Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Network Traffic Analysis May Detect Malware Sooner

May 31, 2017

Perhaps we've been going about malware detection the wrong way. At least that is the conclusion of a new study from the Georgia Institute of Technology.

By analyzing network traffic going to suspicious domains, security administrators could detect malware infections weeks or even months before they're able to capture a sample of the invading malware. The findings point toward the need for new malware-independent detection strategies that will give network defenders the ability to identify network security breaches faster.

Malware invaders generally need to communicate with their command and control computers, creating network traffic that can be detected and analyzed. Having an earlier warning of developing malware infections could enable quicker responses and potentially reduce the impact of attacks, the study's researchers say.

"Our study shows that by the time you find the malware, it's already too late because the network communications and domain names used by the malware were active weeks or even months before the actual malware was discovered," said Manos Antonakakis, an assistant professor in the School of Electrical and Computer Engineering at the Georgia Institute of Technology. "These findings show that we need to fundamentally change the way we think about network defense."

Traditional defenses depend on the detection of malware in a network. While analyzing malware samples can identify suspicious domains and help attribute network attacks to their sources, relying on samples to drive defensive actions gives malicious actors a critical time advantage to gather information and cause damage. "What we need to do is minimize the amount of time between the compromise and the detection event," Antonakakis noted.

The research, presented May 24th at the 38th IEEE Security and Privacy Symposium in San Jose, California, was supported by the U.S. Department of Commerce, the National Science Foundation, the Air Force Research Laboratory and the Defense Advanced Research Projects Agency. The project was done in collaboration with EURECOM in France and the IMDEA Software Institute in Spain – whose work was supported by the regional government of Madrid and the government of Spain.

The study analyzed more than five billion network events from nearly five years of network traffic carried by a major U.S. internet service provider (ISP). The researchers also studied domain name system (DNS) requests made by nearly 27 million malware samples, and examined the timing of the re-registration of expired domains – which often provide the launch sites for malware attacks.

Because certain networks are more prone to abuse, looking for traffic into those hot-spot networks was potentially a good indicator of an infection. The researchers also found that requests for dynamic DNS were often related to bad activity, as these services frequently correlate with hacker activity because they provide free domain registrations and the ability to add domains quickly.

The researchers had hoped that the registration of previously expired domain names might provide a warning of impending attacks. But they found there was often a lag of months between when expired domains were re-registered and when attacks from them began.

The research required development of a filtering system to separate benign network traffic from malicious traffic in the ISP data. The researchers also conducted what they believe is the largest malware classification effort to date to differentiate the malicious software from potentially unwanted programs (PUPs). To study similarities, they assigned the malware to specific "families." By studying malware-related network traffic seen by the ISP prior to detection of the malware, the researchers were able to determine that malware signals were present weeks and even months before new malicious software was found.

In all, the researchers found more than 300,000 malware domains that were active for at least two weeks before the corresponding malware samples were identified and analyzed. Obviously, network administrators must have information about normal network traffic so they can detect the abnormalities that may signal a developing attack. While many aspects of an attack can be hidden, malware must always communicate back to those who sent it.
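The lead-time measurement described above (how long a domain was active in DNS before the matching sample was captured, plus the dynamic-DNS heuristic) as a small added example; this is not code from the study, and the log lines, sample capture dates and dynamic-DNS zone list are constructed for illustration:

```python
"""Lead-time analysis: days a domain was queried in passive DNS before a
sample contacting it was captured. Added example with constructed data."""
from datetime import date

# Constructed passive-DNS log lines: date, client, queried domain.
DNS_LOG = """\
2016-01-03 10.0.0.5 updates.example-cdn.net
2016-01-04 10.0.0.9 c2host.dyn-example.org
2016-01-10 10.0.0.9 c2host.dyn-example.org
2016-02-15 10.0.0.7 payload.example-badhost.com
2016-02-20 10.0.0.7 payload.example-badhost.com
2016-03-02 10.0.0.5 updates.example-cdn.net
"""

# Constructed: date a sample contacting each domain was first captured.
SAMPLE_FIRST_SEEN = {
    "c2host.dyn-example.org": date(2016, 3, 1),
    "payload.example-badhost.com": date(2016, 2, 22),
}

# Constructed (assumed) list of dynamic-DNS parent zones worth flagging.
DYNAMIC_DNS_ZONES = {"dyn-example.org"}


def first_seen_in_dns(log: str) -> dict:
    """Earliest query date per domain in the log."""
    seen = {}
    for line in log.splitlines():
        day, _client, domain = line.split()
        d = date.fromisoformat(day)
        if domain not in seen or d < seen[domain]:
            seen[domain] = d
    return seen


def is_dynamic_dns(domain: str) -> bool:
    """True if the domain sits under one of the listed dynamic-DNS zones."""
    parts = domain.split(".")
    return any(".".join(parts[i:]) in DYNAMIC_DNS_ZONES for i in range(1, len(parts)))


def lead_time_report(log: str, samples: dict, min_days: int = 14) -> dict:
    """Per domain with a captured sample: days of DNS activity before capture,
    whether that clears the early-warning threshold, and the dynamic-DNS flag."""
    first = first_seen_in_dns(log)
    report = {}
    for domain, captured in samples.items():
        if domain in first:
            lead = (captured - first[domain]).days
            report[domain] = {"lead_days": lead, "early_warning": lead >= min_days,
                              "dynamic_dns": is_dynamic_dns(domain)}
    return report
```

In real use the capture dates would come from a sandbox or malware feed and the DNS log from a passive-DNS collector; the 14-day threshold mirrors the two-week figure the study reports.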

The study may well lead to development of new defense strategies, where we stop looking for malware and instead analyze network traffic. Very likely this will be the next generation of cyber defense.
