
Research On Collaborative Identification And Signature Generation Of Network Malware

Posted on: 2014-07-09
Degree: Doctor
Type: Dissertation
Country: China
Candidate: H B Lu
GTID: 1228330479479605
Subject: Computer Science and Technology

Abstract/Summary:
Malware is the cause of most Internet problems and the carrier and execution body of various malicious activities. Network malware is particularly serious because of its aggregate effect. Network malware is malware that is organized and controlled mainly via the network: a group of malware instances exchange information with each other, receive commands from their owner over the network, and coordinate to complete a common attack mission. We call such a group a malware community, and the malware within it network malware. On top of the attributes of ordinary malware, network malware has the additional attributes of network communication, organization and community. Identifying network malware, and suppressing its continued attacks by generating signatures from identified samples, has become a key research topic.

However, defending against network malware is becoming more and more difficult for the following reasons. First, the number of new malware samples is huge and growing at an exponential pace. Second, malware authors use various sophisticated techniques to evade detection, e.g. payload encryption, multiple attack vectors and polymorphism, and especially code obfuscation. Third, the samples of a malware community are usually spread widely over the whole Internet, so it is almost impossible for a single network area to see enough samples. Existing systems for malware identification and signature generation are either centralized systems, which induce processing and communication bottlenecks or have low identification accuracy, or distributed systems that are only applicable to simple malware or to malware at a specific stage.
Therefore, in this thesis we design a distributed and collaborative defense system against sophisticated malware, namely network malware. A collaborative defense system for network malware has four parts: signature representation, an information-sharing structure between distributed engine nodes, a collaborative network-malware identification model, and collaborative network-malware signature generation. In this thesis we performed an in-depth study of these four parts on the basis of a comprehensive survey of present research on malware defense. The major contributions are as follows.

1. An anti-obfuscation, lightweight malware behavioral signature model, RRMBR, based on constraints on operations at resource granularity. Since malware detection using behavior graphs is NP-complete, we propose the lightweight malware behavioral signature model RRMBR (Resource-level operations Restriction based Malware Behavioral signature pResentation), which constrains operations at resource granularity and classifies malware behaviors into two kinds: intra-resource operations and constraints on inter-resource operations. Intra-resource operations assemble the syscalls that operate on the same handle. A constraint on inter-resource operations describes the ordering of key operations on different handles. Compared with the behavior graph, RRMBR degrades detection performance only slightly, but it has absolute advantages in complexity and matching time. Therefore we can generate RRMBR signatures and use them to detect malware online.

2. An effective DHT rendezvous-based infrastructure for computing and sharing global statistics, RENShare. We design the RENdezvous-based Sharing infrastructure (RENShare) so that distributed engine nodes can efficiently aggregate the global characteristics of RRMBR behaviors and collaboratively identify malicious program communities accurately. Built on a DHT overlay, RENShare collects and distributes behavior characteristics in a scalable and balanced way.
Compared with a sharing method based on ALM (Application Layer Multicast), RENShare has the following advantages: 1) low communication overhead; 2) good privacy protection, because each node in RENShare can only see the information it is in charge of.

3. A host- and network-cooperated, anti-obfuscation, scalable and collaborative malware identification system, ENDMal, which can identify various unknown and complex malware communities. With code obfuscation and other complex techniques, a malware community is complicated. However, malware communities have the following intrinsic characteristics: 1) members are automatic programs that require no human-driven activity, and they use network interaction to perpetrate their malicious activities or to receive control from the attacker; 2) members behave similarly and perform homologous functions, so they share common syscalls with common handle dependencies and ordering dependencies; and 3) the end hosts infected by a community are usually widely spread, so the dispersion of infected end hosts is large. ENDMal uses the information-sharing infrastructure RENShare to aggregate, across engine nodes, the global characteristics of the communities that programs belong to. It then identifies malware communities from these global characteristics according to the three intrinsic characteristics.

4. Collaborative generation of malware behavior signatures based on global convergence. Each engine node first clusters the identified malware samples according to the intrinsic behaviors of the malware community and generates a local RRMBR signature for each cluster. It then shares the behaviors in its local RRMBR signatures with other engine nodes through RENShare to obtain the similarity between local RRMBR signatures on different nodes.
Treat each local RRMBR signature as a vertex and the reciprocal of the similarity between two local RRMBR signatures as the weight of the edge between them; the system then becomes a connected undirected graph. A distributed spanning-tree algorithm generates a set of spanning trees in the system, with each malware community corresponding to one spanning tree. All the local RRMBR signatures of a malware community converge along its spanning tree, and at the root of the tree an accurate global behavior signature is finally generated.
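The split between intra-resource operations and inter-resource ordering constraints in contribution 1 can be made concrete with a toy matcher. The code below is an added illustration and not the dissertation's RRMBR implementation; the signature layout, the trace format of (syscall name, handle id) pairs, and the two sample traces are all assumptions constructed for the example.

```python
# Added toy RRMBR-style matcher (not the dissertation's code). Signature = intra-resource
# ops (syscalls in order on one handle role) + inter-resource ordering constraints.
# Trace format (assumed): list of (syscall_name, handle_id) in execution order.
SIG = {
    "intra": {"net": ["connect", "recv"],
              "file": ["CreateFile", "WriteFile", "CloseHandle"]},
    "inter": [(("net", "recv"), ("file", "WriteFile"))],  # recv before WriteFile
}
def group_by_handle(trace):
    """Intra-resource view: map each handle to its (trace_index, syscall) list."""
    per_handle = {}
    for idx, (name, handle) in enumerate(trace):
        per_handle.setdefault(handle, []).append((idx, name))
    return per_handle

def subseq_positions(pattern, ops):
    """Trace index per pattern op if `pattern` (distinct names) is a subsequence of ops, else None."""
    pos, it = {}, iter(ops)
    for want in pattern:
        for idx, name in it:
            if name == want:
                pos[want] = idx
                break
        else:
            return None
    return pos

def match(sig, trace):
    """Bind each role to a distinct handle carrying its intra-resource sequence (backtracking
    over handle choices), then check inter-resource ordering. Returns role->handle or None."""
    per_handle = group_by_handle(trace)
    roles = list(sig["intra"])
    def search(i, used, bound):
        if i == len(roles):
            ordered = all(bound[ra][1][oa] < bound[rb][1][ob]
                          for (ra, oa), (rb, ob) in sig["inter"])
            return {r: h for r, (h, _) in bound.items()} if ordered else None
        for handle, ops in per_handle.items():
            pos = None if handle in used else subseq_positions(sig["intra"][roles[i]], ops)
            if pos is not None:
                hit = search(i + 1, used | {handle}, {**bound, roles[i]: (handle, pos)})
                if hit:
                    return hit
        return None
    return search(0, frozenset(), {})

# Constructed traces: LOGGER has the same syscalls but writes before receiving, so no hit.
DOWNLOADER = [("connect", 7), ("CreateFile", 12), ("recv", 7), ("WriteFile", 12),
              ("RegQueryValue", 3), ("CloseHandle", 12)]
LOGGER = [("CreateFile", 5), ("WriteFile", 5), ("CloseHandle", 5), ("connect", 9), ("recv", 9)]
```

Grouping by handle makes the per-resource sequences cheap to check, while the single ordering constraint is what separates the two traces, which contain exactly the same syscalls.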
Keywords/Search Tags: DDoS, multi-stage detection, collaborative detection, BitHash, uneven rate limiting