PASCAL - Pattern Analysis, Statistical Modelling and Computational Learning

Botzilla: Detecting the "Phoning Home" of Malicious Software.
Konrad Rieck, Guido Schwenk, Tobias Limmer, Thorsten Holz and Pavel Laskov
25th Symposium on Applied Computing (SAC) 2010.

Abstract

Hosts infected with malicious software, so called malware, are ubiquitous in today’s computer networks. The means whereby malware can infiltrate a network are manifold and range from exploiting of software vulnerabilities to tricking a user into executing malicious code. Monitoring and detection of all possible infection vectors is intractable in practice. Hence, we approach the problem of detecting malicious software at a later point when it initiates contact with its maintainer; a process referred to as "phoning home". In particular, we introduce Botzilla, a method for detection of malware communication, which proceeds by repetitively recording network traffic of malware in a controlled environment and generating network signatures from invariant content patterns. Experiments conducted at a large university network demonstrate the ability of Botzilla to accurately identify malware communication in network traffic with very low false-positive rates.

PDF - Requires Adobe Acrobat Reader or other PDF viewer.
EPrint Type:Article
Project Keyword:Project Keyword UNSPECIFIED
Subjects:Theory & Algorithms
ID Code:5531
Deposited By:Konrad Rieck
Deposited On:09 July 2010