Network traffic provides early indication of malware infection

May 21, 2017

By analyzing network traffic going to suspicious domains, security administrators could detect malware infections weeks or even months before they're able to capture a sample of the invading malware, a new study suggests. The findings point toward the need for new malware-independent detection strategies that will give network defenders the ability to identify network security breaches in a more timely manner.

The strategy would take advantage of the fact that malware invaders need to communicate with their command and control computers, creating network traffic that can be detected and analyzed. Having an earlier warning of developing malware infections could enable quicker responses and potentially reduce the impact of attacks, the study's researchers say.

"Our study shows that by the time you find the malware, it's already too late because the network communications and domain names used by the malware were active weeks or even months before the actual malware was discovered," said Manos Antonakakis, an assistant professor in the School of Electrical and Computer Engineering at the Georgia Institute of Technology. "These findings show that we need to fundamentally change the way we think about network defense."

Traditional defenses depend on the detection of malware in a network. While analyzing malware samples can identify suspicious domains and help attribute network attacks to their sources, relying on samples to drive defensive actions gives malicious actors a critical time advantage to gather information and cause damage. "What we need to do is minimize the amount of time between the compromise and the detection event," Antonakakis added.

The research, which will be presented May 24 at the 38th IEEE Security and Privacy Symposium in San Jose, California, was supported by the U.S. Department of Commerce, the National Science Foundation, the Air Force Research Laboratory and the Defense Advanced Research Projects Agency. The project was done in collaboration with EURECOM in France and the IMDEA Software Institute in Spain - whose work was supported by the regional government of Madrid and the government of Spain.

In the study, Antonakakis, Graduate Research Assistant Chaz Lever and colleagues analyzed more than five billion network events from nearly five years of network traffic carried by a major U.S. internet service provider (ISP). They also studied domain name server (DNS) requests made by nearly 27 million malware samples, and examined the timing for the re-registration of expired domains - which often provide the launch sites for malware attacks.

"There were certain networks that were more prone to abuse, so looking for traffic into those hot spot networks was potentially a good indicator of abuse underway," said Lever, the first author of the paper and a student in Georgia Tech's School of Electrical and Computer Engineering. "If you see a lot of DNS requests pointing to hot spots of abuse, that should raise concerns about potential infections."

The researchers also found that requests for dynamic DNS were related to bad activity, as these often correlate with services used by bad actors because they provide free domain registrations and the ability to quickly add domains.
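The two indicators described above, lookups resolving into "hot spot" networks and lookups of dynamic DNS names, can be counted per client from passive DNS records. The following is an added illustration, not code from the paper or its authors; the hot-spot prefixes, dynamic DNS suffixes, log lines and the baseline threshold are all constructed placeholders.

```python
import ipaddress
from collections import defaultdict

# Constructed placeholders: prefixes assumed, for this example only, to be
# networks with a disproportionate share of malware infrastructure.
HOTSPOT_PREFIXES = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "203.0.113.0/24")]

# Constructed placeholder suffixes standing in for dynamic DNS providers.
DYNAMIC_DNS_SUFFIXES = ("dyn.example", "free-dns.example")

# Constructed passive-DNS records: client address, queried name, resolved address.
SAMPLE_LOG = """\
10.0.0.5 www.example.org 93.184.216.34
10.0.0.5 cdn.example.org 93.184.216.35
10.0.0.5 mail.example.org 93.184.216.36
10.0.0.7 host1.dyn.example 198.51.100.10
10.0.0.7 host2.dyn.example 198.51.100.11
10.0.0.7 c2.example.net 203.0.113.5
10.0.0.9 news.example.org 93.184.216.37
"""

def is_hotspot(ip: str) -> bool:
    """True if the resolved address falls inside a hot-spot prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOTSPOT_PREFIXES)

def is_dynamic_dns(name: str) -> bool:
    """True if the queried name sits under a dynamic DNS suffix."""
    return name.endswith(tuple("." + s for s in DYNAMIC_DNS_SUFFIXES))

def score_clients(log: str) -> dict:
    """Per client: total lookups, hot-spot resolutions, dynamic DNS lookups."""
    scores = defaultdict(lambda: {"hotspot": 0, "dyndns": 0, "total": 0})
    for line in log.splitlines():
        client, name, ip = line.split()
        s = scores[client]
        s["total"] += 1
        s["hotspot"] += 1 if is_hotspot(ip) else 0
        s["dyndns"] += 1 if is_dynamic_dns(name) else 0
    return dict(scores)

def flag_clients(log: str, baseline_ratio: float = 0.05, min_queries: int = 3) -> list:
    """Flag clients whose share of suspicious lookups exceeds the site baseline.
    baseline_ratio is an assumed value; in practice it comes from measuring
    normal traffic on the network being defended."""
    flagged = []
    for client, s in score_clients(log).items():
        if s["total"] < min_queries:  # too few lookups to judge against a baseline
            continue
        suspicious = max(s["hotspot"], s["dyndns"])
        if suspicious / s["total"] > baseline_ratio:
            flagged.append(client)
    return sorted(flagged)
```

The flagged client is the one to investigate for infection, and the threshold is what the baseline measurement the article calls for would supply.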

The researchers had hoped that the registration of previously expired domain names might provide a warning of impending attacks. But Lever found there was often a lag of months between when expired domains were re-registered and attacks from them began.

The research required development of a filtering system to separate benign network traffic from malicious traffic in the ISP data. The researchers also conducted what they believe is the largest malware classification effort to date to differentiate the malicious software from potentially unwanted programs (PUPs). To study similarities, they assigned the malware to specific "families."

By studying malware-related network traffic seen by the ISPs prior to detection of the malware, the researchers were able to determine that malware signals were present weeks and even months before new malicious software was found. Relating that to human health, Antonakakis compares the network signals to the fever or general feeling of malaise that often precedes identification of the microorganism responsible for an infection.

"You know you are sick when you have a fever, before you know exactly what's causing it," he said. "The first thing the adversary does is set up a presence on the internet, and that first signal can indicate an infection. We should try to observe that symptom first on the network because if we wait to see the malware sample, we are almost certainly allowing a major infection to develop."

In all, the researchers found more than 300,000 malware domains that were active for at least two weeks before the corresponding malware samples were identified and analyzed.

But as with human health, detecting a change indicating infection requires knowledge of the baseline activity, he said. Network administrators must have information about normal network traffic so they can detect the abnormalities that may signal a developing attack. While many aspects of an attack can be hidden, malware must always communicate back to those who sent it.

"If you have the ability to detect traffic in a network, regardless of how the malware may have gotten in, the action of communicating through the network will be observable," Antonakakis said. "Network administrators should minimize the unknowns in their networks and classify their appropriate communications as much as possible so they can see the bad activity when it happens."

Antonakakis and Lever hope their study will lead to development of new strategies for defending computer networks.

"The choke point is the network traffic, and that's where this battle should be fought," said Antonakakis. "This study provides a fundamental observation of how the next generation of defense mechanisms should be designed. As more complicated attacks come into being, we will have to become smarter at detecting them earlier."

In addition to those already mentioned, the study included Davide Balzarotti from EURECOM, and Platon Kotzias and Juan Caballero from IMDEA Software Institute.

This material is based upon work supported in part by the U.S. Department of Commerce grant 2106DEK, National Science Foundation (NSF) grant 2106DGX and Air Force Research Laboratory/Defense Advanced Research Projects Agency grant 2106DTX. This research was also partially supported by the Regional Government of Madrid through the N-GREENS Software-CM S2013/ICE-2731 project and by the Spanish Government through the DEDETIS grant TIN2015-7013-R. Any opinions, findings, conclusions, or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the Department of Commerce, National Science Foundation, Air Force Research Laboratory, or Defense Advanced Research Projects Agency.

CITATION: Chaz Lever, et al., "A Lustrum of Malware Network Communication: Evolution and Insights," (38th IEEE Security and Privacy Symposium, 2017).

Georgia Institute of Technology
