An Integrated Framework for Malware Collection and Analysis for Botnet Tracking

This paper presents the design of an integrated malware collection and analysis framework for botnet tracking. In the proposed framework we use honeypots as the malware capturing tool. The system design is unique in that the configuration of the honeypot on which a malware sample was captured is saved together with the sample in the malware database. This configuration information is then used during dynamic malware analysis to create the malware execution environment. Because the execution environment thus created is analogous to the one in which the malware was captured, the sample exhibits its true expected execution behaviour, which leads to the capture of accurate execution traces. Further, we demonstrate the effectiveness of the proposed solution with the help of a prototype system.
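The following added example (not the authors' prototype) sketches the design point of the abstract in Python: the honeypot configuration is stored with each captured sample and later drives the construction of the dynamic-analysis environment, with a pre-execution check that the environment really matches the capture context. All class and field names are hypothetical.

```python
import hashlib
from dataclasses import dataclass
# Illustration of the paper's design, not the authors' code: names and fields are hypothetical.

@dataclass(frozen=True)
class HoneypotConfig:
    os_family: str                    # e.g. "windows"
    os_version: str                   # e.g. "xp-sp2"
    arch: str                         # e.g. "x86"
    exposed_services: dict[str, int]  # service name -> TCP port the honeypot offered
    ip_address: str
    netmask: str

@dataclass
class SampleRecord:
    sha256: str
    source_honeypot: str
    capture_config: HoneypotConfig    # saved alongside the sample, the paper's key point

class MalwareDB:
    """In-memory stand-in for the malware database, keyed by sample hash."""
    def __init__(self) -> None:
        self._records: dict[str, SampleRecord] = {}
    def store(self, data: bytes, honeypot_id: str, config: HoneypotConfig) -> str:
        digest = hashlib.sha256(data).hexdigest()
        # Same binary captured twice: keep the first capture context, which is
        # the environment the sample is known to have executed in.
        self._records.setdefault(digest, SampleRecord(digest, honeypot_id, config))
        return digest
    def get(self, sha256: str) -> SampleRecord:
        return self._records[sha256]

def build_execution_environment(record: SampleRecord) -> dict:
    """Derive a sandbox specification that mirrors the capture environment."""
    cfg = record.capture_config
    return {
        "image": f"{cfg.os_family}-{cfg.os_version}-{cfg.arch}",
        "network": {"ip": cfg.ip_address, "netmask": cfg.netmask},
        "services_to_start": sorted(cfg.exposed_services.items()),
        "sample": record.sha256,
    }

def environment_matches_capture(env: dict, record: SampleRecord) -> bool:
    """Pre-execution check that the sandbox reproduces the capture configuration."""
    cfg = record.capture_config
    return (env["image"] == f"{cfg.os_family}-{cfg.os_version}-{cfg.arch}"
            and env["network"]["ip"] == cfg.ip_address
            and dict(env["services_to_start"]) == cfg.exposed_services)
```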
