This is a reserve paper. Should it not be required to replace a paper on the main programme, it will be presented at 14:00 in the Small Talks room on Friday 6 October.
Zhanhao Chen, Chao Lei, Royce (Chienhua) Lu & Daiping Liu (Palo Alto Networks)
Traditional network security solutions often focus on blocking malicious URLs to prevent network attacks. However, malware can abuse a variety of legitimate network services for its operations, which poses a new challenge for detection. For example, attackers can host malicious resources on public storage services such as github.com and have victims download them from there, and malware commonly checks the victim's IP information through public services such as ip138.com. Visiting any one of these legitimate hostnames is common and benign, but visiting a specific combination of them within a short period is unlikely for legitimate usage and typical of malware. In this presentation, we will introduce how we identify the legitimate network entities (hostnames, IPs, URLs) most heavily abused by malware and generate combinations of them as malicious network signatures. These signatures can be employed by endpoint detection, firewalls, XDR and SIEM to detect malware traffic in real-world network flows.
Our approach extracts benign network entities from a variety of malware analysis reports, including dynamic analysis (sandbox) reports and security blogs, with the aid of Large Language Models (LLMs). With these entities, the system profiles their relationships and leverages a graph expander to generate candidate signatures. Our method is far more efficient than brute-force enumeration of entity combinations. The evaluation section presents high-level statistics on the extracted signatures and insights into the characteristics of malware network traffic.
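As an added worked example (illustrative code written for this page, not the authors' system, whose source is not reproduced here), the following Python sketch shows the two ideas above in miniature: mining candidate combinations of benign hostnames from per-sample entity sets, and matching those combinations against a traffic log with a per-client time window. The sample sandbox entity sets, the benign baseline, the traffic events, the support threshold and the five-minute window are all constructed assumptions, and the paper's LLM-based extraction and graph expander are replaced by plain co-occurrence counting.

```python
"""Added example for this page: mine and match 'benign-entity combination'
signatures. Illustrative code, not the authors' system. The LLM-based entity
extraction and graph expander described in the abstract are replaced by plain
co-occurrence counting; all data below is constructed."""
from collections import Counter, defaultdict
from itertools import combinations

# Constructed: hostname sets already extracted from malware sandbox reports.
MALWARE_REPORTS = [
    {"github.com", "ip138.com", "api.telegram.org"},
    {"github.com", "ip138.com"},
    {"raw.githubusercontent.com", "ip138.com", "github.com"},
    {"github.com", "ip138.com", "pastebin.com"},
    {"pastebin.com", "api.telegram.org"},
]

# Constructed: hostname sets from benign sessions, used to reject
# combinations that legitimate usage also produces.
BENIGN_REPORTS = [
    {"github.com", "raw.githubusercontent.com"},
    {"github.com", "api.telegram.org"},
    {"ip138.com"},
    {"pastebin.com", "github.com"},
]

# Constructed traffic log: (timestamp_seconds, client, hostname), time-sorted.
TRAFFIC = [
    (0, "10.0.0.5", "github.com"),
    (0, "10.0.0.9", "github.com"),
    (30, "10.0.0.5", "ip138.com"),      # same client, 30 s later -> hit
    (100, "10.0.0.7", "ip138.com"),     # only one of the two hostnames
    (3600, "10.0.0.9", "ip138.com"),    # an hour after github.com -> no hit
]


def candidate_signatures(malware, benign, min_support=3, max_size=3):
    """Return {frozenset(hostnames): support} for hostname combinations that
    co-occur in at least min_support malware reports and in no benign report.
    Every report contributes each of its 2..max_size-element subsets once."""
    support = Counter()
    for hosts in malware:
        for k in range(2, max_size + 1):
            for combo in combinations(sorted(hosts), k):
                support[frozenset(combo)] += 1
    benign_sets = [frozenset(h) for h in benign]
    return {
        combo: n
        for combo, n in support.items()
        if n >= min_support and not any(combo <= b for b in benign_sets)
    }


def match_traffic(events, signatures, window_seconds=300):
    """Scan time-sorted (ts, client, host) events; a signature fires for a
    client when all of its hostnames were contacted within window_seconds.
    Returns a list of (client, ts, signature) hits, one per client+signature."""
    last_seen = defaultdict(dict)   # client -> {hostname: last timestamp}
    fired = set()
    hits = []
    for ts, client, host in events:
        seen = last_seen[client]
        seen[host] = ts
        # Expire hostnames outside the window before testing signatures.
        for stale in [h for h, t in seen.items() if ts - t > window_seconds]:
            del seen[stale]
        for sig in signatures:
            if host in sig and sig.issubset(seen) and (client, sig) not in fired:
                fired.add((client, sig))
                hits.append((client, ts, sig))
    return hits


if __name__ == "__main__":
    sigs = candidate_signatures(MALWARE_REPORTS, BENIGN_REPORTS)
    for sig, n in sigs.items():
        print(f"signature {sorted(sig)} (support {n})")
    for client, ts, sig in match_traffic(TRAFFIC, sigs):
        print(f"hit: client {client} at t={ts}s matched {sorted(sig)}")
```

On the constructed data only the pair github.com + ip138.com survives: it appears in four malware reports and never together in a benign session, and it fires for the one client that contacted both within the window. The two knobs a practitioner tunes are the support threshold and the window; in production the benign filter would use prevalence in baseline traffic rather than strict absence, since any pair of popular hostnames will eventually co-occur somewhere.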
In the case study section, we showcase selected high-quality signatures to illustrate how malware abuses benign services and how the signatures capture typical malware behaviours. We present real-world campaigns captured by these signatures, highlighting how the signatures aid incident response. We have detected several campaigns in the wild, including XorDDos, Pykspa (which spreads via Skype) and financial fraud APKs disguised as legitimate apps, among others.
We are enthusiastic about sharing our source code with the community to facilitate further dissemination of our research and findings. This presentation offers a comprehensive understanding of our methodology and its potential impact on enhancing network security against malware threats.
Zhanhao Chen Zhanhao is a Principal Researcher at Palo Alto Networks in the DNS security research team, where one of his key responsibilities is threat hunting from DNS traffic, alongside developing advanced DNS security features. He has published many Unit42 DNS security blog posts.
Chao Lei Chao Lei is a security researcher with five years of experience, specializing in malware reverse engineering, botnet tracking, vulnerability research and threat intelligence. Chao is an Offensive Security Certified Professional (OSCP) and was a member of the CTF team at the JHU Information Security Institute.
Royce (Chien Hua) Lu Royce Lu is a security researcher at Palo Alto Networks whose areas of interest include kernel security, vulnerability attack and defence, machine learning, and cloud security. He has presented his research at top international security conferences such as Black Hat and Virus Bulletin. Royce is also a Boston Marathon runner.
Daiping Liu A senior manager at Palo Alto Networks, Daiping manages the DNS security research team, which produces DNS abuse analysis and automatic threat detection. He received a Ph.D. in computer engineering from the University of Delaware. His research interests are security, networking, cyber-physical systems and operating systems.