Anteater: Malware Injection Detection with Program Network Traffic Behavior

2022 International Conference on Networking and Network Applications (NaNA) Pub Date : 2022-12-01 DOI:10.1109/NaNA56854.2022.00036

Zuobin Ying, Yangzong Zhang, Shengmin Xu, Guowen Xu, Wenjian Liu

{"title":"Anteater: Malware Injection Detection with Program Network Traffic Behavior","authors":"Zuobin Ying, Yangzong Zhang, Shengmin Xu, Guowen Xu, Wenjian Liu","doi":"10.1109/NaNA56854.2022.00036","DOIUrl":null,"url":null,"abstract":"Recent stealth attacks conceal malicious behavior behind seemingly normal connections to popular online services provided by seemingly harmless applications. These attacks are undetectable using traditional network monitoring and signature-based detection techniques. Because attackers frequently use well-known cloud vendors to conceal C&C servers, anomalous traffic appears to be normal. In this paper, we propose an application-level monitoring system named “Anteater”. Our “Anteater” generates a fine-grained profile of each benign software's network traffic behavior, describing the “expected” network traffic behavior. By analyzing the program's network traffic configuration, our “Anteater” can quickly determine the IP address of the program's abnormal access and intercept it in real-time. “Anteater” was implemented in a real-world enterprise dataset containing over 400 million real-world network traffic sessions. The evaluation results indicate that “Anteater” has a high detection rate for malware injection, with a true positive rate of 94.5% and a false positive rate of less than 0.1%.","PeriodicalId":113743,"journal":{"name":"2022 International Conference on Networking and Network Applications (NaNA)","volume":"91 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2022-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2022 International Conference on Networking and Network Applications (NaNA)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/NaNA56854.2022.00036","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 0

Abstract

Recent stealth attacks conceal malicious behavior behind seemingly normal connections to popular online services provided by seemingly harmless applications. These attacks are undetectable using traditional network monitoring and signature-based detection techniques. Because attackers frequently use well-known cloud vendors to conceal C&C servers, anomalous traffic appears to be normal. In this paper, we propose an application-level monitoring system named “Anteater”. Our “Anteater” generates a fine-grained profile of each benign software's network traffic behavior, describing the “expected” network traffic behavior. By analyzing the program's network traffic configuration, our “Anteater” can quickly determine the IP address of the program's abnormal access and intercept it in real-time. “Anteater” was implemented in a real-world enterprise dataset containing over 400 million real-world network traffic sessions. The evaluation results indicate that “Anteater” has a high detection rate for malware injection, with a true positive rate of 94.5% and a false positive rate of less than 0.1%.

查看原文本刊更多论文

食蚁兽:恶意软件注入检测与程序网络流量行为

最近的隐形攻击将恶意行为隐藏在看似正常的连接背后，这些连接是由看似无害的应用程序提供的流行在线服务。使用传统的网络监控和基于签名的检测技术无法检测到这些攻击。由于攻击者经常使用知名云供应商来隐藏C&C服务器，因此异常流量似乎是正常的。本文提出了一种应用级监控系统“食蚁兽”。我们的“食蚁兽”生成每个良性软件的网络流量行为的细粒度配置文件，描述“预期”的网络流量行为。通过分析程序的网络流量配置，我们的“食蚁兽”可以快速确定程序异常访问的IP地址并实时拦截。“食蚁兽”是在一个真实世界的企业数据集中实现的，其中包含超过4亿个真实世界的网络流量会话。评价结果表明，“食蚁兽”具有较高的恶意软件注入检测率，其真阳性率为94.5%，假阳性率小于0.1%。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2022 International Conference on Networking and Network Applications (NaNA)

自引率

0.00%

发文量