
NetGator: Malware Detection Using Program Interactive Challenges

  • Conference paper
Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2012)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 7591)

Abstract

Internet-borne threats have evolved from easy-to-detect denial of service attacks to zero-day exploits used for targeted exfiltration of data. Current intrusion detection systems cannot always keep up with zero-day attacks, and it is often the case that valuable data have already been communicated to an external party over an encrypted or plaintext connection before the intrusion is detected.

In this paper, we present a scalable approach called Network Interrogator (NetGator) to detect network-based malware that attempts to exfiltrate data over open ports and protocols. NetGator operates as a transparent proxy, using protocol analysis to first identify the declared client application from known network flow signatures. Then we craft packets that “challenge” the application by exercising functionality present in legitimate applications but too complex or intricate to be present in malware. When the application is unable to correctly solve and respond to the challenge, NetGator flags the flow as potential malware. Our approach is seamless: it requires no interaction from the user and no changes to commodity application software. NetGator introduces minimal traffic latency (0.35 seconds on average) to normal network communication while it can expose a wide range of existing malware threats.
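The pipeline the abstract describes (classify a flow by the application it declares, challenge it with something a genuine client of that type can do, flag the flow on failure) as a runnable simulation. This is an added example, not the paper's NetGator implementation: the flow signatures, the hash-chain script challenge, the client models and the verdict strings are assumptions made here to show the detection logic and the cases a practitioner has to handle (a client that never answers, one that replays a canned value, a second answer for an already-verified flow, and a protocol for which no challenge exists).

```python
"""NetGator-style program interactive challenges, simulated (added example).

Assumptions of this example: the flow signatures, the hash-chain challenge,
the client models and the verdict strings are all invented here.
"""
import hashlib
import hmac
import re
import secrets
from typing import Dict, Optional, Tuple

# Constructed flow signatures: what the first bytes of a flow *claim* it is.
FLOW_SIGNATURES = {
    "web-browser": re.compile(
        rb"^(?:GET|POST) \S+ HTTP/1\.[01]\r\n(?:[^\r\n]*\r\n)*?User-Agent: Mozilla"),
    "ftp-client": re.compile(rb"^USER \S+\r\n"),
}
# Challenge cost: bounded so the added latency stays small, but the answer
# still requires executing the injected script rather than guessing.
CHALLENGE_ROUNDS = 1000


def classify_flow(first_bytes: bytes) -> Optional[str]:
    """Return the declared application, or None for an unrecognised protocol."""
    for app, pattern in FLOW_SIGNATURES.items():
        if pattern.match(first_bytes):
            return app
    return None


def hash_chain(nonce: str, rounds: int) -> str:
    """The challenge computation; the proxy and a genuine client both run it."""
    digest = nonce.encode()
    for _ in range(rounds):
        digest = hashlib.sha256(digest).digest()
    return digest.hex()


class NetGatorProxy:
    """Transparent-proxy state: at most one outstanding challenge per flow."""

    def __init__(self) -> None:
        self._pending: Dict[str, Tuple[str, str]] = {}

    def on_new_flow(self, flow_id: str, first_bytes: bytes) -> Optional[dict]:
        app = classify_flow(first_bytes)
        if app != "web-browser":
            return None  # no challenge defined for this protocol: pass through
        nonce = secrets.token_hex(16)  # fresh per flow, so an old answer is useless
        self._pending[flow_id] = (app, nonce)
        return {"flow": flow_id, "app": app, "nonce": nonce, "rounds": CHALLENGE_ROUNDS}

    def on_answer(self, flow_id: str, answer: Optional[str]) -> str:
        pending = self._pending.pop(flow_id, None)  # a challenge is consumed once
        if pending is None:
            return "flag:unknown-flow"
        _, nonce = pending
        if answer is None:
            return "flag:no-answer"  # client never executed the challenge (timeout)
        if hmac.compare_digest(answer, hash_chain(nonce, CHALLENGE_ROUNDS)):
            return "pass"
        return "flag:wrong-answer"


class GenuineBrowser:
    """Has a script engine, so it executes whatever the proxy injects."""

    def answer(self, challenge: dict) -> Optional[str]:
        return hash_chain(challenge["nonce"], challenge["rounds"])


class SpoofingMalware:
    """Sends a browser User-Agent but has no script engine."""

    def __init__(self, canned: Optional[str]) -> None:
        self.canned = canned  # None: ignores the challenge; str: replays a fixed value

    def answer(self, challenge: dict) -> Optional[str]:
        return self.canned


def simulate() -> Dict[str, str]:
    """Run constructed flows through the proxy and collect the verdicts."""
    proxy = NetGatorProxy()
    browser_req = (b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"
                   b"User-Agent: Mozilla/5.0\r\n\r\n")
    exfil_req = (b"POST /upload HTTP/1.1\r\nHost: drop.example\r\n"
                 b"User-Agent: Mozilla/5.0\r\n\r\n")  # same declared app, spoofed
    verdicts: Dict[str, str] = {}
    ch = proxy.on_new_flow("f1", browser_req)
    verdicts["browser"] = proxy.on_answer("f1", GenuineBrowser().answer(ch))
    ch = proxy.on_new_flow("f2", exfil_req)
    verdicts["malware-silent"] = proxy.on_answer("f2", SpoofingMalware(None).answer(ch))
    ch = proxy.on_new_flow("f3", exfil_req)
    verdicts["malware-canned"] = proxy.on_answer("f3", SpoofingMalware("0" * 64).answer(ch))
    verdicts["replay"] = proxy.on_answer("f1", "0" * 64)  # f1 was already verified
    verdicts["ftp"] = "no-challenge" if proxy.on_new_flow("f4", b"USER anonymous\r\n") is None else "challenged"
    return verdicts


if __name__ == "__main__":
    for flow, verdict in simulate().items():
        print(f"{flow:15s} {verdict}")
```

The simulation collapses the network round trip into direct method calls; a deployment would inject the challenge into the proxied stream and read the answer back from the same flow. Two caveats follow from the design: a challenge only separates clients that lack the exercised capability, so malware that ships a full script engine passes it, which is why the abstract stresses functionality that is too complex to be worth replicating; and the per-flow cost (here `CHALLENGE_ROUNDS`) has to be bounded, since every challenged flow pays it as latency.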




Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Schulte, B., Andrianakis, H., Sun, K., Stavrou, A. (2013). NetGator: Malware Detection Using Program Interactive Challenges. In: Flegel, U., Markatos, E., Robertson, W. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2012. Lecture Notes in Computer Science, vol 7591. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-37300-8_10


  • DOI: https://doi.org/10.1007/978-3-642-37300-8_10

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-37299-5

  • Online ISBN: 978-3-642-37300-8
