Detecting and identifying malware: a new signal processing goal

Mitra, Urbashi; Ortega, Antonio; Heidemann, John; Papadopoulos, Christos

doi:10.1109/msp.2006.1708419

Cited by 13 publications

(11 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Finally, most prior work looks at high frequency behavior; we instead consider events which occur at very low frequencies (sub1Hz) and use long observation windows (hours to days) to see such events. Our work is a specific example of applying signal processing to network traffic [13].…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Low-rate, flow-level periodicity detection

Bartlett¹,

Heidemann²,

Papadopoulos

2011

2011 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS)

View full text Add to dashboard Cite

Abstract-As desktops and servers become more complicated, they employ an increasing amount of automatic, non-user initiated communication. Such communication can be good (OS updates, RSS feed readers, and mail polling), bad (keyloggers, spyware, and botnet command-and-control), or ugly (adware or unauthorized peer-to-peer applications). Communication in these applications is often regular, but with very long periods, ranging from minutes to hours. This infrequent communication and the complexity of today's systems makes these applications difficult for users to detect and diagnose. In this paper we present a new approach to identify low-rate periodic network traffic and changes in such regular communication. We employ signal-processing techniques, using discrete wavelets implemented as a fully decomposed, iterated filter bank. This approach not only detects low-rate periodicities, but also identifies approximate times when traffic changed. We implement a self-surveillance application that externally identifies changes to a user's machine, such as interruption of periodic software updates, or an installation of a keylogger.

show abstract

Section: Related Workmentioning

confidence: 99%

“…To apply signal processing to network traffic we first must generate a timeseries of events that represent network traffic [13]. We begin by discarding all traffic that is not of interest, then map events of interest into a fixed-interval timeseries of events per time period.…”

Section: A Timeseries Extractionmentioning

confidence: 99%

Low-rate, flow-level periodicity detection

Bartlett¹,

Heidemann²,

Papadopoulos

2011

2011 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS)

View full text Add to dashboard Cite

show abstract

“…In terms of spectrum analysis, Mitra et al [23] proposed an anomaly detection method based on spectrum analysis. They focused on the harmonic structure of the traffic data spectrum obtained by the Fourier transform and wavelet to detect DDoS and bottleneck traffic.…”

Section: Spectrum Analysismentioning

confidence: 99%

Fine-Grain Feature Extraction from Malware's Scan Behavior Based on Spectrum Analysis

Eto

Sonoda

Inoue

et al. 2010

IEICE Trans. Inf. & Syst.

View full text Add to dashboard Cite

SUMMARYNetwork monitoring systems that detect and analyze malicious activities as well as respond against them, are becoming increasingly important. As malwares, such as worms, viruses, and bots, can inflict significant damages on both infrastructure and end user, technologies for identifying such propagating malwares are in great demand. In the largescale darknet monitoring operation, we can see that malwares have various kinds of scan patterns that involves choosing destination IP addresses. Since many of those oscillations seemed to have a natural periodicity, as if they were signal waveforms, we considered to apply a spectrum analysis methodology so as to extract a feature of malware. With a focus on such scan patterns, this paper proposes a novel concept of malware feature extraction and a distinct analysis method named "SPectrum Analysis for Distinction and Extraction of malware features (SPADE)". Through several evaluations using real scan traffic, we show that SPADE has the significant advantage of recognizing the similarities and dissimilarities between the same and different types of malwares.

show abstract

“…This is proposed as a complementary approach to existing DoS detection and defense mechanisms that identify attacks. The use of the Fourier transform has also been proposed in [23] and [16]. However, in all these works the focus is more on fingerprinting and on the recognition of different kinds of anomalies once a candidate anomaly inside a specific time interval has already been identified.…”

Section: Related Workmentioning

confidence: 99%

A cascade architecture for DoS attacks detection based on the wavelet transform

Dainotti

Pescapè

Ventre

2009

JCS

View full text Add to dashboard Cite

In this paper we propose an automated system able to detect volume-based anomalies in network traffic caused by Denial of Service (DoS) attacks. We designed a system with a two-stage architecture that combines more traditional change point detection approaches (Adaptive Threshold and Cumulative Sum) with a novel one based on the Continuous Wavelet Transform. The presented anomaly detection system is able to achieve good results in terms of the trade-off between correct detections and false alarms, estimation of anomaly duration, and ability to distinguish between subsequent anomalies. We test our system using a set of publicly available attack-free traffic traces to which we superimpose anomaly profiles obtained both as time series of known common behaviors and by generating traffic with real tools for DoS attacks. Extensive test results show how the proposed system accurately detects a wide range of DoS anomalies and how the performance indicators are affected by anomalies characteristics (i.e. amplitude and duration). Moreover, we separately consider and evaluate some special test-cases.

show abstract

Detecting and identifying malware: a new signal processing goal

Cited by 13 publications

References 7 publications

Low-rate, flow-level periodicity detection

Low-rate, flow-level periodicity detection

Fine-Grain Feature Extraction from Malware's Scan Behavior Based on Spectrum Analysis

A cascade architecture for DoS attacks detection based on the wavelet transform

Contact Info

Product

Resources

About