Capture – A behavioral analysis tool for applications and documents

Seifert, Christian; Steenson, Ramon; Welch, Ian; Komisarczuk, Peter; Endicott-Popovsky, Barbara

doi:10.1016/j.diin.2007.06.003

Cited by 39 publications

(19 citation statements)

References 1 publication

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…1. Capture-HPC honeyclient architecture [8,22] Developments to scale the honeyclient system have been trialed using Grid computing which encapsulated the system for the Grid using the gRAVI toolkit [36] and using workflow engines to control Grid execution [28]. The use of workflow engines proved less effective than hoped at scaling honeyclient infrastructure.…”

Section: Review Of Developments In Active and Passive Sensorsmentioning

confidence: 99%

“…that captures API calls, shown in Figure 1. The honeyclient system developed incorporates a server component (Capture-HPC) [8] and a Microsoft Windows behavioural analysis tool (Capture-BAT), running in a Virtual Machine environment controlled from the coordinating server. The latest developments have been to provide network API monitoring and extensions to the capture server to incorporate a database and checkpoints to optimize operations [35] and has been used in a variety of studies, including a long term scan of the .nz domain.…”

Section: Review Of Developments In Active and Passive Sensorsmentioning

confidence: 99%

“…For example, a keylogger program installed without the users permission in order to gather user name and password data. To discover these exploits instruments called honeyclients [8,9,10,11,12] have been developed of which there are two main classifications. A high-interaction honeyclient [8] is an instrument consisting of a complete operating system running a web browser where we classify a web server as either malicious or benign based on changes observed to the state of the operating system after visiting the web site.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Internet Sensor Grid: Experiences with Passive and Active Instruments

Komisarczuk

Welch

2010

Communications: Wireless in Developing Countries and Networks of the Future

Self Cite

View full text Add to dashboard Cite

Abstract. The Internet is constantly evolving with new emergent behaviours arising; some of them malicious. This paper discusses opportunities and research direction in an Internet sensor grid for malicious behaviour detection, analysis and countermeasures. We use two example sensors as a basis; firstly the honeyclient for malicious server and content identification (i.e. drive-bydownloads, the most prevalent attack vector for client systems) and secondly the network telescope for Internet Background Radiation detection (IBRwhich is classified as unsolicited, non-productive traffic that traverses the Internet, often malicious in nature or origin). Large amounts of security data can be collected from such sensors for analysis and federating honeyclient and telescope data provides a worldwide picture of attacks that could enable the provision of countermeasures. In this paper we outline some experiences with these sensors and analyzing network telescope data through Grid computing as part of an "intelligence layer" within the Internet.

show abstract

Section: Review Of Developments In Active and Passive Sensorsmentioning

confidence: 99%

Section: Review Of Developments In Active and Passive Sensorsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Internet Sensor Grid: Experiences with Passive and Active Instruments

Komisarczuk

Welch

2010

Communications: Wireless in Developing Countries and Networks of the Future

Self Cite

View full text Add to dashboard Cite

show abstract

“…Norman Sandbox [18] uses a simulated operating system compatible with Windows for executing malware. Instead of a virtual or emulated machine, a real machine is used for malware execution in Capture [19] and Joebox [20]. Though a real machine takes a long time to refresh its infected OS, it is resistant to the detection of virtual or emulated machines by sophisticated malwares.…”

Section: Related Workmentioning

confidence: 99%

Automated Malware Analysis System and Its Sandbox for Revealing Malware's Internal and External Activities

Inoue

Yoshioka

Eto

et al. 2009

IEICE Trans. Inf. & Syst.

View full text Add to dashboard Cite

SUMMARYMalware has been recognized as one of the major security threats in the Internet. Previous researches have mainly focused on malware's internal activity in a system. However, it is crucial that the malware analysis extracts a malware's external activity toward the network to correlate with a security incident. We propose a novel way to analyze malware: focus closely on the malware's external (i.e., network) activity. A malware sample is executed on a sandbox that consists of a real machine as victim and a virtual Internet environment. Since this sandbox environment is totally isolated from the real Internet, the execution of the sample causes no further unwanted propagation. The sandbox is configurable so as to extract specific activity of malware, such as scan behaviors. We implement a fully automated malware analysis system with the sandbox, which enables us to carry out the large-scale malware analysis. We present concrete analysis results that are gained by using the proposed system.

show abstract

“…However, it does not focus on the network activities of malware and does not contain the second victim so that vulnerability exploitation to other host can not be observed. Instead of using a virtual or emulated machine, a real machine is used for malware execution in Capture [12] and Joebox [16]. These two tools mainly focus on extracting internal behaviour of malware and do not discuss how to securely observe malware's network activities.…”

Section: Related Workmentioning

confidence: 99%

Malware Sandbox Analysis for Secure Observation of Vulnerability Exploitation

Yoshioka

Inoue

Eto

et al. 2009

IEICE Trans. Inf. & Syst.

View full text Add to dashboard Cite

SUMMARYExploiting vulnerabilities of remote systems is one of the fundamental behaviors of malware that determines their potential hazards. Understanding what kind of propagation tactics each malware uses is essential in incident response because such information directly links with countermeasures such as writing a signature for IDS. Although recently malware sandbox analysis has been studied intensively, little work is done on securely observing the vulnerability exploitation by malware. In this paper, we propose a novel sandbox analysis method for securely observing malware's vulnerability exploitation in a totally isolated environment. In our sandbox, we prepare two victim hosts. We first execute the sample malware on one of these hosts and then let it attack the other host which is running multiple vulnerable services. As a simple realization of the proposed method, we have implemented a sandbox using Nepenthes, a lowinteraction honeypot, as the second victim. Because Nepenthes can emulate a variety of vulnerable services, we can efficiently observe the propagation of sample malware. In the experiments, among 382 samples whose scan capabilities are confirmed, 381 samples successfully started exploiting vulnerabilities of the second victim. This indicates the certain level of feasibility of the proposed method. key words: malware sandbox analysis, exploit code detection, lowinteraction honeypot

show abstract

Capture – A behavioral analysis tool for applications and documents

Cited by 39 publications

References 1 publication

Internet Sensor Grid: Experiences with Passive and Active Instruments

Internet Sensor Grid: Experiences with Passive and Active Instruments

Automated Malware Analysis System and Its Sandbox for Revealing Malware's Internal and External Activities

Malware Sandbox Analysis for Secure Observation of Vulnerability Exploitation

Contact Info

Product

Resources

About