Analyzing and Exploiting Network Behaviors of Malware

  • Jose Andre Morales
  • Areej Al-Bataineh
  • Shouhuai Xu
  • Ravi Sandhu
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 50)


In this paper we address the following questions: From a networking perspective, do malicious programs (malware, bots, viruses, etc...) behave differently from benign programs that run daily for various needs? If so, how may we exploit the differences in network behavior to detect them? To address these questions, we are systematically analyzing the behavior of a large set (at the magnitude of 2,000) of malware samples. We present our initial results after analyzing 1000 malware samples. The results show that malicious and benign programs behave quite differently from a network perspective. We are still in the process of attempting to interpret the differences, which nevertheless have been utilized to detect 31 malware samples which were not detected by any antivirus software on as of 01 April 2010, giving evidence that the differences between malicious and benign network behavior has a possible use in helping stop zero-day attacks on a host machine.


Network Activity Network Behavior User Datagram Protocol Domain Name System Remote Host 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
  2. 2.
    Balatzar, J., Costoya, J., Flores, R.: The real face of koobface: The largest web 2.0 botnet explained. Technical report, Trend Micro (2009)Google Scholar
  3. 3.
    Bayer, U., Habibi, I., Balzarotti, D., Kirda, E., Kruegel, C.: A view on current malware behaviors. In: LEET 2009: Usenix Workshop on Large-scale Exploits and Emergent Threats (2009)Google Scholar
  4. 4.
  5. 5.
  6. 6.
    Ellis, D.R., Aiken, J.G., Attwood, K.S., Tenaglia, S.D.: A behavioral approach to worm detection. In: WORM 2004: Proceedings of the 2004 ACM workshop on Rapid malcode, pp. 43–53. ACM Press, New York (2004)CrossRefGoogle Scholar
  7. 7.
    Gu, G., Perdisci, R., Zhang, J., Lee, W.: BotMiner: Clustering analysis of network traffic for protocol- and structure-independent botnet detection. In: Proceedings of the 17th USENIX Security Symposium, Security 2008 (2008)Google Scholar
  8. 8.
    Gupta, A., Kuppili, P., Akella, A., Barford, P.: An empirical study of malware evolution. In: COMSNETS 2009: Proceedings of the First international conference on COMmunication Systems And NETworks, pp. 356–365. IEEE Press, Piscataway (2009)Google Scholar
  9. 9.
    Holz, T., Steiner, M., Dahl, F., Biersack, E., Freiling, F.: Measurements and mitigation of peer-to-peer-based botnets: a case study on storm worm. In: LEET 2008: Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats, pp. 1–9. USENIX Association, Berkeley (2008)Google Scholar
  10. 10.
  11. 11.
    Jiang, X., Xu, D.: Profiling self-propagating worms via behavioral footprinting. In: WORM 2006: Proceedings of the 4th ACM workshop on Recurring malcode, pp. 17–24. ACM, New York (2006)Google Scholar
  12. 12.
    Kolbitsch, C., Comparetti, P.M., Kruegel, C., Kirda, E., Zhou, X., Wang, X.: Effective and efficient malware detection at the end host. In: 18th Usenix Security Symposium (2009)Google Scholar
  13. 13.
  14. 14.
    Moore, D., Shannon, C., Claffy, K.: Code-red: a case study on the spread and victims of an internet worm. In: IMW 2002: Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment, pp. 273–284. ACM, New York (2002)CrossRefGoogle Scholar
  15. 15.
    Morales, J.A., Al-Bataineh, A., Xu, S., Sandhu, R.: Analyzing dns activities of bot processes. In: MALWARE 2009: Proceedings of the 4th International Conference on Malicious and Unwanted Software, pp. 98–103 (2009)Google Scholar
  16. 16.
    Morales, J.A., Clarke, P.J., Deng, Y., Kibria, B.G.: Identification of file infecting viruses through detection of self-reference replication. Journal in Computer Virology Special EICAR conference invited paper issue (2008)Google Scholar
  17. 17.
    Moskovitch, R., Elovici, Y., Rokach, L.: Detection of unknown computer worms based on behavioral classification of the host. Comput. Stat. Data Anal. 52(9), 4544–4566 (2008)MathSciNetCrossRefzbMATHGoogle Scholar
  18. 18.
    Nazario, J., Holz, T.: As the net churns: Fast-flux botnet observations. In: 3rd International Conference on Malicious and Unwanted Software, MALWARE 2008, pp. 24–31 (2008)Google Scholar
  19. 19.
  20. 20.
  21. 21.
  22. 22.
    Rabek, J.C., Khazan, R.I., Lewandowski, S.M., Cunningham, R.K.: Detection of injected, dynamically generated, and obfuscated malicious code. In: WORM 2003: Proceedings of the 2003 ACM workshop on Rapid malcode, pp. 76–82. ACM Press, New York (2003)CrossRefGoogle Scholar
  23. 23.
    Stinson, E., Mitchell, J.C.: Characterizing bots’ remote control behavior. In: Hämmerli, B.M., Sommer, R. (eds.) DIMVA 2007. LNCS, vol. 4579, pp. 89–108. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  24. 24.
  25. 25.
  26. 26.
    Witten, I.H., Frank, E.: Data Mining: Practical machine learning tools and techniques, 2nd edn. Morgan Kaufmann, San Francisco (2005)zbMATHGoogle Scholar
  27. 27.
    Yin, H., Song, D., Egele, M., Kruegel, C., Kirda, E.: Panorama: capturing system-wide information flow for malware detection and analysis. In: CCS 2007: Proceedings of the 14th ACM conference on Computer and communications security, pp. 116–127. ACM, New York (2007)Google Scholar
  28. 28.
    Zhu, Z., Yegneswaran, V., Chen, Y.: Using failure information analysis to detect enterprise zombies. In: 5th International ICST Conference on Security and Privacy in Communication Networks, Securecomm 2009 (2009)Google Scholar

Copyright information

© ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering 2010

Authors and Affiliations

  • Jose Andre Morales
    • 1
  • Areej Al-Bataineh
    • 2
  • Shouhuai Xu
    • 1
    • 2
  • Ravi Sandhu
    • 1
  1. 1.Institute for Cyber SecurityUniversity of TexasSan AntonioUSA
  2. 2.Department of Computer ScienceUniversity of TexasSan AntonioUSA

Personalised recommendations