Network traffic analysis should be used more in the fight against malware. That’s because pointers show up on the network “weeks and even months” in advance of new malicious software being uncovered, scientists from the Georgia Institute of Technology explain in an article on the school’s website.
The researchers, who have been studying historical network traffic patterns, say that modern malware tracking should take advantage of the barometers the network itself supplies, rather than focusing solely on identifying malware code already present on networks and machines. By analyzing the suspicious network traffic that attackers generate over time, which is already available to them, administrators will be able to pounce and render malware harmless before it can do damage.
“You know you are sick when you have a fever, before you know exactly what’s causing it,” says Manos Antonakakis, an assistant professor in the School of Electrical and Computer Engineering at Georgia Tech. “The first thing the adversary does is set up a presence on the internet, and that first signal can indicate an infection.”
For example, registering domains is something hackers do and consequently can be tracked.
So, by acting on that first sign of a potential infection—a dodgy domain registration, for example—and before malware samples become available, developing infections can be thwarted, the scientists claim. Malware code samples are used to build out traditional protection, such as heuristics.
Antonakakis and the team studied over 5 billion network events over five years at one ISP and say they found some networks “more prone to abuse.” Those include free domain registration services that let hackers rapidly add domains. The researchers also studied the DNS requests made by 27 million malware samples and looked for re-registrations of expired domains, which they say are a giveaway.
Malware clues are there
By studying known malware traffic seen historically by ISPs, the researchers say malware clues are present in the data for a significant period before the actual attack takes place. In one analysis, for example, they found that over 300,000 malware domains were “active for at least two weeks before the corresponding malware samples were identified and analyzed.”
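A small detection pass over a resolver query log, written as an added example rather than code from the Georgia Tech study: it applies two of the signals described above (a domain registered within the past two weeks, and a previously expired domain that has been re-registered) and also surfaces queries to domains with no registration record at all, the “unknowns” the researchers advise administrators to classify. The domain names, registration dates and log lines are constructed for the example, and the registration table stands in for whatever WHOIS or passive-DNS source a real deployment would consult.

```python
from datetime import date

# Constructed registration history per domain, as (registered, expired) periods;
# expiry None means the registration is still current. Not real WHOIS data.
REGISTRATIONS = {
    "update-cdn.example": [(date(2017, 3, 1), None)],
    "oldblog.example": [(date(2010, 1, 5), date(2016, 11, 30)),
                        (date(2017, 2, 20), None)],
    "corp-mail.example": [(date(2009, 6, 14), None)],
}
# Constructed resolver log, one query per line: "<date> <client> <qname>".
QUERY_LOG = """\
2017-03-04 10.0.0.12 update-cdn.example
2017-03-04 10.0.0.12 corp-mail.example
2017-03-05 10.0.0.33 oldblog.example
2017-03-05 10.0.0.33 unknown.example
"""
NEW_DOMAIN_DAYS = 14  # the study's "active for at least two weeks" window

def classify(domain, when):
    """Return the reasons a query to `domain` on date `when` deserves attention."""
    periods = REGISTRATIONS.get(domain, [])
    current = next(((s, e) for s, e in periods
                    if s <= when and (e is None or when <= e)), None)
    if current is None:
        return ["unknown-or-unregistered"]  # an "unknown" the admin should classify
    reasons = []
    if (when - current[0]).days <= NEW_DOMAIN_DAYS:
        reasons.append("newly-registered")
    # an earlier registration that lapsed before the current one began
    if any(e is not None and e < current[0] for _, e in periods):
        reasons.append("re-registered-expired-domain")
    return reasons

def scan_log(log):
    """Map (date, client, qname) -> reasons for every flagged query in the log text."""
    flagged = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        day, client, qname = line.split()
        reasons = classify(qname, date.fromisoformat(day))
        if reasons:
            flagged[(day, client, qname)] = reasons
    return flagged

if __name__ == "__main__":
    for (day, client, qname), reasons in scan_log(QUERY_LOG).items():
        print(day, client, qname, ",".join(reasons))
```

Flagged queries are leads for an analyst, not verdicts; the long-established domain in the sample log produces no flag, which is the baseline the study compares against.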
Their method is to separate suspicious network traffic from benign traffic and then use that analysis to spot trouble. That is unlike how traditional fortification works, which usually relies on finding the malware code or on its behavior, often too late.
By providing network administrators with behavioral symptoms of abnormal, suspicious activity on the network—such as the aforementioned malware launch websites being set up, and already-installed malware reporting its preparatory work back to its sender—and comparing that to normal activity, network specialists will be able to spot possible new infiltrations before the actual attack. That should give security experts more time to investigate and kill the infection, the researchers say.
Uncovering early indicators of an attack being planned is how defense mechanisms should be constructed in the future, and the work should be malware-independent, they say.
Network traffic is “where this battle should be fought,” Antonakakis says. In other words, hunt for traffic anomalies and you’ll find the bad actor.
For now, the researchers advise, “Network administrators should minimize the unknowns in their networks and classify their appropriate communications as much as possible so they can see the bad activity when it happens.”
This article is published as part of the IDG Contributor Network.