Ph.D. Proposal by Terry Nelms


Event Details
  • Date/Time:
    • Thursday December 11, 2014 - Friday December 12, 2014
      1:00 pm - 2:59 pm
  • Location: Klaus 3126 (GTISC war room)
Summaries

Summary Sentence: Detection and Annotation of Malware Downloads and Infections Through Deep Packet Inspection

Full Summary: No summary paragraph submitted.

Title: Detection and Annotation of Malware Downloads and Infections Through Deep Packet Inspection

Terry Nelms
School of Computer Science
College of Computing
Georgia Institute of Technology

Date: Thursday, December 11, 2014
Time: 2:00 PM - 4:00 PM EST
Location: Klaus 3126 (GTISC war room)

Committee:
----------

Dr. Mustaque Ahamad (Advisor, School of Computer Science, Georgia Tech)
Dr. Roberto Perdisci (Co-Advisor, Dept. of Computer Science, University of Georgia and School of Computer Science, Georgia Tech)
Dr. Wenke Lee (School of Computer Science, Georgia Tech)
Dr. Manos Antonakakis (School of Electrical and Computer Engineering, Georgia Tech)
Dr. JR Rao (External, Director, Security Research, IBM Research)

Abstract:
----------

Malware continues to be a significant threat to Internet security despite all the resources allocated to combat it.  It is a critical component in many of the most costly attacks on organizations, such as information stealing and extortion (ransomware).  The majority of modern malware infections occur through the browser.  The infection starts with a malware download that is the result of a social engineering or drive-by attack.  After execution, the malware communicates over the network with a command and control (C&C) server in order to monetize the infection (e.g., by stealing information).

Our research focus is on network behavioral approaches for detecting and annotating malware downloads and their execution using deep packet inspection (DPI).  Modern detection systems target the exploit and the executable, but provide little context as to how and why the user downloaded the malware.  To answer these questions, we demonstrate how to reconstruct the download path by automatically tracing back and annotating the sequence of events (e.g., visited web pages) preceding a malware download, highlighting how users reach attack pages on the web.  The difficulty of the trace-back is due to the complexity of today's browsers and the way they generate HTTP requests from JavaScript and plug-ins.  We show how the annotated download paths can be leveraged to better understand current attack trends and to develop more effective defenses.
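As an added illustration of the trace-back idea (this is not code from the proposal or from the announcement), the following Python sketch walks backwards from an executable download through a constructed sequence of HTTP requests. Each hop is linked by the Referer header where one exists; where the browser omitted it (a script- or plug-in-generated request), the sketch falls back to the most recent HTML page the same client fetched within a short time window and labels that hop accordingly. The record format, the time window and the fallback heuristic are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class HttpRecord:
    ts: float               # seconds; constructed monotonic timestamps
    client: str             # requesting host
    url: str                # full request URL
    referer: Optional[str]  # Referer header, or None when the browser omitted it
    content_type: str       # Content-Type of the response

# Constructed sample of one client's browsing session that ends in an executable download.
RECORDS: List[HttpRecord] = [
    HttpRecord(100.0, "10.0.0.5", "http://search.example/?q=free+codec", None, "text/html"),
    HttpRecord(103.0, "10.0.0.5", "http://blog.example/post/42", "http://search.example/?q=free+codec", "text/html"),
    HttpRecord(103.4, "10.0.0.5", "http://cdn.example/jquery.js", "http://blog.example/post/42", "application/javascript"),
    HttpRecord(104.1, "10.0.0.5", "http://ads.example/banner", "http://blog.example/post/42", "text/html"),
    # script-driven navigation: the next request carries no Referer header
    HttpRecord(104.6, "10.0.0.5", "http://landing.example/promo", None, "text/html"),
    HttpRecord(105.2, "10.0.0.5", "http://dl.example/codec_update.exe", "http://landing.example/promo", "application/x-msdownload"),
]

# Response types treated as executable downloads (assumed list for the example).
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-dosexec", "application/octet-stream"}

def find_downloads(records: List[HttpRecord]) -> List[HttpRecord]:
    """Return the requests whose response looks like an executable."""
    return [r for r in records if r.content_type in EXECUTABLE_TYPES]

def predecessor(records: List[HttpRecord], cur: HttpRecord, window: float) -> Tuple[Optional[HttpRecord], str]:
    """Find the request that most plausibly led to `cur`, and say how it was linked."""
    if cur.referer:
        # Strongest evidence: an earlier request by the same client whose URL is the Referer.
        cands = [r for r in records if r.client == cur.client and r.url == cur.referer and r.ts < cur.ts]
        if cands:
            return max(cands, key=lambda r: r.ts), "referer"
    # No usable Referer (JavaScript / plug-in generated request): fall back to the most recent
    # HTML page this client loaded shortly before.  This is a heuristic, hence the explicit label.
    cands = [r for r in records
             if r.client == cur.client and r.content_type.startswith("text/html")
             and cur.ts - window <= r.ts < cur.ts]
    if cands:
        return max(cands, key=lambda r: r.ts), "temporal-fallback"
    return None, "origin"

def trace_back(records: List[HttpRecord], download: HttpRecord,
               window: float = 5.0, max_hops: int = 20) -> List[Tuple[str, str]]:
    """Reconstruct the download path as (url, how-this-hop-was-linked) pairs, earliest first."""
    chain: List[Tuple[str, str]] = []
    cur = download
    for _ in range(max_hops):
        prev, how = predecessor(records, cur, window)
        chain.append((cur.url, how))
        if prev is None:
            break
        cur = prev
    chain.reverse()
    return chain

def annotate_download_paths(records: List[HttpRecord]) -> Dict[str, List[Tuple[str, str]]]:
    """Map every executable download URL to its reconstructed, annotated path."""
    return {d.url: trace_back(records, d) for d in find_downloads(records)}

if __name__ == "__main__":
    for url, path in annotate_download_paths(RECORDS).items():
        print("download:", url)
        for hop_url, how in path:
            print(f"  [{how:17}] {hop_url}")
```

The "temporal-fallback" label is what makes the path useful to an analyst: it marks exactly the hop where the browser's own evidence ran out and the reconstruction relied on timing, which is where a review should concentrate.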

Successful attacks result in infection through the execution of the downloaded malware.  Detecting the infection on the network can be difficult because the domains and IP addresses used by malware change often in order to stay ahead of blacklists.  However, the structure of the communication (i.e., language) between the malware and the C&C server remains constant for longer periods of time because it is more difficult to change.  Leveraging this fact, we describe the concepts necessary for learning malware languages to detect and annotate infected hosts.
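To make the "language stays constant while domains change" observation concrete, here is an added Python sketch (not code from the proposal) that learns a structural template of a C&C request from a few known samples and then matches later requests against it regardless of the host they go to. The template keeps the HTTP method, the URL path shape and the parameter names with the *class* of each value (fixed-length hex, integer, version string, word) rather than the values themselves. The sample requests, hostnames and value classes are constructed for the example.

```python
import re
from typing import List, Set, Tuple
from urllib.parse import parse_qsl, urlsplit

# A structure is (method, path shape, ((param name, value class), ...)).
Structure = Tuple[str, str, Tuple[Tuple[str, str], ...]]

def value_class(v: str) -> str:
    """Abstract a parameter value into a class so the template survives changing identifiers."""
    if v.isdigit():
        return "int"
    if re.fullmatch(r"\d+(\.\d+)+", v):
        return "version"
    if re.fullmatch(r"[0-9a-f]{8,}", v):
        return f"hex{len(v)}"          # fixed-length hex token, e.g. a bot id
    if re.fullmatch(r"[A-Za-z0-9]+", v):
        return "word"
    return "other"

def structure(method: str, url: str) -> Structure:
    """Reduce a request to its structural shape; the host is deliberately discarded."""
    parts = urlsplit(url)
    segs = [s for s in parts.path.split("/") if s]
    path_shape = "/" + "/".join("<int>" if s.isdigit() else s for s in segs)
    params = tuple((k, value_class(v)) for k, v in parse_qsl(parts.query, keep_blank_values=True))
    return (method.upper(), path_shape, params)

def learn_templates(samples: List[Tuple[str, str]]) -> Set[Structure]:
    """Learn the set of request structures used by a known family."""
    return {structure(m, u) for m, u in samples}

def detect(templates: Set[Structure], requests: List[Tuple[str, str]]) -> List[Tuple[str, bool]]:
    """Annotate each observed request with its host and whether it matches a learned template."""
    return [(urlsplit(u).hostname or "", structure(m, u) in templates) for m, u in requests]

# Constructed training samples from a known infection talking to its first C&C domain.
BOT_ID_A = "0123456789abcdef0123456789abcdef"
BOT_ID_B = "fedcba9876543210fedcba9876543210"
KNOWN_CNC = [
    ("GET",  f"http://a.example/gate.php?id={BOT_ID_A}&ver=3.1&os=win7"),
    ("GET",  f"http://a.example/gate.php?id={BOT_ID_B}&ver=3.1&os=win8"),
    ("POST", f"http://a.example/upload.php?id={BOT_ID_A}"),
]

# Constructed later traffic: the family has moved to new domains, mixed with benign requests.
OBSERVED = [
    ("GET",  f"http://b.example/gate.php?id={BOT_ID_B}&ver=3.2&os=win7"),   # same language, new host
    ("GET",  "http://shop.example/gate.php?id=17&ver=3.1"),                  # similar path, different grammar
    ("GET",  "http://news.example/index.php?id=42"),                          # ordinary web request
    ("POST", f"http://c.example/upload.php?id={BOT_ID_A}"),                 # same language, new host
]

if __name__ == "__main__":
    templates = learn_templates(KNOWN_CNC)
    for host, hit in detect(templates, OBSERVED):
        print(f"{'C&C' if hit else '   '}  {host}")
```

Because the host never enters the structure, a domain or IP rotation does not invalidate the template; an operator would have to change the request grammar itself, which is the more expensive change the abstract refers to.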

Additional Information

In Campus Calendar
No
Groups

Graduate Studies

Invited Audience
Public
Categories
Other/Miscellaneous
Keywords
graduate students, Phd proposal
Status
  • Created By: Danielle Ramirez
  • Workflow Status: Published
  • Created On: Dec 5, 2014 - 5:10am
  • Last Updated: Oct 7, 2016 - 10:10pm