MalwareVis: entity-based visualization of malware network traces

This paper presents MalwareVis, a utility that gives security researchers a way to browse, filter, view and compare malware network traces as entities. Specifically, we propose a cell-like visualization model for viewing the network traces produced by executing a malware sample. The model is an intuitive representation of the heterogeneous attributes (protocol, host IP, transmission size, packet count, duration) of the list of network streams associated with a malware instance. We encode these features as colors and basic geometric properties of common shapes. The list of streams is arranged circularly in clockwise order to form an entity. Our design accounts for the sparse and skewed distributions of these attributes and proposes mapping and layout strategies that give a clear global view of a malware sample's behavior. We demonstrate MalwareVis on a real-world corpus of malware samples and display their individual activity patterns. We show that it is a simple-to-use utility that provides intriguing visual representations and facilitates user interaction for security analysis.
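The following is an added illustration of the entity model described in the abstract, not code from the MalwareVis paper or its authors. It takes a constructed list of network streams and computes the clockwise circular layout and per-stream visual encoding (protocol to color, transmission size to radius, packet count to stroke thickness, duration to arc length). The paper says only that the mapping strategies account for sparse and skewed attribute distributions; the log-scale normalisation, the host-based ordering, the palette and the field names used here are assumptions made for this example.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Stream:
    """One network stream observed during a sandboxed malware run.
    Field names are this example's own, not the paper's schema."""
    proto: str        # "tcp", "udp", "dns", "http", ...
    host: str         # remote host IP
    nbytes: int       # bytes transferred
    packets: int      # packet count
    duration: float   # seconds


# Assumed palette: the paper encodes protocol as colour but does not fix hues.
PROTO_COLOR = {"tcp": "#1f77b4", "udp": "#ff7f0e", "dns": "#2ca02c", "http": "#d62728"}
DEFAULT_COLOR = "#7f7f7f"


def log_norm(value, lo, hi):
    """Log-scale normalisation into [0, 1].

    Stream attributes are heavy-tailed: one C2 download dwarfs dozens of tiny
    probes, so a linear scale would collapse everything but the largest stream
    onto a single pixel. Log scaling keeps the small streams distinguishable.
    A degenerate range (all values equal) maps to 0.0 instead of dividing by zero.
    """
    if hi <= lo:
        return 0.0
    return (math.log1p(value) - math.log1p(lo)) / (math.log1p(hi) - math.log1p(lo))


def entity_layout(streams, r_min=0.2, r_max=1.0):
    """Arrange streams clockwise from 12 o'clock into one circular entity.

    Returns one glyph description per stream, in drawing order. Streams to the
    same host are sorted together (an assumption of this example) so repeated
    contacts with one server appear as adjacent segments of the entity.
    """
    if not streams:
        return []
    ordered = sorted(streams, key=lambda s: (s.host, s.proto))
    n = len(ordered)
    slot = 2 * math.pi / n  # angular slot reserved for each stream
    ranges = {
        name: (min(getattr(s, name) for s in ordered), max(getattr(s, name) for s in ordered))
        for name in ("nbytes", "packets", "duration")
    }
    glyphs = []
    for i, s in enumerate(ordered):
        theta = i * slot  # clockwise angle from 12 o'clock
        radius = r_min + (r_max - r_min) * log_norm(s.nbytes, *ranges["nbytes"])
        glyphs.append({
            "host": s.host,
            "proto": s.proto,
            "color": PROTO_COLOR.get(s.proto, DEFAULT_COLOR),
            "theta": theta,
            # transmission size -> distance of the glyph from the entity centre
            "radius": radius,
            # duration -> arc length inside the slot (never below 20% so it stays visible)
            "arc": slot * (0.2 + 0.8 * log_norm(s.duration, *ranges["duration"])),
            # packet count -> stroke thickness
            "thickness": 1 + 4 * log_norm(s.packets, *ranges["packets"]),
            # screen position with y up; sin/cos swapped so angle runs clockwise from top
            "xy": (radius * math.sin(theta), radius * math.cos(theta)),
        })
    return glyphs


# Constructed sample streams for one malware run (not data from the paper).
SAMPLE = [
    Stream("dns", "8.8.8.8", 120, 2, 0.05),
    Stream("tcp", "203.0.113.7", 2_500_000, 1800, 340.0),   # large payload download
    Stream("tcp", "203.0.113.7", 4_000, 12, 3.0),           # short beacon to same host
    Stream("udp", "198.51.100.9", 600, 4, 1.0),
    Stream("http", "192.0.2.44", 90_000, 70, 12.0),
]

if __name__ == "__main__":
    for g in entity_layout(SAMPLE):
        print(f"{g['host']:>14} {g['proto']:<5} {g['color']} "
              f"theta={g['theta']:.2f} r={g['radius']:.2f} arc={g['arc']:.2f}")
```

The log normalisation is the part worth keeping in mind when building any such glyph: a single multi-megabyte transfer in a trace of a few hundred small beacons will otherwise hide every other stream, which is exactly the opposite of what an analyst comparing samples wants to see.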