MARS: an architecture for malware analysis using SDN
Abstract
Investigating the characteristics of malicious code is essential to improving security systems. However, modern malware requires specific conditions before it will activate its actions on the target system. This thesis presents a specialized architecture for malware analysis that manages the analysis environment centrally, including control of the sandbox and of the elements that surround it. The proposed architecture makes it possible to define the network access policy, to configure the resources of the analysis environment, and to manipulate the network connections made by the malware. The experimental results showed that our solution can reveal behaviors that go unobserved in traditional analysis solutions.
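The abstract describes a sandbox whose outbound network access is decided centrally and whose connections can be rewritten. The following is an added illustration of that idea, not code from the MARS thesis: a small SDN-style controller evaluates a priority-ordered flow table against connection attempts leaving the sandbox VM, dropping some (SMTP, lateral movement), allowing some (DNS to an internal resolver) and redirecting others (HTTP/HTTPS) to a sinkhole host. The addresses, rule fields, action names and the sample flows are constructed assumptions for the example.

```python
# Added example (not code from the MARS thesis): an SDN-style controller that
# applies a containment policy to connections leaving a sandbox VM. Rule
# fields, addresses and actions are illustrative assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

SANDBOX_VM = "10.0.0.10"   # assumed address of the analysis VM
RESOLVER = "10.0.0.53"     # assumed internal DNS resolver
SINKHOLE = "10.0.0.254"    # assumed host running fake HTTP/HTTPS services


@dataclass(frozen=True)
class Flow:
    """First packet of a new connection as seen by the switch."""
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    """One flow-table entry: the highest-priority matching rule wins."""
    priority: int
    action: str                      # "allow", "drop" or "redirect"
    proto: Optional[str] = None      # None = wildcard
    dport: Optional[int] = None      # None = wildcard
    dst_net: Optional[str] = None    # CIDR, None = wildcard
    redirect_to: Optional[str] = None

    def matches(self, flow: Flow) -> bool:
        if self.proto is not None and flow.proto != self.proto:
            return False
        if self.dport is not None and flow.dport != self.dport:
            return False
        if self.dst_net is not None and ip_address(flow.dst) not in ip_network(self.dst_net):
            return False
        return True


@dataclass(frozen=True)
class Decision:
    action: str
    effective_dst: str   # destination after any rewrite
    priority: int        # priority of the rule that fired


class Controller:
    def __init__(self, rules: List[Rule]):
        # Evaluate like a flow table: higher priority first.
        self.rules = sorted(rules, key=lambda r: r.priority, reverse=True)
        self.log: List[Tuple[Flow, Decision]] = []

    def decide(self, flow: Flow) -> Decision:
        for rule in self.rules:
            if rule.matches(flow):
                dst = rule.redirect_to if rule.action == "redirect" else flow.dst
                decision = Decision(rule.action, dst, rule.priority)
                self.log.append((flow, decision))   # every decision is recorded for the analyst
                return decision
        raise AssertionError("policy must end with a default rule")


def containment_policy() -> List[Rule]:
    """Assumed policy: contain the sample without starving it of the
    services it needs to reveal its behaviour."""
    return [
        Rule(100, "drop", proto="tcp", dport=25),                        # no outbound spam
        Rule(90, "allow", proto="udp", dport=53, dst_net=RESOLVER + "/32"),  # DNS only to our resolver
        Rule(85, "drop", dst_net="10.0.0.0/8"),                          # no lateral movement
        Rule(80, "redirect", proto="tcp", dport=80, redirect_to=SINKHOLE),   # HTTP to fake server
        Rule(80, "redirect", proto="tcp", dport=443, redirect_to=SINKHOLE),  # HTTPS to fake server
        Rule(0, "drop"),                                                 # default deny
    ]


# Constructed connection attempts from the sandbox VM (not captured data).
SAMPLE_FLOWS = [
    Flow(SANDBOX_VM, RESOLVER, "udp", 53),
    Flow(SANDBOX_VM, "203.0.113.5", "tcp", 25),
    Flow(SANDBOX_VM, "198.51.100.7", "tcp", 80),
    Flow(SANDBOX_VM, "10.0.0.20", "tcp", 445),
    Flow(SANDBOX_VM, "192.0.2.9", "tcp", 4444),
]


def run_policy(flows=SAMPLE_FLOWS) -> List[Decision]:
    ctl = Controller(containment_policy())
    return [ctl.decide(f) for f in flows]


if __name__ == "__main__":
    for flow, d in zip(SAMPLE_FLOWS, run_policy()):
        print(f"{flow.proto}/{flow.dport:<5} -> {flow.dst:14} : {d.action:8} "
              f"(to {d.effective_dst}, rule {d.priority})")
```

The default-deny rule at priority 0 is what makes the table safe to extend: a new service is exposed only by adding an explicit allow or redirect above it, and the controller's log keeps the full record of what the sample tried to reach, including the attempts that were blocked.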