Study of malware traffic properties
The threats posed to the Internet have seen an incredible
diversification in recent years, with the rise of spam, botnets, worms,
distributed denial of service attacks, and other network-enabled
threats. As new network applications and services continuously arise
and new categories of users appear on the Net, new kinds of attacks
emerge too. Attacking techniques become faster and more sophisticated,
damaging not only typical targets such as the computers at the edge of
the network, but also affecting the transport network and intermediate
nodes. Traditional prevention and detection methodologies are often
inadequate. We need to understand more deeply the impact that the
activity of malicious software (malware) has on network links and nodes.
Because much malware relies on the connectivity and other properties of
networks, studying malware at the network level is a promising
direction for countering this threat. While in past years several
insights into the statistical properties of aggregate and
application-specific traffic (Web, network games, file transfers,
multimedia, etc.) have been gained, only recently have research efforts
turned to understanding the properties of malware network traffic and to
applying that understanding to make the Internet more secure, reliable,
and robust. Indeed, it has been demonstrated that understanding the
statistical properties of traffic at different levels (aggregate, flows,
sessions, packets) can bring effective results. In
[46] an active approach to understand some properties of all network
unsolicited traffic is adopted. In [47] and [48], other kinds of
anomalous events have been studied: Distributed Denial of Service and
Flashcrowds. The multi-resolution analysis of their traffic shows that
flash-crowds and DDoS have different properties in terms of marginal
distributions and of covariance. They show that the properties found
can affect link QoS, and apply the analysis results for detection
purposes.
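The kind of multi-resolution analysis cited above from [47] and [48] is easy to illustrate: bin a packet trace at several time scales, then compare the marginal statistics (mean, variance, skewness, kurtosis, index of dispersion) and the covariance structure (packet/byte covariance, lag-1 autocorrelation) of the resulting series. The following is an added example written for this page, not code or data from the INTERSECTION project or from the cited papers; the two traces are constructed in the script (a constant-rate, fixed-size flood versus a ramping flash-crowd-like arrival process) and the scales of 100 ms, 1 s and 10 s are an arbitrary choice. Timestamps are integer microseconds so that binning is exact at every scale.

```python
"""Multi-resolution traffic statistics on constructed packet traces.

Added example, not from the INTERSECTION project. Timestamps are integer
microseconds so that binning into intervals is exact at every scale.
"""
import math
import random

DURATION_US = 60_000_000                        # 60 s of constructed traffic
SCALES_US = (100_000, 1_000_000, 10_000_000)    # 100 ms, 1 s, 10 s bins


def aggregate(ts_us, sizes, bin_us, duration_us):
    """Bin a packet trace into per-interval packet counts and byte counts."""
    nbins = -(-duration_us // bin_us)           # ceiling division
    pkts = [0] * nbins
    byts = [0] * nbins
    for t, s in zip(ts_us, sizes):
        i = min(t // bin_us, nbins - 1)
        pkts[i] += 1
        byts[i] += s
    return pkts, byts


def marginal_stats(xs):
    """Mean, variance, skewness, excess kurtosis and index of dispersion."""
    n = len(xs)
    mean = sum(xs) / n
    var = sum((x - mean) ** 2 for x in xs) / n
    std = math.sqrt(var)
    if std == 0:                                # constant series: no shape
        skew = kurt = 0.0
    else:
        z = [(x - mean) / std for x in xs]
        skew = sum(v ** 3 for v in z) / n
        kurt = sum(v ** 4 for v in z) / n - 3.0
    return {"mean": mean, "var": var, "skew": skew, "kurtosis": kurt,
            "dispersion": 0.0 if mean == 0 else var / mean}


def covariance(xs, ys):
    """Population covariance of two equally long series."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / n


def autocorr(xs, lag):
    """Lag-k autocorrelation using the full-series mean; 0 if constant."""
    n = len(xs)
    mean = sum(xs) / n
    var = sum((x - mean) ** 2 for x in xs)
    if var == 0 or lag >= n:
        return 0.0
    return sum((xs[i] - mean) * (xs[i + lag] - mean) for i in range(n - lag)) / var


def multiresolution_profile(ts_us, sizes, duration_us, scales=SCALES_US):
    """Marginal and covariance statistics of the trace at each time scale."""
    profile = {}
    for bin_us in scales:
        pkts, byts = aggregate(ts_us, sizes, bin_us, duration_us)
        profile[bin_us] = {
            "pkts": marginal_stats(pkts),
            "bytes": marginal_stats(byts),
            "pkt_byte_cov": covariance(pkts, byts),
            "lag1_autocorr": autocorr(pkts, 1),
        }
    return profile


def constant_flood_trace(rate_pps=1000, size=64):
    """Constructed flood-like trace: fixed-size packets at a constant rate."""
    step = 1_000_000 // rate_pps
    ts = list(range(0, DURATION_US, step))
    return ts, [size] * len(ts)


def flash_crowd_trace(seed=1):
    """Constructed flash-crowd-like trace: ramping rate, mixed packet sizes."""
    rng = random.Random(seed)
    ts, sizes = [], []
    for sec in range(60):
        n = int(50 + 450 * sec / 59) + rng.randint(-10, 10)   # ramp + jitter
        for _ in range(n):
            ts.append(sec * 1_000_000 + rng.randrange(1_000_000))
            sizes.append(rng.choice((60, 576, 1500)))
    order = sorted(range(len(ts)), key=ts.__getitem__)
    return [ts[i] for i in order], [sizes[i] for i in order]


if __name__ == "__main__":
    for name, (ts, sz) in (("constant flood", constant_flood_trace()),
                           ("flash crowd", flash_crowd_trace())):
        for bin_us, st in multiresolution_profile(ts, sz, DURATION_US).items():
            p = st["pkts"]
            print(f"{name:15s} {bin_us / 1e6:5.1f}s mean={p['mean']:8.1f} "
                  f"disp={p['dispersion']:7.2f} skew={p['skew']:6.2f} "
                  f"r1={st['lag1_autocorr']:5.2f} cov={st['pkt_byte_cov']:.3g}")
```

Run stand-alone, the script prints one line per trace and scale. The constant flood has zero variance, zero index of dispersion and zero packet/byte covariance at every scale, whereas the ramping trace shows an index of dispersion far above 1, a lag-1 autocorrelation close to 1 and a strongly positive packet/byte covariance; those are exactly the kinds of marginal and covariance differences the paragraph says distinguish the two traffic classes, and the per-scale profile is what a detector built on such metrics would compare against a baseline.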
INTERSECTION partners have a strong expertise in the field of malware
traffic study and analysis, with specific regard to computer worms
traffic. In the context of the INTERSECTION project, we plan to study
malware at the network level. A deep investigation of the properties of
unwanted traffic will allow a better understanding of its impact on
network nodes and links, while the analysis of statistical traffic
properties could reveal new metrics useful for building novel anomaly
detection techniques.
Also, techniques to collect, isolate, and study malware traffic will be
investigated (e.g. honeypots, honeynets, network telescopes), and
specific tools to properly analyze traffic properties will be
developed.
References
[46] R. Pang, V. Yegneswaran, P. Barford, V. Paxson, L. Peterson, “Characteristics of Internet Background Radiation”, ACM IMC, October 2004.
[47] A. Scherrer, N. Larrieu, P. Owezarski, P. Borgnat, P. Abry, “Non Gaussian and long memory statistical characterization of Internet traffic with anomalies”, submitted to IEEE Trans. on Dependable and Secure Computing.
[48] P. Owezarski, “On the impact of DoS attacks on Internet traffic characteristics and QoS”, ICCCN 2005, 17-19 October 2005.