Original author: Chaz lever etc

Original title: a lustrum of malware network communication: evolution and insights

Original conference: 37th IEEE Symposium on security and privacy, may 23-25, 2017, San Jose, USA

Translated by: {HP, rupierlua, woody, Xhj} @ arkteam

——This article is the only long article of malware on S & P'17, translated by arker.

Security researchers in industry and academia have been using sandbox to analyze malware dynamically for about 10 years. Researchers from Georgia Institute of technology and European Telecommunication Institute analyzed the network communication data of 26.8 million malware samples collected in the past five years, and concluded as follows:

(1) Based on the dynamic analysis of network tracing, we need to elaborate analysis methods to eliminate the noise data in the network communication data as much as possible.

(2) There are more and more malicious attackers using potential unwanted programs, which depend on stable DNS and IP infrastructure. This requires security researchers to propose better protection measures against such threats.

(3) For the vast majority of malware samples, there are already signs of malicious samples in the network traffic in the weeks or even months before they are found. Therefore, for the defenders, we should extract the malicious software IOC (indicators of complexity) information contained in the network traffic based on the automatic analysis rather than build the malicious software detection system.

Download full text:

Malware network communication: evolution and insight