Automatically classifying unknown bots by the register messages

The ever-increasing number of malware/botnet samples demands efficient and scalable classification solutions for better detection and prevention. C&C protocol based classification has proved to be effective and accurate. However, acquiring a new sample's detailed C&C protocol is not trivial, which limits the scalability of C&C based classification. In this talk we present a simplified classification solution based on the C&C register message. Similarities in the semantics/structure of register messages are studied and used. Because register messages are easier to acquire, we think our solution is easy to automate and scales better. Implementation details and evaluation results will be presented.
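To make the idea concrete, here is an added example (not code from the talk or from Qihoo 360) of grouping register messages by their structure rather than by their variable content. The register messages, the placeholder rules, the similarity measure (token-sequence ratio from `difflib`) and the 0.7 cut-off are all constructed assumptions for illustration; a real deployment would choose these from labelled samples.

```python
import re
from difflib import SequenceMatcher

# Constructed register messages (the first message a bot sends to its C&C
# after infection). These are made-up samples for illustration, not data
# from the talk; two structurally different "families" are mixed together.
SAMPLE_MESSAGES = {
    "sample-1": "REG|ID=3f9a2c|OS=WinXP|VER=1.2|CPU=2",
    "sample-2": "REG|ID=77b1e0|OS=Win7|VER=1.3|CPU=4",
    "sample-3": "hello 192.168.10.5 bot-5521 online",
    "sample-4": "hello 10.0.0.7 bot-91 online",
    "sample-5": "REG|ID=c0ffee|OS=Win10|VER=2.0|CPU=8",
}

SIMILARITY_THRESHOLD = 0.7  # assumed cut-off; tune on labelled data


def template(msg: str) -> str:
    """Replace per-infection values with placeholders so only structure remains."""
    t = re.sub(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", "<ip>", msg)  # IPv4 addresses
    t = re.sub(r"\b[0-9a-fA-F]{6,}\b", "<hex>", t)           # hex ids / hashes
    t = re.sub(r"\d+(?:\.\d+)?", "<num>", t)                 # counters, versions
    return t


def tokens(msg: str) -> list:
    """Split a template into structural tokens: placeholders, words, punctuation."""
    return re.findall(r"<\w+>|\w+|[^\w\s]", template(msg))


def similarity(a: str, b: str) -> float:
    """Structural similarity in [0, 1] from the longest matching token blocks."""
    return SequenceMatcher(None, tokens(a), tokens(b)).ratio()


def cluster(messages: dict, threshold: float = SIMILARITY_THRESHOLD) -> dict:
    """Greedy single-pass clustering: a message joins the first cluster whose
    representative is similar enough, otherwise it starts a new cluster."""
    clusters = {}  # cluster id -> {"representative": msg, "members": [names]}
    for name, msg in messages.items():
        for c in clusters.values():
            if similarity(msg, c["representative"]) >= threshold:
                c["members"].append(name)
                break
        else:
            cid = f"family-{len(clusters) + 1}"
            clusters[cid] = {"representative": msg, "members": [name]}
    return clusters


def classify(msg: str, clusters: dict, threshold: float = SIMILARITY_THRESHOLD):
    """Label an unknown register message by its best-matching cluster.
    Returns (cluster id, score), or (None, score) if nothing is close enough."""
    best_id, best_score = None, 0.0
    for cid, c in clusters.items():
        score = similarity(msg, c["representative"])
        if score > best_score:
            best_id, best_score = cid, score
    return (best_id, best_score) if best_score >= threshold else (None, best_score)


if __name__ == "__main__":
    found = cluster(SAMPLE_MESSAGES)
    for cid, c in found.items():
        print(cid, template(c["representative"]), c["members"])
    print(classify("REG|ID=abcdef|OS=Win8|VER=1.9|CPU=1", found))
```

With the constructed samples, the five messages fall into two families: the `REG|ID=...` form and the `hello <ip> bot-<num> online` form. A new message with the same field layout but different ID, OS and version values is labelled as the first family, while an unrelated message such as `PING` gets no label, which is the case an analyst would want to surface for manual review rather than silently force into a cluster.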

Ya Liu
Malware analyst, botnet researcher @ Network Security Research Lab, Qihoo 360