
Two Methods for Detecting Malware

Conference paper, Multimedia Communications, Services and Security (MCSS 2013)

Abstract

In this paper, we present two ways of detecting malware. The first one takes advantage of a platform that we have developed. The platform includes tools for capturing malware, running code in a controlled environment, and analyzing its interactions with external entities. It enables us to detect malware based on the observation of its communication behavior. The second approach uses a method for detecting encrypted Skype traffic and classifying Skype service flows such as voice calls, SkypeOut, video conferencing, chat, and file upload and download. The method is based on Statistical Protocol IDentification (SPID), which analyzes statistical values of some traffic attributes. We apply the method to identify malicious traffic: we have successfully detected the propagation of Worm.Win32.Skipi.b, which spreads over the Skype messenger by sending infected messages to all Skype contacts on a victim machine.
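To make the SPID idea behind the second method concrete, here is an added illustration (not the authors' code or the original SPID implementation): a fingerprint is a per-attribute probability distribution of packet features, and an observed flow is assigned to the protocol whose fingerprint is closest, using Kullback-Leibler divergence as the distance. The three attribute meters and all training flows are assumed and constructed for this example, not real Skype captures.

```python
import math
from collections import Counter

# Attribute "meters" (assumed here for illustration; SPID defines many more):
# each maps one packet, given as (direction, payload), to a discrete value.
METERS = {
    "first_byte": lambda pkt: pkt[1][0] if pkt[1] else -1,
    "size_bucket": lambda pkt: min(len(pkt[1]) // 16, 15),
    "direction": lambda pkt: pkt[0],
}

def fingerprint(flows):
    """Per-attribute probability distribution over every packet of the given flows."""
    fp = {}
    for name, meter in METERS.items():
        counts = Counter(meter(pkt) for flow in flows for pkt in flow)
        total = sum(counts.values())
        fp[name] = {k: v / total for k, v in counts.items()}
    return fp

def kl_divergence(observed, model, eps=1e-6):
    """D(observed || model); additive smoothing keeps unseen values finite."""
    total = 0.0
    for k in set(observed) | set(model):
        p = observed.get(k, 0.0) + eps
        q = model.get(k, 0.0) + eps
        total += p * math.log(p / q)
    return total

def classify(flow, models, threshold=2.0):
    """Label = model with the lowest mean divergence; 'unknown' if nothing is close."""
    obs = fingerprint([flow])
    scores = {label: sum(kl_divergence(obs[a], fp[a]) for a in METERS) / len(METERS)
              for label, fp in models.items()}
    best = min(scores, key=scores.get)
    return best if scores[best] < threshold else "unknown"

# Constructed training flows (not real Skype captures): "chat" carries short
# text-like payloads in both directions, "media" long client-to-server payloads.
def chat_flow(n):
    return [("c2s" if i % 2 == 0 else "s2c", b"\x02" + b"hello world"[: 5 + i % 6])
            for i in range(n)]

def media_flow(n):
    return [("c2s", bytes([i % 256]) + bytes(200 + (i * 37) % 50)) for i in range(n)]

MODELS = {
    "chat": fingerprint([chat_flow(40), chat_flow(25)]),
    "media": fingerprint([media_flow(40), media_flow(30)]),
}
```

A flow whose attribute distributions match none of the trained fingerprints falls back to "unknown", which is the case an analyst would want flagged rather than forced into the nearest known class.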



© 2013 Springer-Verlag Berlin Heidelberg


Cite this paper

Korczyński, M., Berger-Sabbatel, G., Duda, A. (2013). Two Methods for Detecting Malware. In: Dziech, A., Czyżewski, A. (eds) Multimedia Communications, Services and Security. MCSS 2013. Communications in Computer and Information Science, vol 368. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-38559-9_9


  • DOI: https://doi.org/10.1007/978-3-642-38559-9_9

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-38558-2

  • Online ISBN: 978-3-642-38559-9
