The findings of a five-year study suggest that analysis of network traffic enables the detection of malware several weeks or even months earlier than what is possible now.
Malware of this kind infects computers, smartphones and tablets to extract sensitive or personal information. That information is typically used to extort money or intellectual property, or to block users from accessing their devices and then offer renewed access for a ransom.
The fight against malware has become more and more arduous as malicious developers use obfuscation techniques that make detection of these programs difficult.
Malware often goes unnoticed for days or weeks, and when detected by the average antivirus, it’s often too late.
Network Traffic for Early Detection of Malware Cyber Attacks
Malware typically needs to communicate back to the command-and-control servers it was sent from, and in doing so it creates network traffic.
An international team of researchers found that analyzing network traffic going to suspicious domains allows for malware detection in a timely manner.
The research was supported by the U.S. Department of Commerce, the National Science Foundation, the Air Force Research Laboratory, and the Defense Advanced Research Projects Agency.
A paper entitled “A Lustrum of Malware Network Communication: Evolution and Insights” was presented last week at the 38th IEEE Security and Privacy Symposium in San Jose, CA.
Researchers from the Georgia Institute of Technology, the IMDEA Software Institute in Spain, and EURECOM in France conducted a five-year network traffic survey from a large U.S. Internet service provider, including more than 5 billion network events.
They studied DNS requests made by nearly 27 million malware samples, and also examined the timing of the re-registration of expired domains (a preferred launch site for cyber attacks).
The team used a filtering system to separate benign from malicious network traffic and found that 300,000 malware domains were active for at least two weeks before being identified as a source of malware.
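The measurement the study describes, the gap between a domain first showing up in DNS traffic and the day a blocklist catches it, is easy to reproduce on a small scale. The script below is an added illustration, not code from the paper or its authors: it parses a few constructed passive-DNS lines, computes the first-seen date per domain, reports the lead time in days against a constructed blocklist, and flags domains that were queried shortly after being re-registered following expiry. The log format, the domain names, the blocklist dates and the registration dates are all assumptions for the example.

```python
"""Passive-DNS lead-time analysis: how long a domain was being queried before
it was flagged. Added example with constructed data; not the paper's method."""
from collections import defaultdict
from datetime import date, datetime

# Constructed passive-DNS records: "timestamp client queried-domain".
# Client addresses are synthetic; only per-domain timing matters here.
DNS_LOG = """\
2016-03-01T08:12:05 10.0.0.5 update.example-cdn.test
2016-03-02T11:40:19 10.0.0.7 k3z9.badlinx.test
2016-03-04T02:13:44 10.0.0.9 k3z9.badlinx.test
2016-03-09T19:55:01 10.0.0.5 mail.example-cdn.test
2016-03-20T13:05:37 10.0.0.7 qwe.re-reg.test
2016-03-21T07:00:10 10.0.0.7 qwe.re-reg.test
"""

# Constructed blocklist: domain -> date it was first publicly flagged.
BLOCKLIST_DATE = {
    "k3z9.badlinx.test": date(2016, 3, 25),
    "qwe.re-reg.test": date(2016, 4, 30),
}

# Constructed WHOIS-style data: domain -> (expiry date, re-registration date).
REREGISTRATION = {
    "qwe.re-reg.test": (date(2016, 2, 1), date(2016, 3, 18)),
}


def parse_log(text):
    """Return {domain: [datetime, ...]} from 'timestamp client domain' lines."""
    seen = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _client, domain = line.split()
        seen[domain.lower()].append(datetime.fromisoformat(ts))
    return seen


def first_seen(seen):
    """Earliest query date observed for each domain."""
    return {d: min(times).date() for d, times in seen.items()}


def lead_time_days(seen, blocklist):
    """Days between the first observed query and the blocklist date, per
    flagged domain. A positive value is the window in which traffic analysis
    could have caught the domain before any list did."""
    fs = first_seen(seen)
    return {d: (blocklist[d] - fs[d]).days for d in blocklist if d in fs}


def recently_reregistered(seen, rereg, window_days=30):
    """Domains first queried within `window_days` after being re-registered
    following expiry; returns {domain: days since re-registration}."""
    fs = first_seen(seen)
    hits = {}
    for d, (expired, reregistered) in rereg.items():
        if d not in fs or not expired < reregistered:
            continue
        age = (fs[d] - reregistered).days
        if 0 <= age <= window_days:
            hits[d] = age
    return hits


if __name__ == "__main__":
    observed = parse_log(DNS_LOG)
    print(lead_time_days(observed, BLOCKLIST_DATE))
    print(recently_reregistered(observed, REREGISTRATION))
```

On the constructed data the two flagged domains were queried 23 and 41 days before their blocklist dates, and the re-registered domain was contacted two days after re-registration; on real passive-DNS feeds the same two functions give the lead time and the domain-age signal the study points to.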
Toward New Cyber Defense Strategies
“The choke point is the network traffic, and that’s where this battle should be fought,” said Manos Antonakakis, an assistant professor at Georgia Institute of Technology and co-author of the paper. “This study provides a fundamental observation of how the next generation of defense mechanisms should be designed.”
The study’s findings provide the groundwork for the development of more efficient strategies for cyber defense.
As with biological diseases, where early detection of symptoms increases the chances of recovery, early detection of malicious traffic enables a quicker and more efficient response.