SGNET: A Worldwide Deployable Framework to Support the Analysis of Malware Threat Models

Leita, Corrado; Daciér, Marc

doi:10.1109/edcc-7.2008.15

Cited by 37 publications

(24 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The analyzed dataset is composed of 1599 malware samples collected by a real world honeypot deployment, SGNET [7], [8]. SGNET is a distributed honeypot deployment for the observation of server-side code injection attacks.…”

Section: Experimental Setup and Architecturementioning

confidence: 99%

See 1 more Smart Citation

An Experimental Study of Diversity with Off-the-Shelf AntiVirus Engines

Gashi

Stanković

Leita³

et al. 2009

2009 Eighth IEEE International Symposium on Network Computing and Applications

Self Cite

View full text Add to dashboard Cite

Abstract-Fault tolerance in the form of diverse redundancy is well known to improve the detection rates for both malicious and non-malicious failures. What is of interest to designers of security protection systems are the actual gains in detection rates that they may give. In this paper we provide exploratory analysis of the potential gains in detection capability from using diverse AntiVirus products for the detection of self-propagating malware. The analysis is based on 1599 malware samples collected by the operation of a distributed honeypot deployment over a period of 178 days. We sent these samples to the signature engines of 32 different AntiVirus products taking advantage of the VirusTotal service. The resulting dataset allowed us to perform analysis of the effects of diversity on the detection capability of these components as well as how their detection capability evolves in time.

show abstract

Section: Experimental Setup and Architecturementioning

confidence: 99%

“…This is achieved by taking into consideration real-world data generated by a distributed honeypot deployment, SGNET [7], [8]. The advantages of this dataset over those used in the previous work [4] can be summarized as follows:…”

Section: Introductionmentioning

confidence: 99%

An Experimental Study of Diversity with Off-the-Shelf AntiVirus Engines

Gashi

Stanković

Leita³

et al. 2009

2009 Eighth IEEE International Symposium on Network Computing and Applications

Self Cite

View full text Add to dashboard Cite

show abstract

“…These networks, also called honeynets, can be deployed on a few IP addresses within a local network. The project Leurre.com [7], SGNET [8], [9] and the honeynet initiative from CAIDA [10] are examples of distributed honeypot networks in different locations.…”

Section: Related Workmentioning

confidence: 99%

Comparing Detection Capabilities of AntiVirus Products: An Empirical Study with Different Versions of Products from the Same Vendors

Algaith

Gashi

Sobesto

et al. 2016

2016 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshop (DSN-W)

View full text Add to dashboard Cite

This is the accepted version of the paper.This version of the publication may differ from the final published version. Abstract -In this paper we report results of an empirical analysis of the detection capabilities of 9 AntiVirus (AV) products when they were subjected to 3605 malware samples collected on an experimental network over a period of 31 days in NovemberDecember 2013. We compared the detection capabilities of the version of the AV products that the vendors make available for free in VirusTotal versus the full capability products that they make available via their own website. The analysis has been done using externally observable properties of the AV products: namely whether they detect a given malware. The paper reports extensive analysis of the results. A surprising finding of our study was that only one of the vendors had a full capability version which detected all the malware that their VirusTotal version could detect. Permanent repository link

show abstract

“…In particular, we experiment with a protocol-agnostic technique [20] previously adopted to model the attack traffic in high-interaction honeypots [18,16]. The idea consists in building a finite state machine (FSM) of the network activity generated by each malware sample.…”

Section: Introductionmentioning

confidence: 99%

Towards network containment in malware analysis systems

Graziano

Leita

Balzarotti

2012

Proceedings of the 28th Annual Computer Security Applications Conference

Self Cite

View full text Add to dashboard Cite

This paper focuses on the containment and control of the network interaction generated by malware samples in dynamic analysis environments. A currently unsolved problem consists in the existing dependency between the execution of a malware sample and a number of external hosts (e.g. C&C servers). This dependency affects the repeatability of the analysis, since the state of these external hosts influences the malware execution but it is outside the control of the sandbox. This problem is also important from a containment point of view, because the network traffic generated by a malware sample is potentially of malicious nature and, therefore, it should not be allowed to reach external targets.The approach proposed in this paper addresses the repeatability and the containment of malware execution by exploring the use of protocol learning techniques for the emulation of the external network environment required by malware samples. We show that protocol learning techniques, if properly used and configured, can be successfully used to handle the network interaction required by malware. We present our solution, Mozzie, and show its ability to autonomously learn the network interaction associated to recent malware samples without requiring a-priori knowledge of the protocol characteristics. Therefore, our system can be used for the contained and repeatable analysis of unknown samples that rely on custom protocols for their communication with external hosts.

show abstract

SGNET: A Worldwide Deployable Framework to Support the Analysis of Malware Threat Models

Cited by 37 publications

References 15 publications

An Experimental Study of Diversity with Off-the-Shelf AntiVirus Engines

An Experimental Study of Diversity with Off-the-Shelf AntiVirus Engines

Comparing Detection Capabilities of AntiVirus Products: An Empirical Study with Different Versions of Products from the Same Vendors

Towards network containment in malware analysis systems

Contact Info

Product

Resources

About