Detection of Mirai by Syntactic and Behavioral Analysis

Najah Ben Said; Fabrizio Biondi; Vesselin Bontchev; Olivier Decourbe; Thomas Given-Wilson; Axel Legay; Jean Quilbeuf

doi:10.1109/ISSRE.2018.00032

Detection of Mirai by Syntactic and Behavioral Analysis

Najah Ben Said, Fabrizio Biondi, Vesselin Bontchev, Olivier Decourbe, Thomas Given-Wilson, Axel Legay, Jean Quilbeuf

Research output: Contribution to book/anthology/report/conference proceeding › Article in proceeding › Research › peer-review

16 Citations (Scopus)

Abstract

The largest botnet distributed denial of service attacks in history have been executed by devices controlled by the Mirai botnet trojan. To prevent Mirai from spreading, this paper presents and evaluates techniques to classify binary samples as Mirai based on their syntactic and behavioral properties. Syntactic malware detection is shown to have a good detection rate and no false positives, but to be very easy to circumvent. Behavioral malware detection is resistant to simple obfuscation and has better detection rate than syntactic detection, while keeping false positives to zero. This paper demonstrates these results, and concludes by showing how to combine syntactic and behavioral analysis techniques for the detection of Mirai.

Original language	English
Title of host publication	Proceedings - 29th IEEE International Symposium on Software Reliability Engineering, ISSRE 2018
Editors	Sudipto Ghosh, Bojan Cukic, Robin Poston, Roberto Natella, Nuno Laranjeiro
Number of pages	12
Publisher	IEEE Computer Society Press
Publication date	16 Nov 2018
Pages	224-235
Article number	8539084
ISBN (Print)	978-1-5386-8322-4
ISBN (Electronic)	978-1-5386-8321-7
DOIs	https://doi.org/10.1109/ISSRE.2018.00032
Publication status	Published - 16 Nov 2018
Event	29th IEEE International Symposium on Software Reliability Engineering, ISSRE 2018 - Memphis, United States Duration: 15 Oct 2018 → 18 Oct 2018

Conference

Conference	29th IEEE International Symposium on Software Reliability Engineering, ISSRE 2018
Country/Territory	United States
City	Memphis
Period	15/10/2018 → 18/10/2018
Sponsor	FedEx, Google, IEEE Computer Society, IEEE Reliability Society, Nokia

Series	Proceedings - International Symposium on Software Reliability Engineering, ISSRE
Volume	2018-October
ISSN	1071-9458

Keywords

Behavioral analysis
Graph mining
Malware
Mirai
Syntactic analysis
System call dependency graph
Yara

Access to Document

10.1109/ISSRE.2018.00032

AUB Link

Search for the material in Aalborg University Library's search engine

Cite this

Ben Said, N., Biondi, F., Bontchev, V., Decourbe, O., Given-Wilson, T., Legay, A., & Quilbeuf, J. (2018). Detection of Mirai by Syntactic and Behavioral Analysis. In S. Ghosh, B. Cukic, R. Poston, R. Natella, & N. Laranjeiro (Eds.), Proceedings - 29th IEEE International Symposium on Software Reliability Engineering, ISSRE 2018 (pp. 224-235). Article 8539084 IEEE Computer Society Press. https://doi.org/10.1109/ISSRE.2018.00032

Ben Said, Najah ; Biondi, Fabrizio ; Bontchev, Vesselin et al. / Detection of Mirai by Syntactic and Behavioral Analysis. Proceedings - 29th IEEE International Symposium on Software Reliability Engineering, ISSRE 2018. editor / Sudipto Ghosh ; Bojan Cukic ; Robin Poston ; Roberto Natella ; Nuno Laranjeiro. IEEE Computer Society Press, 2018. pp. 224-235 (Proceedings - International Symposium on Software Reliability Engineering, ISSRE, Vol. 2018-October).

@inproceedings{34d759181ed1443c8ca0bdb6390cd283,

title = "Detection of Mirai by Syntactic and Behavioral Analysis",

abstract = "The largest botnet distributed denial of service attacks in history have been executed by devices controlled by the Mirai botnet trojan. To prevent Mirai from spreading, this paper presents and evaluates techniques to classify binary samples as Mirai based on their syntactic and behavioral properties. Syntactic malware detection is shown to have a good detection rate and no false positives, but to be very easy to circumvent. Behavioral malware detection is resistant to simple obfuscation and has better detection rate than syntactic detection, while keeping false positives to zero. This paper demonstrates these results, and concludes by showing how to combine syntactic and behavioral analysis techniques for the detection of Mirai.",

keywords = "Behavioral analysis, Graph mining, Malware, Mirai, Syntactic analysis, System call dependency graph, Yara",

author = "{Ben Said}, Najah and Fabrizio Biondi and Vesselin Bontchev and Olivier Decourbe and Thomas Given-Wilson and Axel Legay and Jean Quilbeuf",

year = "2018",

month = nov,

day = "16",

doi = "10.1109/ISSRE.2018.00032",

language = "English",

isbn = "978-1-5386-8322-4",

series = "Proceedings - International Symposium on Software Reliability Engineering, ISSRE",

pages = "224--235",

editor = "Sudipto Ghosh and Bojan Cukic and Robin Poston and Roberto Natella and Nuno Laranjeiro",

booktitle = "Proceedings - 29th IEEE International Symposium on Software Reliability Engineering, ISSRE 2018",

publisher = "IEEE Computer Society Press",

address = "United States",

note = "29th IEEE International Symposium on Software Reliability Engineering, ISSRE 2018 ; Conference date: 15-10-2018 Through 18-10-2018",

