TY - GEN
T1 - Using failure information analysis to detect enterprise zombies
AU - Zhu, Zhaosheng
AU - Yegneswaran, Vinod
AU - Chen, Yan
N1 - Copyright:
Copyright 2013 Elsevier B.V., All rights reserved.
PY - 2009
Y1 - 2009
AB - We propose failure information analysis as a novel strategy for uncovering malware activity and other anomalies in enterprise network traffic. A focus of our study is detecting self-propagating malware such as worms and botnets. We begin by conducting an empirical study of transport- and application-layer failure activity using a collection of long-lived malware traces. We dissect the failure activity observed in this traffic in several dimensions, finding that their failure patterns differ significantly from those of real-world applications. Based on these observations, we describe the design of a prototype system called Netfuse to automatically detect and isolate malware-like failure patterns. The system uses an SVM-based classification engine to identify suspicious systems and clustering to aggregate failure activity of related enterprise hosts. Our evaluation using several malware traces demonstrates that the Netfuse system provides an effective means to discover suspicious application failures and infected enterprise hosts. We believe it would be a useful complement to existing defenses.
UR - http://www.scopus.com/inward/record.url?scp=84869596416&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84869596416&partnerID=8YFLogxK
U2 - 10.1007/978-3-642-05284-2_11
DO - 10.1007/978-3-642-05284-2_11
M3 - Conference contribution
AN - SCOPUS:84869596416
SN - 3642052835
SN - 9783642052835
T3 - Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering
SP - 185
EP - 206
BT - Security and Privacy in Communication Networks - 5th International ICST Conference, SecureComm 2009, Revised Selected Papers
T2 - 5th International ICST Conference on Security and Privacy in Communication Networks, SecureComm 2009
Y2 - 14 September 2009 through 18 September 2009
ER -