Detection of Mirai by Syntactic and Behavioral Analysis

Najah Ben Said; Fabrizio Biondi; Vesselin Bontchev; Olivier Decourbe; Thomas Given-Wilson; Axel Legay; Jean Quilbeuf

doi:10.1109/ISSRE.2018.00032

Detection of Mirai by Syntactic and Behavioral Analysis

Najah Ben Said, Fabrizio Biondi, Vesselin Bontchev, Olivier Decourbe, Thomas Given-Wilson, Axel Legay, Jean Quilbeuf

Publikation: Bidrag til bog/antologi/rapport/konference proceeding › Konferenceartikel i proceeding › Forskning › peer review

16 Citationer (Scopus)

Abstract

The largest botnet distributed denial of service attacks in history have been executed by devices controlled by the Mirai botnet trojan. To prevent Mirai from spreading, this paper presents and evaluates techniques to classify binary samples as Mirai based on their syntactic and behavioral properties. Syntactic malware detection is shown to have a good detection rate and no false positives, but to be very easy to circumvent. Behavioral malware detection is resistant to simple obfuscation and has better detection rate than syntactic detection, while keeping false positives to zero. This paper demonstrates these results, and concludes by showing how to combine syntactic and behavioral analysis techniques for the detection of Mirai.

Originalsprog	Engelsk
Titel	Proceedings - 29th IEEE International Symposium on Software Reliability Engineering, ISSRE 2018
Redaktører	Sudipto Ghosh, Bojan Cukic, Robin Poston, Roberto Natella, Nuno Laranjeiro
Antal sider	12
Forlag	IEEE Computer Society Press
Publikationsdato	16 nov. 2018
Sider	224-235
Artikelnummer	8539084
ISBN (Trykt)	978-1-5386-8322-4
ISBN (Elektronisk)	978-1-5386-8321-7
DOI	https://doi.org/10.1109/ISSRE.2018.00032
Status	Udgivet - 16 nov. 2018
Begivenhed	29th IEEE International Symposium on Software Reliability Engineering, ISSRE 2018 - Memphis, USA Varighed: 15 okt. 2018 → 18 okt. 2018

Konference

Konference	29th IEEE International Symposium on Software Reliability Engineering, ISSRE 2018
Land/Område	USA
By	Memphis
Periode	15/10/2018 → 18/10/2018
Sponsor	FedEx, Google, IEEE Computer Society, IEEE Reliability Society, Nokia

Navn	Proceedings - International Symposium on Software Reliability Engineering, ISSRE
Vol/bind	2018-October
ISSN	1071-9458

Adgang til dokumentet

10.1109/ISSRE.2018.00032

AUB Link

Søg efter materialet i Aalborg Universitetsbiblioteks søgemaskine

Andre filer og links

http://www.scopus.com/inward/record.url?scp=85059607320&partnerID=8YFLogxK

Citationsformater

Ben Said, N., Biondi, F., Bontchev, V., Decourbe, O., Given-Wilson, T., Legay, A., & Quilbeuf, J. (2018). Detection of Mirai by Syntactic and Behavioral Analysis. I S. Ghosh, B. Cukic, R. Poston, R. Natella, & N. Laranjeiro (red.), Proceedings - 29th IEEE International Symposium on Software Reliability Engineering, ISSRE 2018 (s. 224-235). Artikel 8539084 IEEE Computer Society Press. https://doi.org/10.1109/ISSRE.2018.00032

Ben Said, Najah ; Biondi, Fabrizio ; Bontchev, Vesselin et al. / Detection of Mirai by Syntactic and Behavioral Analysis. Proceedings - 29th IEEE International Symposium on Software Reliability Engineering, ISSRE 2018. red. / Sudipto Ghosh ; Bojan Cukic ; Robin Poston ; Roberto Natella ; Nuno Laranjeiro. IEEE Computer Society Press, 2018. s. 224-235 (Proceedings - International Symposium on Software Reliability Engineering, ISSRE, Bind 2018-October).

@inproceedings{34d759181ed1443c8ca0bdb6390cd283,

title = "Detection of Mirai by Syntactic and Behavioral Analysis",

abstract = "The largest botnet distributed denial of service attacks in history have been executed by devices controlled by the Mirai botnet trojan. To prevent Mirai from spreading, this paper presents and evaluates techniques to classify binary samples as Mirai based on their syntactic and behavioral properties. Syntactic malware detection is shown to have a good detection rate and no false positives, but to be very easy to circumvent. Behavioral malware detection is resistant to simple obfuscation and has better detection rate than syntactic detection, while keeping false positives to zero. This paper demonstrates these results, and concludes by showing how to combine syntactic and behavioral analysis techniques for the detection of Mirai.",

keywords = "Behavioral analysis, Graph mining, Malware, Mirai, Syntactic analysis, System call dependency graph, Yara",

author = "{Ben Said}, Najah and Fabrizio Biondi and Vesselin Bontchev and Olivier Decourbe and Thomas Given-Wilson and Axel Legay and Jean Quilbeuf",

year = "2018",

month = nov,

day = "16",

doi = "10.1109/ISSRE.2018.00032",

language = "English",

isbn = "978-1-5386-8322-4",

series = "Proceedings - International Symposium on Software Reliability Engineering, ISSRE",

pages = "224--235",

editor = "Sudipto Ghosh and Bojan Cukic and Robin Poston and Roberto Natella and Nuno Laranjeiro",

booktitle = "Proceedings - 29th IEEE International Symposium on Software Reliability Engineering, ISSRE 2018",

publisher = "IEEE Computer Society Press",

address = "United States",

note = "29th IEEE International Symposium on Software Reliability Engineering, ISSRE 2018 ; Conference date: 15-10-2018 Through 18-10-2018",

