Sandnet: Network traffic analysis of malicious software

Christian Rossow*, Christian J. Dietrich, Herbert Bos, Lorenzo Cavallaro, Maarten van Steen, Felix C. Freiling, Norbert Pohlmann

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution, Academic, peer-reviewed

69 Citations (Scopus)

Abstract

Dynamic analysis of malware is widely used to obtain a better understanding of unknown software. While existing systems mainly focus on host-level activities of malware and limit the analysis period to a few minutes, we concentrate on the network behavior of malware over longer periods. We provide a comprehensive overview of typical malware network behavior by discussing the results that we obtained during the analysis of more than 100,000 malware samples. The resulting network behavior was dissected in our new analysis environment called Sandnet that complements existing systems by focusing on network traffic analysis. Our in-depth analysis of the two protocols that are most popular among malware authors, DNS and HTTP, helps to understand and characterize the usage of these prevalent protocols.

Original language: English
Title of host publication: BADGERS 2011
Subtitle of host publication: Proceedings of the 1st Workshop on Building Analysis Datasets and Gathering Experience Returns for Security
Place of publication: New York, NY
Publisher: ACM Press
Pages: 78-88
Number of pages: 11
ISBN (Print): 978-1-4503-0768-0
DOIs
Publication status: Published - 17 Jun 2011
Externally published: Yes
Event: 1st Workshop on Building Analysis Datasets and Gathering Experience Returns for Security, BADGERS 2011 - Salzburg, Austria
Duration: 10 Apr 2011 - 10 Apr 2011
Conference number: 1

Conference

Conference: 1st Workshop on Building Analysis Datasets and Gathering Experience Returns for Security, BADGERS 2011
Abbreviated title: BADGERS 2011
Country: Austria
City: Salzburg
Period: 10/04/11 - 10/04/11
