Abstract
The constant increase of malware threats clearly shows that the present countermeasures are not sufficient, especially because most actions are put in place only after infections have already spread. In this paper, we present an innovative collaborative architecture for malware analysis that aims at early detection and timely deployment of countermeasures. The proposed system is a multi-tier architecture in which the sensor nodes are geographically distributed over multiple organizations. These nodes send alerts to intermediate managers, which in turn communicate with one logical collector and analyzer. Relevant information, determined by the automatic analysis of the malware behavior in a sandbox, and the resulting countermeasures are sent to all the cooperating networks. The proposal has several other novel features. The architecture is extremely scalable and flexible because multiple levels of intermediate managers can be used, depending on the complexity of the network of each participating organization. Encrypted communications among components help prevent the leakage of sensitive information and allow the pairwise authentication of the nodes involved in the information sharing. The feasibility of the proposed architecture is demonstrated through a working prototype realized using open source software.
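As an added illustration of the tiers described in the abstract (not code from the paper or its prototype): sensors send alerts to an intermediate manager, which authenticates each alert with a key shared only with that sensor, tags it with its organization and forwards it to the single logical collector; the collector correlates the same sample across organizations and pushes a countermeasure to every cooperating network. The pairwise keys, node names, sample hash and the two-organization threshold are assumptions; the sandbox analysis and channel encryption of the paper are not modelled here.

```python
import hmac, hashlib, json
# Constructed pairwise link keys (assumption): every adjacent pair of nodes shares
# its own secret, so a manager authenticates each sensor and the collector each manager.
PAIR_KEYS = {("sensor-A1", "manager-A"): b"key-A1-A", ("sensor-B1", "manager-B"): b"key-B1-B",
             ("manager-A", "collector"): b"key-A-C", ("manager-B", "collector"): b"key-B-C"}
def _mac(key, body):
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()
def send(sender, receiver, body):  # wrap an alert with an HMAC keyed by the (sender, receiver) pair
    return {"from": sender, "to": receiver, "body": body, "mac": _mac(PAIR_KEYS[(sender, receiver)], body)}
def verify(msg):
    key = PAIR_KEYS.get((msg["from"], msg["to"]))
    return key is not None and hmac.compare_digest(_mac(key, msg["body"]), msg["mac"])

class Collector:  # single logical collector: correlates sightings across organizations, broadcasts
    def __init__(self, threshold=2):
        self.name, self.threshold = "collector", threshold
        self.sightings, self.managers, self.countermeasures = {}, [], {}
    def receive(self, msg):
        if not verify(msg):
            return False
        h, org = msg["body"]["sample_sha256"], msg["body"]["org"]
        self.sightings.setdefault(h, set()).add(org)
        if len(self.sightings[h]) >= self.threshold and h not in self.countermeasures:
            self.countermeasures[h] = {"sample_sha256": h, "reported_by": sorted(self.sightings[h])}
            for m in self.managers:  # every cooperating network gets it, not only the reporters
                m.apply(self.countermeasures[h])
        return True

class Manager:  # intermediate tier: authenticates its sensors, tags with its organization, forwards up
    def __init__(self, name, upstream):
        self.name, self.upstream, self.blocked = name, upstream, set()
        upstream.managers.append(self)
    def receive(self, msg):
        if msg["to"] != self.name or not verify(msg):
            return False  # unauthenticated or misrouted alert is dropped here, never forwarded
        return self.upstream.receive(send(self.name, self.upstream.name, dict(msg["body"], org=self.name)))
    def apply(self, cm):
        self.blocked.add(cm["sample_sha256"])  # local countermeasure: block the sample hash

def run_scenario():
    """Two organizations report the same sample; an alert altered in transit is rejected."""
    c = Collector()
    ma, mb = Manager("manager-A", c), Manager("manager-B", c)
    h = "ab" * 32  # constructed sample hash
    first = ma.receive(send("sensor-A1", "manager-A", {"sample_sha256": h}))
    tampered = send("sensor-A1", "manager-A", {"sample_sha256": h})
    tampered["body"]["sample_sha256"] = "cd" * 32  # body changed after signing: MAC no longer matches
    rejected = not ma.receive(tampered)
    second = mb.receive(send("sensor-B1", "manager-B", {"sample_sha256": h}))
    return first, rejected, second, h in ma.blocked and h in mb.blocked, len(c.countermeasures)
```

A countermeasure is issued only once per sample and reaches manager-B as well as manager-A, which is the cross-organization sharing the abstract describes.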
Keywords
- Alert Correlation
- Intermediate Manager
- Computer Emergency Response Team
- Remote Address
- Intrusion Detection Message Exchange Format
© 2008 IFIP International Federation for Information Processing
About this paper
Cite this paper
Colajanni, M., Gozzi, D., Marchetti, M. (2008). Collaborative architecture for malware detection and analysis. In: Jajodia, S., Samarati, P., Cimato, S. (eds) Proceedings of The Ifip Tc 11 23rd International Information Security Conference. SEC 2008. IFIP – The International Federation for Information Processing, vol 278. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-09699-5_6
DOI: https://doi.org/10.1007/978-0-387-09699-5_6
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-09698-8
Online ISBN: 978-0-387-09699-5