Malware invaders need to communicate over the internet through your computer. This fact may seem scary since unwanted network traffic may show up on your computer, but this is actually really good news. Researchers noticed this trail and were determined to see if they could analyze the malware residue.
Using present-day virus detectors can, in most cases, rid your computer of any dangers. But by the time the virus is detected, it is already too late, since the trail of suspicious domains has been active for weeks or even months prior to the removal. This led Manos Antonakakis, an assistant professor in the School of Electrical and Computer Engineering at the Georgia Institute of Technology, to fundamentally rethink network defense systems.
Before discussing the new defense system, one needs to understand the traditional techniques for detecting malware. These classical approaches identify suspicious and insecure domains. They rely on malware samples, which slows the process down, but without the samples the whole detection system would not work. "What we need to do is minimize the amount of time between the compromise and the detection event," Antonakakis said. This statement may seem obvious and simple to achieve, but it is a very hard task, since viruses were thought to leave very few clues behind. Now, researchers have found the trail.
In their study, Antonakakis and colleagues analyzed upwards of five billion network events collected over about five years. They also examined the domain name system (DNS) requests made by approximately 27 million malware samples. They found that traditional strategies detected malware a few months after the fact. Malware-infected computers were also found to leave a residue of DNS requests - in other words, the malware left a trail of the domains it contacted.
The first step was to create a filtration system to separate benign network traffic from malicious traffic in the U.S. internet service provider (ISP) data. The team classified the malware into different families, and also separated potentially unwanted programs (PUPs) from malicious software. Antonakakis compared the classification to the discovery and classification of microorganisms that make humans and animals ill. "You know you are sick when you have a fever, before you know exactly what's causing it," he noted. "The first thing the adversary does is set up a presence on the internet, and that first signal can indicate an infection. We should try to observe that symptom first on the network because if we wait to see the malware sample, we are almost certainly allowing a major infection to develop." In total, the researchers have discovered an astounding 300,000 different pieces of malware to date.
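The two steps described above, filtering known-benign lookups out of DNS traffic and then measuring how long a malware-related domain was active on the network before the corresponding sample was first detected, can be sketched in a few lines. This is an added illustration, not code from the study; the log format, allowlist, domains and dates are all constructed for the example.

```python
from datetime import datetime

# Constructed passive-DNS log: "<ISO timestamp> <client> <queried domain>" per line.
# Sample data invented for this example, not from the study.
DNS_LOG = """\
2016-01-03T09:12:44 10.0.0.5 updates.example.com
2016-01-03T09:13:02 10.0.0.5 cdn-a.example.net
2016-01-04T22:41:10 10.0.0.9 c2-stage.example.org
2016-01-20T02:05:37 10.0.0.5 c2-stage.example.org
2016-02-11T14:30:00 10.0.0.7 dropper-host.example.org
"""

# Known-benign infrastructure removed by the filtration step (constructed).
BENIGN_ALLOWLIST = {"updates.example.com", "cdn-a.example.net"}

# Date the first malware sample contacting each domain was seen by AV (constructed).
SAMPLE_FIRST_SEEN = {
    "c2-stage.example.org": "2016-04-15",
    "dropper-host.example.org": "2016-02-09",
}

def parse_log(text):
    """Yield (timestamp, client, domain) from the constructed log format."""
    for line in text.splitlines():
        if line.strip():
            ts, client, domain = line.split()
            yield datetime.fromisoformat(ts), client, domain.lower().rstrip(".")

def first_seen_on_network(text, allowlist):
    """Earliest DNS lookup per domain, ignoring allowlisted (benign) names."""
    first = {}
    for ts, _client, domain in parse_log(text):
        if domain not in allowlist and (domain not in first or ts < first[domain]):
            first[domain] = ts
    return first

def detection_lag_days(text, allowlist, sample_first_seen):
    """Whole days between a domain's first network appearance and the first AV
    sighting of a sample using it. Positive means the network saw it first."""
    lag = {}
    for domain, ts in first_seen_on_network(text, allowlist).items():
        detected = sample_first_seen.get(domain)
        if detected is not None:
            lag[domain] = (datetime.fromisoformat(detected).date() - ts.date()).days
    return lag

def early_signal_domains(lag):
    """Domains whose DNS activity preceded sample detection: the 'symptom' to watch."""
    return sorted(d for d, days in lag.items() if days > 0)
```

Running `early_signal_domains(detection_lag_days(DNS_LOG, BENIGN_ALLOWLIST, SAMPLE_FIRST_SEEN))` on the constructed data flags the staging domain, which was queried 102 days before its sample surfaced.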
Along with discovering new malware, the team found a new way to identify possible malware through network traffic. "The choke point is the network traffic, and that's where this battle should be fought," claimed Antonakakis. "This study provides a fundamental observation of how the next generation of defense mechanisms should be designed. As more complicated attacks come into being, we will have to become smarter at detecting them earlier." But the team is most proud of the scale of their initiative, which they describe as the world's largest effort to stop viruses.