Philipp Trinius
University of Mannheim
Publication
Featured research published by Philipp Trinius.
Journal of Computer Security | 2011
Konrad Rieck; Philipp Trinius; Carsten Willems; Thorsten Holz
Malicious software - so called malware - poses a major threat to the security of computer systems. The amount and diversity of its variants render classic security defenses ineffective, such that millions of hosts in the Internet are infected with malware in the form of computer viruses, Internet worms and Trojan horses. While obfuscation and polymorphism employed by malware largely impede detection at file level, the dynamic analysis of malware binaries during run-time provides an instrument for characterizing and defending against the threat of malicious software. In this article, we propose a framework for the automatic analysis of malware behavior using machine learning. The framework allows for automatically identifying novel classes of malware with similar behavior (clustering) and assigning unknown malware to these discovered classes (classification). Based on both clustering and classification, we propose an incremental approach for behavior-based analysis, capable of processing the behavior of thousands of malware binaries on a daily basis. The incremental analysis significantly reduces the run-time overhead of current analysis methods, while providing accurate discovery and discrimination of novel malware variants.
Visualization for Computer Security | 2009
Philipp Trinius; Thorsten Holz; Jan Göbel; Felix C. Freiling
We study techniques to visualize the behavior of malicious software (malware). Our aim is to help human analysts to quickly assess and classify the nature of a new malware sample. Our techniques are based on a parametrized abstraction of detailed behavioral reports automatically generated by sandbox environments. We then explore two visualization techniques: treemaps and thread graphs. We argue that both techniques can effectively support a human analyst (a) in detecting maliciousness of software, and (b) in classifying malicious behavior.
Archive | 2010
Markus Engelberth; Felix C. Freiling; Jan Göbel; Christian Gorecki; Thorsten Holz; Ralf Hund; Philipp Trinius; Carsten Willems
The Internet Malware Analysis System (InMAS) is a modular platform for distributed, large-scale monitoring of malware on the Internet. InMAS integrates diverse tools for malware collection (using honeypots) and malware analysis (mainly using dynamic analysis). All collected information is aggregated and accessible through an intuitive and easy-to-use web interface. In this paper, we provide an overview of the structure of InMAS and the various tools it integrates. We also introduce the web frontend that displays all information on different levels of abstraction, from a coarse-grained overview down to highly detailed information on demand.
International Conference on Detection of Intrusions and Malware and Vulnerability Assessment | 2009
Jan Göbel; Thorsten Holz; Philipp Trinius
With increasing security measures in network services, remote exploitation is getting harder. As a result, attackers concentrate on more reliable attack vectors like email: victims are infected using either malicious attachments or links leading to malicious websites. Therefore efficient filtering and blocking methods for spam messages are needed. Unfortunately, most spam filtering solutions proposed so far are reactive: they require a large amount of both ham and spam messages to efficiently generate rules to differentiate between both. In this paper, we introduce a more proactive approach that allows us to directly collect spam messages by interacting with the spam botnet controllers. We are able to observe current spam runs and obtain a copy of the latest spam messages in a fast and efficient way. Based on the collected information we are able to generate templates that represent a concise summary of a spam run. The collected data can then be used to improve current spam filtering techniques and develop new avenues to efficiently filter mails.
2009 20th International Workshop on Database and Expert Systems Application | 2009
Markus Engelberth; Jan Göbel; Christian Gorecki; Philipp Trinius
Many different methods to mitigate spam on the Internet have been proposed. However, the most promising ones require fundamental changes to the mail protocol itself. Other methods are based on filtering, but still require the end-user to verify the results. We propose a different approach that requires email senders to traverse a kind of handshake before sending an initial email to a new contact. Our method, called Mail-Shake, is based on two facts. First, spammers need valid email addresses to deliver their spam to. Second, spammers do not require real inboxes for their sender addresses, as replies are not expected. This allows complete automation of the spamming process, sending email at almost no cost. If we can decrease the number of valid email addresses a spammer can collect and increase the cost of sending email, spamming becomes uninteresting as the effort is too high in contrast to the win.
Datenschutz und Datensicherheit - DuD | 2011
Markus Engelberth; Felix C. Freiling; Jan Göbel; Christian Gorecki; Thorsten Holz; Ralf Hund; Philipp Trinius; Carsten Willems
Abstract: The goal of an early-warning system consists essentially of the early detection and assessment of threats from the Internet. An important aspect of this is the observation and tracking of malicious software. With the Internet-Malware-Analyse-System (InMAS), developed at the University of Mannheim between 2007 and 2009, malware can be detected and analyzed automatically. The information obtained in this way provides a situational picture of the current threat level of the observed Internet infrastructure and can make an important contribution to a national early-warning system. The project was funded by the Bundesamt für Sicherheit in der Informationstechnik (BSI).
Sicherheit | 2009
Philipp Trinius; Carsten Willems; Thorsten Holz; Konrad Rieck
Archive | 2009
Jan Göbel; Thorsten Holz; Philipp Trinius
Sicherheit | 2010
Jan Göbel; Philipp Trinius
Sicherheit | 2012
Philipp Trinius; Felix C. Freiling