}

Ben Said, N, Biondi, F, Bontchev, V, Decourbe, O, Given-Wilson, T, Legay, A & Quilbeuf, J 2018, Detection of Mirai by Syntactic and Behavioral Analysis. in S Ghosh, B Cukic, R Poston, R Natella & N Laranjeiro (eds), Proceedings - 29th IEEE International Symposium on Software Reliability Engineering, ISSRE 2018., 8539084, IEEE Computer Society Press, Proceedings - International Symposium on Software Reliability Engineering, ISSRE, vol. 2018-October, pp. 224-235, 29th IEEE International Symposium on Software Reliability Engineering, ISSRE 2018, Memphis, United States, 15/10/2018. https://doi.org/10.1109/ISSRE.2018.00032

Detection of Mirai by Syntactic and Behavioral Analysis. / Ben Said, Najah; Biondi, Fabrizio; Bontchev, Vesselin et al.
Proceedings - 29th IEEE International Symposium on Software Reliability Engineering, ISSRE 2018. ed. / Sudipto Ghosh; Bojan Cukic; Robin Poston; Roberto Natella; Nuno Laranjeiro. IEEE Computer Society Press, 2018. p. 224-235 8539084 (Proceedings - International Symposium on Software Reliability Engineering, ISSRE, Vol. 2018-October).

Research output: Contribution to book/anthology/report/conference proceeding › Article in proceeding › Research › peer-review

TY - GEN

T1 - Detection of Mirai by Syntactic and Behavioral Analysis

AU - Ben Said, Najah

AU - Biondi, Fabrizio

AU - Bontchev, Vesselin

AU - Decourbe, Olivier

AU - Given-Wilson, Thomas

AU - Legay, Axel

AU - Quilbeuf, Jean

PY - 2018/11/16

Y1 - 2018/11/16

N2 - The largest botnet distributed denial of service attacks in history have been executed by devices controlled by the Mirai botnet trojan. To prevent Mirai from spreading, this paper presents and evaluates techniques to classify binary samples as Mirai based on their syntactic and behavioral properties. Syntactic malware detection is shown to have a good detection rate and no false positives, but to be very easy to circumvent. Behavioral malware detection is resistant to simple obfuscation and has better detection rate than syntactic detection, while keeping false positives to zero. This paper demonstrates these results, and concludes by showing how to combine syntactic and behavioral analysis techniques for the detection of Mirai.

AB - The largest botnet distributed denial of service attacks in history have been executed by devices controlled by the Mirai botnet trojan. To prevent Mirai from spreading, this paper presents and evaluates techniques to classify binary samples as Mirai based on their syntactic and behavioral properties. Syntactic malware detection is shown to have a good detection rate and no false positives, but to be very easy to circumvent. Behavioral malware detection is resistant to simple obfuscation and has better detection rate than syntactic detection, while keeping false positives to zero. This paper demonstrates these results, and concludes by showing how to combine syntactic and behavioral analysis techniques for the detection of Mirai.

KW - Behavioral analysis

KW - Graph mining

KW - Malware

KW - Mirai

KW - Syntactic analysis

KW - System call dependency graph

KW - Yara

UR - http://www.scopus.com/inward/record.url?scp=85059607320&partnerID=8YFLogxK

U2 - 10.1109/ISSRE.2018.00032

DO - 10.1109/ISSRE.2018.00032

M3 - Article in proceeding

AN - SCOPUS:85059607320

SN - 978-1-5386-8322-4

T3 - Proceedings - International Symposium on Software Reliability Engineering, ISSRE

SP - 224

EP - 235

BT - Proceedings - 29th IEEE International Symposium on Software Reliability Engineering, ISSRE 2018

A2 - Ghosh, Sudipto

A2 - Cukic, Bojan

A2 - Poston, Robin

A2 - Natella, Roberto

A2 - Laranjeiro, Nuno

PB - IEEE Computer Society Press

T2 - 29th IEEE International Symposium on Software Reliability Engineering, ISSRE 2018

Y2 - 15 October 2018 through 18 October 2018

ER -

Ben Said N, Biondi F, Bontchev V, Decourbe O, Given-Wilson T, Legay A et al. Detection of Mirai by Syntactic and Behavioral Analysis. In Ghosh S, Cukic B, Poston R, Natella R, Laranjeiro N, editors, Proceedings - 29th IEEE International Symposium on Software Reliability Engineering, ISSRE 2018. IEEE Computer Society Press. 2018. p. 224-235. 8539084. (Proceedings - International Symposium on Software Reliability Engineering, ISSRE, Vol. 2018-October). doi: 10.1109/ISSRE.2018.00032

Detection of Mirai by Syntactic and Behavioral Analysis

Abstract

Conference

Keywords

Access to Document

AUB Link

Other files and links

Fingerprint

Cite this