PeerViewer: Behavioral Tracking and Classification of P2P Malware
To keep pace with the rampant malware threat, security analysts operate tools that collect and observe malicious content on the Internet. Since malware is robust against static analysis, dynamic environments are used for this purpose: automated platforms that execute malware and acquire knowledge about its runtime behavior. Today, malware analysis platforms are effective at characterizing the system behavior of malware. However, little research has been done on automatically characterizing malicious code according to its network communication protocols. Yet this is becoming a real challenge, as modern botnets increasingly adopt hybrid topologies that use custom P2P protocols for command and control. This paper presents PeerViewer, a system that automatically classifies malware according to its P2P network behavior. Nowadays P2P malware either uses variants of known P2P protocols or builds its own custom P2P protocols, as Sality and ZeroAccess do. PeerViewer builds classifiers for known P2P malware families. It then builds a network footprint for malicious code running in a sandbox and compares this footprint with those of the known P2P malware families. It associates the malicious code with a known botnet family where possible, or notifies the security analysts of a new or unknown P2P malware family so that it can be considered for deeper analysis. Our experimental results demonstrate the ability of PeerViewer to accurately classify P2P malware with a very low false positive rate.
Nizar Kheir, Xiao Han
Orange Labs, Paris
International conference
The 5th International Symposium on Cyberspace Safety and Security (CSS 2013)
Zhangjiajie
English
pp. 282-298
2013-11-13 (date first posted on the Wanfang platform, not the paper's publication date)
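The abstract describes a pipeline (footprint the sandboxed sample's network behavior, compare it against profiles of known P2P families, and flag anything that matches none of them for deeper analysis) without giving the feature set or the matching rule. The following is an added illustration of that pipeline, not code from the PeerViewer paper or from Orange Labs. The four flow-level features, the reference profiles, the scaled Euclidean distance and the "unknown" threshold are all assumptions made for this example; the family names are deliberately generic and the flow records are constructed, not captured from real Sality or ZeroAccess traffic.

```python
"""Toy P2P network-footprint classifier (added example, not PeerViewer's code).

Everything below that looks like a measurement (features, family profiles,
distance threshold, sample flows) is an assumption constructed for illustration.
"""
from collections import Counter
from math import log1p, sqrt

# One "flow" is a per-connection summary a sandbox network tap might emit.
# Constructed sample: 40 short UDP exchanges with 40 distinct peers on one
# port (P2P-like fan-out) plus a single HTTP-looking TCP flow.
SANDBOX_FLOWS = [
    {"proto": "udp", "dst_ip": f"10.0.{i}.{i}", "dst_port": 16464, "packets": 2}
    for i in range(1, 41)
] + [
    {"proto": "tcp", "dst_ip": "192.0.2.10", "dst_port": 80, "packets": 12},
]

# Constructed sample that resembles none of the reference profiles:
# a handful of long TCP sessions to five hosts on a single port.
UNKNOWN_FLOWS = [
    {"proto": "tcp", "dst_ip": f"198.51.100.{i}", "dst_port": 443, "packets": 100}
    for i in range(1, 6)
]

# Reference footprints for "known" families. Constructed for the example and
# NOT measured profiles of real botnets, hence the generic names.
KNOWN_FAMILIES = {
    "family_a": (0.95, 3.7, 0.95, 2.5),   # UDP-heavy, ~40 peers, one port, short flows
    "family_b": (0.10, 2.3, 0.50, 30.0),  # TCP, ~10 peers, mixed ports, chatty
}

# Per-feature scale so that packet counts do not swamp the ratio features.
FEATURE_SCALE = (0.1, 1.0, 0.1, 5.0)


def footprint(flows):
    """Reduce a flow list to a fixed-length feature vector (assumed features):
      0. fraction of flows that are UDP
      1. log-scaled number of distinct destination IPs (peer fan-out)
      2. share of flows on the single most common destination port
      3. mean packets per flow
    """
    n = len(flows)
    if n == 0:
        return (0.0, 0.0, 0.0, 0.0)
    udp_share = sum(1 for f in flows if f["proto"] == "udp") / n
    peers = len({f["dst_ip"] for f in flows})
    top_port_share = Counter(f["dst_port"] for f in flows).most_common(1)[0][1] / n
    mean_pkts = sum(f["packets"] for f in flows) / n
    return (udp_share, log1p(peers), top_port_share, mean_pkts)


def distance(a, b):
    """Euclidean distance after dividing each feature by its scale."""
    return sqrt(sum(((x - y) / s) ** 2 for x, y, s in zip(a, b, FEATURE_SCALE)))


def classify(flows, families=KNOWN_FAMILIES, threshold=2.0):
    """Return (label, distance) for the nearest known family.

    The label is 'unknown' when even the nearest family is further than
    `threshold`: that is the case an analyst wants surfaced, because it may
    be a new P2P family rather than a variant of a known one.
    """
    fp = footprint(flows)
    label, d = min(((name, distance(fp, ref)) for name, ref in families.items()),
                   key=lambda item: item[1])
    if d > threshold:
        return "unknown", d
    return label, d


if __name__ == "__main__":
    for name, flows in (("sample", SANDBOX_FLOWS), ("other", UNKNOWN_FLOWS)):
        label, d = classify(flows)
        verdict = "flag for analyst review" if label == "unknown" else "matched"
        print(f"{name}: nearest={label} distance={d:.2f} -> {verdict}")
```

The threshold is the practitioner's knob here: set it too tight and every minor protocol variant of a known family is raised as "unknown"; set it too loose and genuinely new families are silently absorbed into the nearest known one, which is exactly the false positive the abstract says PeerViewer keeps low. In practice the threshold would be calibrated against the spread of footprints observed for each labeled family rather than fixed by hand as it is in this example.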