Soshi Hirono, Yukiko Yamaguchi, Hajime Shimada, H. Takakura
Venue: 2014 IEEE 38th Annual Computer Software and Applications Conference
Published: 2014-07-21
DOI: 10.1109/COMPSAC.2014.41 (https://doi.org/10.1109/COMPSAC.2014.41)
Development of a Secure Traffic Analysis System to Trace Malicious Activities on Internal Networks
In contrast to conventional cyber attacks such as mass-infection malware, targeted attacks take a long time to complete their mission. By using dedicated malware to evade detection during the initial attack, an attacker quietly succeeds in setting up a front-line base inside the target organization. Communication between the attacker and the base uses popular protocols to hide its existence. Because conventional countermeasures deployed on the boundary between the Internet and the internal network will not work adequately, monitoring of the internal network becomes indispensable. In this paper, we propose an integrated sandbox system that deploys a secure and transparent proxy to analyze internal malicious network traffic. The adoption of software-defined networking technology makes it possible to redirect any internal traffic from or to a suspicious host to the system for an examination of its insidiousness. When our system finds malicious activity, the traffic is blocked. If the malicious traffic is regarded as mandatory, e.g., for controlled delivery, the system works as a transparent proxy and lets it through. For benign traffic, the system works as a transparent proxy as well. If binary programs are found in the traffic, they are automatically extracted and submitted to a malware analysis module of the sandbox. In this way, we can safely identify the intention of the attackers without making them aware of our surveillance.