Detecting the Behavioral Relationships of Malware Connections

(position paper)


Sebastian Garcia & Michal Pechoucek


sebastian.garcia@agents.fel.cvut.cz

@eldracote

Live: bit.ly/praise2016

  • Privacy and surveillance. The MasterMind program. 

    • We should know how to deal with this, and use it.

  • Behavior of malware, how to detect it.

The origin

The Problem

  • False positives: you detect something as malicious when it is not.

    • Detection of what?

      • Packets?

      • Flows?

      • Web logs?

      • Unique computers?

  • Differentiating normal from malicious

    • We may detect malicious traffic on its own. When it is mixed with normal traffic, it is far more difficult.

Stratosphere IPS Project

  • Model network behaviors as a string of letters.

  • 1 flow → 3 features → 1 letter

  • 1 connection (srcIP, dstIP, dstPort, Proto) → 1 string
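The encoding in the two bullets above, as an added example (not Stratosphere's own code). Each flow of one connection tuple becomes a letter built from three features: how periodic the flow's start time is with respect to the previous flows, its size and its duration. The bucket thresholds, the periodicity ratios and the 27-letter table are assumptions chosen for illustration; Stratosphere uses its own thresholds and alphabet. The sample flows are constructed.

```python
"""Flow-to-letter encoding of a connection (added example, not Stratosphere code)."""
import string
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    start: float      # seconds since capture start
    src: str
    dst: str
    dport: int
    proto: str
    duration: float   # seconds
    size: int         # bytes


# 3 periodicity x 3 size x 3 duration buckets = 27 letters (assumed table).
LETTERS = string.ascii_lowercase + "A"


def bucket(value, low, high):
    """0 = small/short, 1 = medium, 2 = large/long (assumed thresholds)."""
    return 0 if value < low else 1 if value < high else 2


def periodicity(gap, prev_gap):
    """0 = strongly periodic, 1 = weakly periodic, 2 = not periodic or unknown.

    Periodicity is judged from the ratio of the last two inter-flow gaps, so the
    second flow of a connection (only one gap known) is always 'unknown'.
    """
    if prev_gap is None or min(gap, prev_gap) <= 0:
        return 2
    ratio = max(gap, prev_gap) / min(gap, prev_gap)
    return 0 if ratio < 1.1 else 1 if ratio < 1.5 else 2


def encode_connection(flows):
    """Behaviour string for flows that all share one (src, dst, dport, proto)."""
    flows = sorted(flows, key=lambda f: f.start)
    letters = []
    prev_gap = None
    for prev, cur in zip(flows, flows[1:]):  # the first flow has no gap, no letter
        gap = cur.start - prev.start
        p = periodicity(gap, prev_gap)
        s = bucket(cur.size, 200, 1000)       # bytes
        d = bucket(cur.duration, 1.0, 10.0)   # seconds
        letters.append(LETTERS[p * 9 + s * 3 + d])
        prev_gap = gap
    return "".join(letters)


def encode_all(flows):
    """Group flows by connection tuple and encode each group into a string."""
    by_conn = defaultdict(list)
    for f in flows:
        by_conn[(f.src, f.dst, f.dport, f.proto)].append(f)
    return {conn: encode_connection(fl) for conn, fl in by_conn.items()}


# Constructed sample: a beacon every 60 s with a fixed size, and an irregular
# web session. The beacon settles into one repeated letter; the session does not.
BEACON = [Flow(60.0 * i, "192.168.1.10", "10.0.0.5", 25000, "tcp", 0.5, 300)
          for i in range(5)]
WEB = [Flow(t, "192.168.1.10", "10.0.0.9", 80, "tcp", dur, size)
       for t, dur, size in [(0, 0.2, 1500), (3, 0.2, 80), (50, 15, 5000),
                            (52, 0.3, 120), (120, 2, 700)]]

if __name__ == "__main__":
    for conn, s in encode_all(BEACON + WEB).items():
        print(conn, s)
```

The beacon connection yields "vddd": one 'unknown' letter, then the same strongly-periodic letter for every later flow. The web session yields "sAsw", with no two consecutive flows sharing periodicity, size and duration. This is the property the slides rely on; the next slide shows that it is not always enough.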

The Problem of Stratosphere

  • It usually works, but some behaviors are very similar to each other.

  • Normal Radio Streaming

    • 88,h,h,h,h,h,h,H,H,h,h,h,h,H,H,h,H,H,h,H,h,H,H,H,h,

  • Botnet C&C server 23.247.5.27 port 25000/tcp

    • 88,H,H,h,H,H,h,h,h,h,h,H,h,H,H,H

A better differentiation

  • We are looking too closely.

  • Analyze the behavior of the host instead of a single connection.

A New type of Graph

  • A graph to show the relationships of flow sequences.

  • Made by Daniel Šmolík, from the Stratosphere team.

    • A graph per client (source IP).

    • A node is the combination of dst IP, dst port, protocol.

    • An edge is a flow sequence as seen in the network.

  • The more times an edge is found, the thicker it is drawn.

  • The more times a node is repeated, the larger it is drawn.

  • The more times a node loops with itself, the more its color changes.

Normal Graph

  • One client.

Normal Graph

  • The same client, with the DNS servers removed.

Geodo Botnet complete graph

Geodo Botnet filtered graph

  • No DNS, ICMP, IPv6, ARP or multicast.

Mixed Normal and Adware

  • Before infection. No DNS.

Mixed Normal and Adware

  • After infection. No DNS.

Analyzing the Behavior of a Host

  • Now

    • Number of times a [dst IP, dst port, protocol] tuple is accessed (node).

    • Number of times a node comes right after another node in the sequence (edge).

    • Number of times a node loops with itself.

  • Work in progress

    • Loops

      • Find loops in the graph structure.

      • Complex loops, double loops (Geodo).

    • Type of nodes.

    • Type of nodes connecting to each node (relation).

    • Stratosphere Behaviors
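The three counts listed under "Now" and the loop search listed under "Work in progress", as an added example (not Daniel Šmolík's or Stratosphere's code). The flows are a constructed sequence for one client; nodes are (dst IP, dst port, proto) tuples, an edge is two nodes seen consecutively in time order, and a self-loop is a node followed by itself. The loop search enumerates simple cycles with a depth-first search that only reports each cycle from its lowest-ranked node, so every cycle appears once; self-loops are excluded from it because they are already counted separately. The C&C-looking destination and the other addresses in the sample are invented.

```python
"""Per-client behaviour graph with loop search (added example, not Stratosphere code)."""
from collections import Counter, defaultdict

# Constructed flows of one client (src 192.168.1.10) as
# (start_seconds, dst_ip, dst_port, proto). The 25000/tcp destination is hit
# repeatedly in a row, the shape the slides show for a C&C channel.
FLOWS = [
    (0.0, "8.8.8.8", 53, "udp"),
    (0.1, "93.184.216.34", 443, "tcp"),
    (5.0, "8.8.8.8", 53, "udp"),
    (5.1, "93.184.216.34", 443, "tcp"),
    (60.0, "23.247.5.27", 25000, "tcp"),
    (120.0, "23.247.5.27", 25000, "tcp"),
    (180.0, "23.247.5.27", 25000, "tcp"),
    (200.0, "8.8.8.8", 53, "udp"),
    (200.1, "93.184.216.34", 443, "tcp"),
    (210.0, "10.0.0.2", 445, "tcp"),
    (240.0, "23.247.5.27", 25000, "tcp"),
    (300.0, "23.247.5.27", 25000, "tcp"),
]


def build_graph(flows):
    """Return (node counts, edge counts, self-loop counts) for one client."""
    seq = [(dst, port, proto) for _, dst, port, proto in sorted(flows)]
    nodes = Counter(seq)                       # how often each tuple is accessed
    pairs = list(zip(seq, seq[1:]))            # consecutive flows in time order
    edges = Counter(pairs)                     # how often B follows A
    self_loops = Counter(a for a, b in pairs if a == b)
    return nodes, edges, self_loops


def simple_cycles(edges):
    """Enumerate simple cycles of length >= 2 in the directed graph of edges.

    Each cycle is reported once, starting at its lowest-ranked node (ranks are
    the sorted order of the node tuples); a DFS never descends to a node ranked
    below the start, which is what prevents duplicates.
    """
    adj = defaultdict(set)
    for a, b in edges:
        adj[a].add(b)
    order = sorted(set(adj) | {b for succ in adj.values() for b in succ})
    rank = {n: i for i, n in enumerate(order)}
    found = []

    def dfs(start, cur, path):
        for nxt in sorted(adj[cur]):
            if nxt == start:
                if len(path) > 1:              # length-1 loops are counted elsewhere
                    found.append(tuple(path))
            elif rank[nxt] > rank[start] and nxt not in path:
                path.append(nxt)
                dfs(start, nxt, path)
                path.pop()

    for s in order:
        dfs(s, s, [s])
    return found


def describe(flows):
    """Summary a detector could score: per-node counts, self-loops and cycles."""
    nodes, edges, loops = build_graph(flows)
    return {
        "nodes": dict(nodes),
        "edges": dict(edges),
        "self_loops": dict(loops),
        "cycles": simple_cycles(edges),
    }


if __name__ == "__main__":
    summary = describe(FLOWS)
    for key, value in summary.items():
        print(key)
        for item in (value.items() if isinstance(value, dict) else value):
            print("   ", item)
```

On the sample, the 25000/tcp node is accessed five times and loops with itself three times, the DNS-to-HTTPS edge is seen three times, and three cycles come back: the DNS/HTTPS pair, that pair through the 25000/tcp node, and a longer loop through the 445/tcp host. The double loops mentioned for Geodo are cycles that share a node; the same enumeration finds them, and a detector can then score how many cycles pass through a node and how often that node self-loops.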

Conclusion and Thanks!

  • The behavior of a host can be modeled by looking at its actions, its relationships and its loops.

    • These are the features that differentiate malware from normal traffic.

  • Next: more experiments, evaluation and comparison.


Thank you for staying! And thanks Daniel Smolík for his work.

Sebastian Garcia

sebastian.garcia@agents.fel.cvut.cz

@eldracote
