of malicious infrastructure

    AU - Chiba, Daiki

    AU - Yagi, Takeshi

    AU - Akiyama, Mitsuaki

    AU - Aoki, Kazufumi

    AU - Hariu, Takeo

    AU - Goto, Shigeki

    PY - 2016/5/1

    Y1 - 2016/5/1

    N2 - Ever-evolving malware makes it difficult to prevent it from infecting hosts. Botnets in particular are one of the most serious threats to cyber security, since they consist of a lot of malware-infected hosts. Many countermeasures against malware infection, such as generating network-based signatures or templates, have been investigated. Such templates are designed to introduce regular expressions to detect polymorphic attacks conducted by attackers. A potential problem with such templates, however, is that they sometimes falsely regard benign communications as malicious, resulting in false positives, due to an inherent aspect of regular expressions. Since the cost of responding to malware infection is quite high, the number of false positives should be kept to a minimum. Therefore, we propose a system to generate templates that cause fewer false positives than a conventional system in order to achieve more accurate detection of malware-infected hosts. We focused on the key idea that malicious infrastructures, such as malware samples or command and control, tend to be reused instead of created from scratch. Our research verifies this idea and proposes here a new system to profile the variability of substrings in TTP requests, which makes it possible to identify invariable keywords based on the same malicious infrastructures and to generate more accurate templates. The results of implementing our system and validating it using real traffic data indicate that it reduced false positives by up to two-thirds compared to the conventional system and even increased the detection rate of infected hosts.

    AB - Ever-evolving malware makes it difficult to prevent it from infecting hosts. Botnets in particular are one of the most serious threats to cyber security, since they consist of a lot of malware-infected hosts. Many countermeasures against malware infection, such as generating network-based signatures or templates, have been investigated. Such templates are designed to introduce regular expressions to detect polymorphic attacks conducted by attackers. A potential problem with such templates, however, is that they sometimes falsely regard benign communications as malicious, resulting in false positives, due to an inherent aspect of regular expressions. Since the cost of responding to malware infection is quite high, the number of false positives should be kept to a minimum. Therefore, we propose a system to generate templates that cause fewer false positives than a conventional system in order to achieve more accurate detection of malware-infected hosts. We focused on the key idea that malicious infrastructures, such as malware samples or command and control, tend to be reused instead of created from scratch. Our research verifies this idea and proposes here a new system to profile the variability of substrings in TTP requests, which makes it possible to identify invariable keywords based on the same malicious infrastructures and to generate more accurate templates. The results of implementing our system and validating it using real traffic data indicate that it reduced false positives by up to two-thirds compared to the conventional system and even increased the detection rate of infected hosts.

    KW - Botnet

    KW - Dynamic analysis

    KW - Malware

    KW - Template

    UR - http://www.scopus.com/inward/record.url?scp=84969926598&partnerID=8YFLogxK

    UR - http://www.scopus.com/inward/citedby.url?scp=84969926598&partnerID=8YFLogxK

    U2 - 10.1587/transcom.2015AMP0001

    DO - 10.1587/transcom.2015AMP0001

    M3 - Article

    AN - SCOPUS:84969926598

    VL - E99B

    SP - 1012

    EP - 1023

    JO - IEICE Transactions on Communications

    JF - IEICE Transactions on Communications

    SN - 0916-8516

    IS - 5

    ER -