Generation of specifications for malware network protocols (2014-2017)
Detecting malware communication from vantage points within the network is difficult for several reasons. The rate at which new malware families are released makes it infeasible for analysts to gain a deep understanding of how each one communicates; furthermore, modern malware actively tries to evade detection by using custom communication protocols that are often encrypted. In this project, we proposed a novel protocol inference algorithm that automatically generates a formal specification of the application-level protocol used by a malware family, together with detection procedures that can identify the protocol within network traffic. The algorithm runs in an automated fashion, requiring only the malware’s binary and samples of its network communication, and can circumvent the malware’s use of encryption. If you are interested in this work, check out our INFOCOM 2017 and MALCON 2017 papers.