Behavioral Clustering of HTTP-Based Malware and Signature ...

using the TRE library [22]. All the experiments were performed on a 4-core 2.67GHz Intel Core-i7 machine with 12GB of RA
Behavioral Clustering of HTTP-Based Malware and Signature Generation Using Malicious Network Traces

Roberto Perdisci (a, b), Wenke Lee (a), and Nick Feamster (a)
a College of Computing, Georgia Institute of Technology, Atlanta, GA 30332, USA
b Damballa, Inc., Atlanta, GA 30308, USA
[email protected], {wenke, feamster}@cc.gatech.edu

Abstract

be used to detect future malware variants with low false positives and false negatives. Network-level signatures have some attractive properties compared to system-level signatures. For example, enforcing system-level behavioral signatures often requires the use of virtualized environments and expensive dynamic analysis [21, 34]. On the other hand, network-level signatures are usually easier to deploy because we can take advantage of existing network monitoring infrastructures (e.g., intrusion detection systems and alert monitoring tools) and monitor a large number of machines without introducing overhead at the end hosts. The vast majority of malware needs a network connection in order to perpetrate its malicious activities (e.g., sending spam, exfiltrating private
