Practical Correlation Analysis between Scan and Malware Profiles against Zero-Day Attacks Based on Darknet Monitoring

Nakao, Koji; Inoue, Daisuke; Eto, Masashi; Yoshioka, Katsunari

doi:10.1587/transinf.e92.d.787

Cited by 31 publications

(18 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The darknet is being used for studying and developing the countermeasures against malicious activities on the Internet [17][18][19][20][21][22][23][24][25][26][27]. For example, Bailey et al introduced the Internet Motion Sensor (IMS), a globally-scoped Internet monitoring system.…”

Section: Related Workmentioning

confidence: 99%

“…By using the network telescope, in that little or no legitimate traffic exists, they examined its utility and effects for measuring both pandemic incidents (the spread of an Internet worm) and endemic incidents (denial-of-service attacks) on the Internet. Nakao et al introduced a network incident analysis center for tactical emergency response (nicter), which is monitoring around 300,000 unused IP addresses mainly located in Japan [17][18][19]. The main objective of the nicter is to carry out correlation analysis between the network threats observed in the darknet and malware executables captured in the various types of honeypots.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Practical In-Depth Analysis of IDS Alerts for Tracing and Identifying Potential Attackers on Darknet

et al. 2017

View full text Add to dashboard Cite

Abstract:The darknet (i.e., a set of unused IP addresses) is a very useful solution for observing the global trends of cyber threats and analyzing attack activities on the Internet. Since the darknet is not connected with real systems, in most cases, the incoming packets on the darknet ('the darknet traffic') do not contain a payload. This means that we are unable to get real malware from the darknet traffic. This situation makes it difficult for security experts (e.g., academic researchers, engineers, operators, etc.) to identify whether the source hosts of the darknet traffic are infected by real malware or not. In this paper, we present the overall procedure of the in-depth analysis between the darknet traffic and IDS alerts using real data collected at the Science and Technology Cyber Security Center (S&T CSC) in Korea and provide the detailed in-depth analysis results. The ultimate goal of this paper is to provide practical experience, insight and know-how to security experts so that they are able to identify and trace the root cause of the darknet traffic. The experimental results show that correlation analysis between the darknet traffic and IDS alerts is very useful to discover potential attack hosts, especially internal hosts, and to find out what kinds of malware infected them.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Practical In-Depth Analysis of IDS Alerts for Tracing and Identifying Potential Attackers on Darknet

et al. 2017

View full text Add to dashboard Cite

show abstract

“…The NICTER Darknet Dataset is a set of packet traces collected from April 1, 2011 using the darknet monitoring system, NICTER [40]. The NICTER covers approximately 240 K unused IP addresses.…”

Section: Nicter Darknet Datasetmentioning

confidence: 99%

“…In phase 2) infection, the historic DARPA Intrusion Detection Data Sets [49] from 1998 to 2000 were released training data and testing data for IDS evaluation with packet traces, audit data, and file system dumps. The hpfriends social data-sharing platform [40] of the Honeynet Project shares the distributed honeypots operated by each contributor. The Contagio [50] shares malware samples relating to APT attacks and their packet traces captured during dynamic analysis.…”

Section: Related Workmentioning

confidence: 99%

Empowering Anti-malware Research in Japan by Sharing the MWS Datasets

Hatada

Akiyama²,

Kasama

2015

Journal of Information Processing

View full text Add to dashboard Cite

Substantial research has been conducted to develop proactive and reactive countermeasures against malware threats. Gathering and analyzing data are widely accepted approaches for accelerating the research towards understanding malware threats. However, collecting useful data is not an easy task for individuals or new researchers owing to several technical barriers, such as conducting honeypot operations securely. The anti-Malware engineering WorkShop (MWS) was organized in 2008 to fill this gap; since then, we have shared datasets that are useful for accelerating the data-driven anti-malware research in Japan. This paper provides the definitive collection of the MWS Datasets that are a collection of different datasets for use in anti-malware research. We also report the effectiveness of the MWS Datasets from the viewpoint of published research papers and how to empower some of the papers by using the MWS Datasets. Furthermore, our discussion about issues of the MWS Datasets reveal the future directions for accelerating anti-malware research from the perspectives of dataset collection activity and dataset use activity.

show abstract

“…However, considering the close relationships between global phenomena observed from the macroscopic approach and their root causes analyzed in the microscopic approach, a hybrid approach for such analysis is essential. To this end we have been developing the Network Incident analysis Center for Tactical Emergency Response (nicter) [19]- [21], which incorporates both approaches. The nicter integrates results obtained from both macroscopic and microscopic analysis to obtain useful and practical insight on malware activity.…”

Section: Introductionmentioning

confidence: 99%

A Novel Malware Clustering Method Using Frequency of Function Call Traces in Parallel Threads

Nakazato

Song

Eto

et al. 2011

IEICE Trans. Inf. & Syst.

Self Cite

View full text Add to dashboard Cite

SUMMARYWith the rapid development and proliferation of the Internet, cyber attacks are increasingly and continually emerging and evolving nowadays. Malware -a generic term for computer viruses, worms, trojan horses, spywares, adwares, and bots -is a particularly lethal security threat. To cope with this security threat appropriately, we need to identify the malwares' tendency/characteristic and analyze the malwares' behaviors including their classification. In the previous works of classification technologies, the malwares have been classified by using data from dynamic analysis or code analysis. However, the works have not been succeeded to obtain efficient classification with high accuracy. In this paper, we propose a new classification method to cluster malware more effectively and more accurately. We firstly perform dynamic analysis to automatically obtain the execution traces of malwares. Then, we classify malwares into some clusters using their characteristics of the behavior that are derived from Windows API calls in parallel threads. We evaluated our classification method using 2, 312 malware samples with different hash values. The samples classified into 1, 221 groups by the result of three types of antivirus softwares were classified into 93 clusters. 90% of the samples used in the experiment were classified into 20 clusters at most. Moreover, it ensured that 39 malware samples had characteristics different from other samples, suggesting that these may be new types of malware. The kinds of Windows API calls confirmed the samples classified into the same cluster had the same characteristics. We made clear that antivirus softwares named different name to malwares that have same behavior. key words: malware analysis, behavior of malware, clustering

show abstract

Practical Correlation Analysis between Scan and Malware Profiles against Zero-Day Attacks Based on Darknet Monitoring

Cited by 31 publications

References 8 publications

Practical In-Depth Analysis of IDS Alerts for Tracing and Identifying Potential Attackers on Darknet

Practical In-Depth Analysis of IDS Alerts for Tracing and Identifying Potential Attackers on Darknet

Empowering Anti-malware Research in Japan by Sharing the MWS Datasets

A Novel Malware Clustering Method Using Frequency of Function Call Traces in Parallel Threads

Contact Info

Product

Resources

About