ACM Transactions on Computer Systems (TOCS)
Scalability, fidelity, and containment in the potemkin virtual honeyfarm
Proceedings of the twentieth ACM symposium on Operating systems principles
Collapsar: a VM-based architecture for network attack detention center
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Toward Automated Dynamic Malware Analysis Using CWSandbox
IEEE Security and Privacy
Bro: a system for detecting network intruders in real-time
SSYM'98 Proceedings of the 7th conference on USENIX Security Symposium - Volume 7
HotBots'07 Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets
OpenFlow: enabling innovation in campus networks
ACM SIGCOMM Computer Communication Review
LEET'08 Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats
Spamalytics: an empirical analysis of spam marketing conversion
Proceedings of the 15th ACM conference on Computer and communications security
SLINGbot: A System for Live Investigation of Next Generation Botnets
CATCH '09 Proceedings of the 2009 Cybersecurity Applications & Technology Conference for Homeland Security
Studying spamming botnets using Botlab
NSDI'09 Proceedings of the 6th USENIX symposium on Networked systems design and implementation
Dispatcher: enabling active botnet infiltration using automatic protocol reverse-engineering
Proceedings of the 16th ACM conference on Computer and communications security
Inspector Gadget: Automated Extraction of Proprietary Gadgets from Malware Binaries
SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy
Spamcraft: an inside look at spam campaign orchestration
LEET'09 Proceedings of the 2nd USENIX conference on Large-scale exploits and emergent threats: botnets, spyware, worms, and more
The case for in-the-lab botnet experimentation: creating and taking down a 3000-node botnet
Proceedings of the 26th Annual Computer Security Applications Conference
What's clicking what? techniques and innovations of today's clickbots
DIMVA'11 Proceedings of the 8th international conference on Detection of intrusions and malware, and vulnerability assessment
Measuring pay-per-install: the commoditization of malware distribution
SEC'11 Proceedings of the 20th USENIX conference on Security
Virtual machine introspection in a hybrid honeypot architecture
CSET'12 Proceedings of the 5th USENIX conference on Cyber Security Experimentation and Test
Manufacturing compromise: the emergence of exploit-as-a-service
Proceedings of the 2012 ACM conference on Computer and communications security
Towards network containment in malware analysis systems
Proceedings of the 28th Annual Computer Security Applications Conference
Machine-oriented biometrics and cocooning for dynamic network defense
Proceedings of the Eighth Annual Cyber Security and Information Intelligence Research Workshop
Driving in the cloud: an analysis of drive-by download operations and abuse reporting
DIMVA'13 Proceedings of the 10th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Hi-index | 0.01 |
Measurement and analysis of modern malware systems such as botnets relies crucially on execution of specimens in a setting that enables them to communicate with other systems across the Internet. Ethical, legal, and technical constraints however demand containment of resulting network activity in order to prevent the malware from harming others while still ensuring that it exhibits its inherent behavior. Current best practices in this space are sorely lacking: measurement researchers often treat containment superficially, sometimes ignoring it altogether. In this paper we present GQ, a malware execution "farm" that uses explicit containment primitives to enable analysts to develop containment policies naturally, iteratively, and safely. We discuss GQ's architecture and implementation, our methodology for developing containment policies, and our experiences gathered from six years of development and operation of the system.