}

Ben Said, N, Biondi, F, Bontchev, V, Decourbe, O, Given-Wilson, T, Legay, A & Quilbeuf, J 2018, Detection of Mirai by Syntactic and Behavioral Analysis. i S Ghosh, B Cukic, R Poston, R Natella & N Laranjeiro (red), Proceedings - 29th IEEE International Symposium on Software Reliability Engineering, ISSRE 2018., 8539084, IEEE Computer Society Press, Proceedings - International Symposium on Software Reliability Engineering, ISSRE, bind 2018-October, s. 224-235, 29th IEEE International Symposium on Software Reliability Engineering, ISSRE 2018, Memphis, USA, 15/10/2018. https://doi.org/10.1109/ISSRE.2018.00032

Detection of Mirai by Syntactic and Behavioral Analysis. / Ben Said, Najah; Biondi, Fabrizio; Bontchev, Vesselin et al.
Proceedings - 29th IEEE International Symposium on Software Reliability Engineering, ISSRE 2018. red. / Sudipto Ghosh; Bojan Cukic; Robin Poston; Roberto Natella; Nuno Laranjeiro. IEEE Computer Society Press, 2018. s. 224-235 8539084 (Proceedings - International Symposium on Software Reliability Engineering, ISSRE, Bind 2018-October).

Publikation: Bidrag til bog/antologi/rapport/konference proceeding › Konferenceartikel i proceeding › Forskning › peer review

TY - GEN

T1 - Detection of Mirai by Syntactic and Behavioral Analysis

AU - Ben Said, Najah

AU - Biondi, Fabrizio

AU - Bontchev, Vesselin

AU - Decourbe, Olivier

AU - Given-Wilson, Thomas

AU - Legay, Axel

AU - Quilbeuf, Jean

PY - 2018/11/16

Y1 - 2018/11/16

N2 - The largest botnet distributed denial of service attacks in history have been executed by devices controlled by the Mirai botnet trojan. To prevent Mirai from spreading, this paper presents and evaluates techniques to classify binary samples as Mirai based on their syntactic and behavioral properties. Syntactic malware detection is shown to have a good detection rate and no false positives, but to be very easy to circumvent. Behavioral malware detection is resistant to simple obfuscation and has better detection rate than syntactic detection, while keeping false positives to zero. This paper demonstrates these results, and concludes by showing how to combine syntactic and behavioral analysis techniques for the detection of Mirai.

AB - The largest botnet distributed denial of service attacks in history have been executed by devices controlled by the Mirai botnet trojan. To prevent Mirai from spreading, this paper presents and evaluates techniques to classify binary samples as Mirai based on their syntactic and behavioral properties. Syntactic malware detection is shown to have a good detection rate and no false positives, but to be very easy to circumvent. Behavioral malware detection is resistant to simple obfuscation and has better detection rate than syntactic detection, while keeping false positives to zero. This paper demonstrates these results, and concludes by showing how to combine syntactic and behavioral analysis techniques for the detection of Mirai.

KW - Behavioral analysis

KW - Graph mining

KW - Malware

KW - Mirai

KW - Syntactic analysis

KW - System call dependency graph

KW - Yara

UR - http://www.scopus.com/inward/record.url?scp=85059607320&partnerID=8YFLogxK

U2 - 10.1109/ISSRE.2018.00032

DO - 10.1109/ISSRE.2018.00032

M3 - Article in proceeding

AN - SCOPUS:85059607320

SN - 978-1-5386-8322-4

T3 - Proceedings - International Symposium on Software Reliability Engineering, ISSRE

SP - 224

EP - 235

BT - Proceedings - 29th IEEE International Symposium on Software Reliability Engineering, ISSRE 2018

A2 - Ghosh, Sudipto

A2 - Cukic, Bojan

A2 - Poston, Robin

A2 - Natella, Roberto

A2 - Laranjeiro, Nuno

PB - IEEE Computer Society Press

T2 - 29th IEEE International Symposium on Software Reliability Engineering, ISSRE 2018

Y2 - 15 October 2018 through 18 October 2018

ER -

Ben Said N, Biondi F, Bontchev V, Decourbe O, Given-Wilson T, Legay A et al. Detection of Mirai by Syntactic and Behavioral Analysis. I Ghosh S, Cukic B, Poston R, Natella R, Laranjeiro N, red., Proceedings - 29th IEEE International Symposium on Software Reliability Engineering, ISSRE 2018. IEEE Computer Society Press. 2018. s. 224-235. 8539084. (Proceedings - International Symposium on Software Reliability Engineering, ISSRE, Bind 2018-October). doi: 10.1109/ISSRE.2018.00032

Detection of Mirai by Syntactic and Behavioral Analysis

Abstract

Konference

Adgang til dokumentet

AUB Link

Andre filer og links

Fingeraftryk

Citationsformater