
Current interests include analysis of Internet-scale threats. We've undertaken a number of studies to assess the prevalence of botnets and various malware delivery mechanisms (drive-by downloads). We have also examined the effectiveness of network telescopes for a variety of tasks, particularly to better understand their capabilities and limits with respect to malware detection and containment.
Malware studies
▪Sam Small, Josh Mason, Fabian Monrose, Niels Provos and Adam Stubblefield. To Catch A Predator: A Natural Language Approach for Eliciting Malicious Payloads. To appear in Proceedings of the 17th USENIX Security Symposium, July, 2008. (PDF)
▪Niels Provos, Panayiotis Mavrommatis, Moheeb Rajab, and Fabian Monrose. All Your iFrames Point to Us. To appear in the Proceedings of the 17th USENIX Security Symposium, July, 2008. (PDF)
▪Moheeb Rajab, Jay Zarfoss, Fabian Monrose and Andreas Terzis. A Multifaceted Approach to Understanding the Botnet Phenomenon. In Proceedings of ACM SIGCOMM/USENIX Internet Measurement Conference, October, Brazil, 2006. (PDF) More information on the architecture we used in the IMC paper is provided in Jay Zarfoss' Master's thesis on A Scalable Architecture for Persistent Botnet Tracking, Jan. 26, 2007.
▪Moheeb Rajab, Jay Zarfoss, Fabian Monrose and Andreas Terzis. My Botnet is Bigger than Yours (Maybe, Better than Yours). In Proceedings of the First USENIX Workshop on Hot Topics in Understanding Botnets, April, Boston, 2007. (PDF)
Modeling
▪Moheeb Rajab, Fabian Monrose, Andreas Terzis and Niels Provos. Peeking Through the Cloud: DNS-based Estimation and its Applications. In Proceedings of the 6th Conference on Applied Cryptography and Network Security (ACNS), 2008. (PDF)
▪Moheeb Rajab, Fabian Monrose and Andreas Terzis. Fast and Evasive Attacks: Highlighting the Challenges Ahead. In Proceedings of the 9th International Symposium on Recent Advances in Intrusion Detection (RAID), Sept, Germany, 2006. (PDF)
▪Moheeb Rajab, Fabian Monrose and Andreas Terzis. On the Impact of Dynamic Addressing on Malware Propagation. In Proceedings of the ACM Workshop on Recurring Malware (WORM), Washington D.C., November, 2006. (PDF)
▪Moheeb Rajab, Fabian Monrose and Andreas Terzis. On the effectiveness of Distributed Worm Monitoring. In Proceedings of the 14th USENIX Security Symposium, pages 225-237, Baltimore, August, 2005. (PDF)
▪Moheeb Rajab, Fabian Monrose and Andreas Terzis. Worm Evolution Tracking via Timing Analysis. In ACM Workshop on Recurring Malware (WORM), pages 52-59, Washington D.C., November, 2005. (PDF)
BGP
◦Sophie Qiu, Patrick McDaniel, and Fabian Monrose. Toward Valley-Free Inter-domain Routing. In Proceedings of the IEEE Conference on Communications, June, Scotland, 2007.
◦Sophie Qiu, Fabian Monrose, Andreas Terzis, and Patrick McDaniel. Efficient Techniques for Detecting False Origin Advertisements in Inter-domain Routing. In Proceedings of the Second Workshop on Secure Network Protocols (NPSec), November 2006. (PDF)
◦Sophie Qiu, Patrick McDaniel, Fabian Monrose, and Aviel D. Rubin. Characterizing Address Use Structure and Stability of Origin Advertisement in Interdomain Routing. In Proceedings of IEEE Symposium on Computers and Communications (ISCC), pages 489-496, June, Italy, 2006. (Supersedes the earlier techreport PDF)
Misc:
◦Bharat Doshi, Antonio De Simone, Sam Small, Fabian Monrose and Andreas Terzis. Large-scale Dynamic Virtual Private Networks for the Global Information Grid. In Proceedings of IEEE Milcom, Atlantic City, October, 2005.
◦S. Kamara, D. Davis, L. Ballard, R. Caudy and F. Monrose. An Extensible Platform for Evaluating Security Protocols. In Proceedings of the 38th IEEE Annual Simulation Symposium (ANSS), pages 204-213, San Diego, 2005. (PDF). SIMNET is maintained here.