Analysis on the Sequential Behavior of Malware Attacks

Overcoming the highly organized and coordinated malware threats by botnets on the Internet is becoming increasingly difficult. A honeypot is a powerful tool for observing and catching malware and virulent activity in Internet traffic. Because botnets use systematic attack methods, the sequences of malware downloaded by honeypots have particular forms of coordinated pattern. This paper aims to discover new frequent sequential attack patterns in malware automatically. One problem is the difficulty in identifying particular patterns from full yearlong logs because the dataset is too large for individual investigations. This paper proposes the use of a data-mining algorithm to overcome this problem. We implement the PrefixSpan algorithm to analyze malware-attack logs and then show some experimental results. Analysis of these results indicates that botnet attacks can be characterized either by the download times or by the source addresses of the bots. Finally, we use entropy analysis to reveal how frequent sequential patterns are involved in coordinated attacks.

[1]  Toshinori Sueyoshi,et al.  Extraction of Characteristics of Anomaly Accessed IP Packets by the Entropy-Based Analysis , 2008, 2008 International Conference on Complex, Intelligent and Software Intensive Systems.

[2]  Ram Dantu,et al.  Behavior analysis of spam botnets , 2008, 2008 3rd International Conference on Communication Systems Software and Middleware and Workshops (COMSWARE '08).

[3]  Marc Dacier,et al.  A framework for attack patterns' discovery in honeynet data , 2008 .

[4]  Ping Wang,et al.  An Advanced Hybrid Peer-to-Peer Botnet , 2007, IEEE Transactions on Dependable and Secure Computing.

[5]  Dan Schnackenberg,et al.  Statistical approaches to DDoS attack detection and response , 2003, Proceedings DARPA Information Survivability Conference and Exposition.

[6]  Hossein Rouhani Zeidanloo,et al.  Botnet Command and Control Mechanisms , 2009, 2009 Second International Conference on Computer and Electrical Engineering.

[7]  L. Spitzner,et al.  Honeypots: Tracking Hackers , 2002 .

[8]  Bill McCarty,et al.  Botnets: Big and Bigger , 2003, IEEE Secur. Priv..

[9]  Ali A. Ghorbani,et al.  Automatic discovery of botnet communities on large-scale communication networks , 2009, ASIACCS '09.

[10]  Ramakrishnan Srikant,et al.  Mining sequential patterns , 1995, Proceedings of the Eleventh International Conference on Data Engineering.

[11]  Qiming Chen,et al.  PrefixSpan,: mining sequential patterns efficiently by prefix-projected pattern growth , 2001, Proceedings 17th International Conference on Data Engineering.

[12]  Guofei Gu,et al.  BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection , 2008, USENIX Security Symposium.

[13]  Robert Lyda,et al.  Using Entropy Analysis to Find Encrypted and Packed Malware , 2007, IEEE Security & Privacy.

[14]  Andreas Terzis,et al.  A multifaceted approach to understanding the botnet phenomenon , 2006, IMC '06.

[15]  Masashi Fujiwara,et al.  Heuristics for Detecting Botnet Coordinated Attacks , 2010, 2010 International Conference on Availability, Reliability and Security.