On the Reliability of Network Measurement Techniques Used for Malware Traffic Analysis

  • Joseph Gardiner
  • Shishir NagarajaEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8809)


Malware attacks are increasingly popular attack vectors in online crime. As trends and anecdotal evidence show, preventing these attacks, regardless of their opportunistic or targeted nature, has proven difficult: intrusions happen and devices get compromised, even at security-conscious organisations. As a consequence, an alternative line of work has focused on detecting and disrupting the individual steps that follow an initial compromise and that are essential for the successful progression of the attack. In particular, a number of approaches and techniques have been proposed to identify the Command & Control (C2) channel that a compromised system establishes to communicate with its controller. The success of C2 detection approaches depends on collecting relevant network traffic. As traffic volumes increase this is proving increasingly difficult. In this paper, we analyse current approaches of ISP-scale network measurement from the perspective of C2 detection. We discuss a number of weaknesses that affect current techniques and provide suggestions for their improvement.


Uniform Sampling Proportional Fairness Flow Size Flooding Attack Traffic Trace 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
  2. 2.
    The CAIDA UCSD Anonymized Internet Traces 2012. Accessed 20 March 2013
  3. 3.
    Cantieni, G.R., Iannaccone, G., Barakat, C., Diot, C., Thiran, P.: Reformulating the monitor placement problem: Optimal network-wide sampling. In: Proceedings of the 2006 ACM CoNEXT Conference, CoNEXT ’06, pp. 5:1–5:12. ACM, New York (2006)Google Scholar
  4. 4.
    Cisco Systems Inc., Cisco IOS Netflow.
  5. 5.
    Cohen, E., Duffield, N.G., Kaplan, H., Lund, C., Thorup, M.: Stream sampling for variance-optimal estimation of subset sums. In: Mathieu, C. (ed.) Proceedings of ACM-SIAM Symposium on Discrete Algorithms, pp. 1255–1264. SIAM (2009)Google Scholar
  6. 6.
    Cranor, C., Johnson, T., Spataschek, O., Shkapenyuk, V.: Gigascope: a stream database for network applications. In: Proceedings of the 2003 ACM SIGMOD International Conference on Management of Data, SIGMOD ’03, pp. 647–651. ACM, New York (2003)Google Scholar
  7. 7.
    Duffield, N., Lund, C., Thorup, M.: Learn more, sample less: control of volume and variance in network measurement. IEEE Trans. Inf. Theory 51(5), 1756–1775 (2005)MathSciNetCrossRefzbMATHGoogle Scholar
  8. 8.
    Estan, C., Varghese, G.: New directions in traffic measurement and accounting: Focusing on the elephants, ignoring the mice. ACM Trans. Comput. Syst. 21(3), 270–313 (2003)CrossRefGoogle Scholar
  9. 9.
    Franklin, J., Paxson, V., Perrig, A., Savage, S.: An inquiry into the nature and causes of the wealth of internet miscreants. In: Proceedings of the 14th ACM Conference on Computer and Communications Security, CCS ’07, pp. 375–388. ACM, New York (2007)Google Scholar
  10. 10.
    Horvitz, D.G., Thompson, D.J.: A generalization of sampling without replacement from a finite universe. J. Am. Stat. Assoc. 47(260), 663–685 (1952)MathSciNetCrossRefzbMATHGoogle Scholar
  11. 11.
    Hutchins, E.M., Clopperty, M.J., Amin, R.M.: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains. Technical report, Lockheed Martin Corporation, 2010.
  12. 12.
    Krebs, B.: Security Firm Bit9 Hacked, Used to Spread Malware. Krebs on Security, 13 Feb 2013.
  13. 13.
    Mandiant. APT1: Exposing One of Chinas Cyber Espionage Units. Technical report, 2013.
  14. 14.
    Nagaraja, S., Anderson, R.: The snooping dragon: social-malware surveillance of the tibetan movement. Technical Report UCAM-CL-TR-746, University of Cambridge, (2009)Google Scholar
  15. 15.
    Nakashima, E.: Confidential report lists U.S. weapons system designs compromised by Chinese cyberspies. The Washington Post, 27 May 2013.
  16. 16.
    Perlroth, N.: Hackers in China Attacked The Times for Last 4 Months. The New York Times, 30 January 2013.
  17. 17.
    Polychronakis, M., Mavrommatis, P., Provos, N.:. Ghost turns zombie: Exploring the life cycle of web-based malware. In: Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats, LEET’08, pp. 11:1–11:8. USENIX Association, Berkeley (2008)Google Scholar
  18. 18.
    Provos, N., Rajab, M.A., Mavrommatis, P.: Cybercrime 2.0: When the cloud turns dark. Commun. ACM 52(4), 42–47 (2009)CrossRefGoogle Scholar
  19. 19.
    Sekar, V., Reiter, M.K., Willinger, W., Zhang, H., Kompella, R.R., Andersen, D.G.: Csamp: a system for network-wide flow monitoring. In: Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation, NSDI’08, pp. 233–246. USENIX Association, Berkeley (2008)Google Scholar
  20. 20.
    TrendLabs APT Research Team. Spear-Phishing Email: Most Favored APT Attack Bait. Technical report, Trend Micro Incorporated, 2012.
  21. 21.
    Yu, M., Jose, L., Miao, R.: Software defined traffic measurement with opensketch. In: Proceedings of the 10th USENIX Conference on Networked Systems Design and Implementation, NSDI’13, pp. 29–42. USENIX Association, Berkeley (2013)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  1. 1.University of BirminghamBirminghamUK

Personalised recommendations