Identifying Malware Using Cross-Evidence Correlation

  • Anders Flaglien
  • Katrin Franke
  • Andre Arnes
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 361)


This paper proposes a new correlation method for the automatic identification of malware traces across multiple computers. The method supports forensic investigations by efficiently identifying patterns in large, complex datasets using link mining techniques. Digital forensic processes are followed to ensure evidence integrity and chain of custody.
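The abstract describes correlating malware traces across several computers by linking evidence items that share features, and discarding commonplace items so that only cross-host patterns remain. The following is an added illustration, not the authors' code or the method evaluated in the paper: it builds the simplest form of such a link graph from constructed file records (host, path, content hash, size), drops hashes found in a known-good reference set (a stand-in for a library such as the NSRL), and reports hashes that appear on several hosts under differing paths, together with the resulting host-to-host link weights. All hosts, paths and hash values are constructed sample data, not indicators from the paper.

```python
"""Cross-computer evidence correlation via link mining (added example).

Toy model: a file record links two hosts when both carry the same content
hash. Hashes in a known-good reference set are discarded first, so files
that every Windows host carries do not create links; what remains are
candidate malware traces that recur across hosts regardless of path.
"""
from collections import defaultdict
from itertools import combinations

# Constructed sample evidence: (host, path, content hash, size). Hash values
# are placeholders, not real digests or indicators of compromise.
EVIDENCE = [
    ("host-a", "C:/Windows/System32/kernel32.dll", "h_kernel32", 1200000),
    ("host-a", "C:/Users/u/AppData/Roaming/svc.exe", "h_bot", 48000),
    ("host-a", "C:/Users/u/Documents/notes.txt", "h_notes_a", 512),
    ("host-b", "C:/Windows/System32/kernel32.dll", "h_kernel32", 1200000),
    ("host-b", "C:/ProgramData/update/svchost.exe", "h_bot", 48000),
    ("host-b", "C:/Users/v/report.docx", "h_report_b", 20480),
    ("host-c", "C:/Windows/System32/kernel32.dll", "h_kernel32", 1200000),
    ("host-c", "C:/Temp/x.exe", "h_bot", 48000),
    ("host-c", "C:/Users/w/photo.jpg", "h_photo", 300000),
    ("host-d", "C:/Windows/System32/kernel32.dll", "h_kernel32", 1200000),
]

# Constructed stand-in for a known-good hash set (e.g. an NSRL-style library).
KNOWN_GOOD = {"h_kernel32"}


def build_links(evidence, known_good):
    """Map each non-whitelisted hash to the hosts carrying it and to the
    distinct paths it was observed under. Two hosts are implicitly linked
    whenever they share a hash."""
    hosts_by_hash = defaultdict(set)
    paths_by_hash = defaultdict(set)
    for host, path, digest, _size in evidence:
        if digest in known_good:
            continue  # commonplace file: contributes no link
        hosts_by_hash[digest].add(host)
        paths_by_hash[digest].add(path)
    return hosts_by_hash, paths_by_hash


def correlate(evidence, known_good, min_hosts=2):
    """Return candidate traces: hashes seen on at least min_hosts hosts,
    most widespread first, with the paths they were found under."""
    hosts_by_hash, paths_by_hash = build_links(evidence, known_good)
    candidates = []
    for digest, hosts in hosts_by_hash.items():
        if len(hosts) >= min_hosts:
            candidates.append({
                "hash": digest,
                "hosts": sorted(hosts),
                "paths": sorted(paths_by_hash[digest]),
            })
    candidates.sort(key=lambda c: (-len(c["hosts"]), c["hash"]))
    return candidates


def host_links(evidence, known_good):
    """Host-to-host link weights: number of shared non-whitelisted hashes."""
    hosts_by_hash, _ = build_links(evidence, known_good)
    weights = defaultdict(int)
    for hosts in hosts_by_hash.values():
        for a, b in combinations(sorted(hosts), 2):
            weights[(a, b)] += 1
    return dict(weights)


if __name__ == "__main__":
    for cand in correlate(EVIDENCE, KNOWN_GOOD):
        print(cand["hash"], cand["hosts"], cand["paths"])
    print(host_links(EVIDENCE, KNOWN_GOOD))
```

In the constructed data the same binary sits under three unrelated paths on three hosts, so path-based comparison would miss it while the hash link exposes it; without the known-good filter, the shared system DLL would dominate the link graph, which is why whitelisting precedes correlation.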


Keywords: Botnets, malware detection, link mining, evidence correlation



Copyright information

© IFIP International Federation for Information Processing 2011

Authors and Affiliations

  • Anders Flaglien (1)
  • Katrin Franke (2)
  • Andre Arnes (3, 2)

  1. Accenture, Oslo, Norway
  2. Norwegian Information Security Laboratory, Gjovik University College, Gjovik, Norway
  3. Enterprise Security and Connectivity, Telenor Key Partner, Oslo, Norway
