Eventpad: Rapid Malware Analysis and Reverse Engineering using Visual Analytics

Forensic analysis of malware activity in network environments is a necessary yet very costly and time-consuming part of incident response. Vast amounts of data need to be screened, in a very labor-intensive process, looking for signs indicating how the malware at hand behaves inside, e.g., a corporate network. We believe that data reduction and visualization techniques can assist security analysts in studying behavioral patterns in network traffic samples (e.g., PCAP). We argue that the discovery of patterns in this traffic can help us to quickly understand how intrusive behavior such as malware activity unfolds and distinguishes itself from the rest of the traffic. In this paper we present a case study of the visual analytics tool EventPad and illustrate how it is used to gain quick insights into the analysis of PCAP traffic using rules, aggregations, and selections. We show the effectiveness of the tool on real-world data sets involving office traffic and ransomware activity.
