Hotspots: The Root Causes of Non-Uniformity in Self-Propagating Malware. DSN '06 Proceedings of the International Conference on Dependable Systems and Networks
Lessons learned from the deployment of a high-interaction honeypot. EDCC '06 Proceedings of the Sixth European Dependable Computing Conference
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Toward Automated Dynamic Malware Analysis Using CWSandbox. IEEE Security and Privacy
nicter: An Incident Analysis System Toward Binding Network Monitoring with Malware Analysis. WISTDCS '08 Proceedings of the 2008 WOMBAT Workshop on Information Security Threats Data Collection and Sharing
RAID'06 Proceedings of the 9th international conference on Recent Advances in Intrusion Detection
A malware collection and analysis framework based on darknet traffic. ICONIP'12 Proceedings of the 19th international conference on Neural Information Processing - Volume Part II
Collaborative behavior visualization and its detection by observing darknet traffic. CSS'12 Proceedings of the 4th international conference on Cyberspace Safety and Security
We have been developing the Network Incident analysis Center for Tactical Emergency Response (nicter), whose objective is to detect and identify propagating malware. The nicter mainly monitors a darknet, a set of unused IP addresses, to observe global trends in network threats, while it also captures and analyzes malware executables. By correlating the observed network threats with the results of malware analysis, the nicter identifies the root causes (the malware) of the detected network threats. Through long-term operation of the nicter for more than five years, we have obtained several key findings that help us understand the intentions of attackers and the comprehensive threat landscape of the Internet. Focusing on a well-known malware, i.e., W32.Downadup, this paper provides practical case studies with considerations, from which we obtain a threat landscape in which more than 60% of the attacking hosts observed in our darknet could be infected by W32.Downadup. As an evaluation, we confirmed that the result of the correlation analysis was correct at a rate of 86.18%.