Ph.D. Proposal by Terry Nelms


Title: Detection and Annotation of Malware Downloads and Infections Through Deep Packet Inspection

Terry Nelms
School of Computer Science
College of Computing
Georgia Institute of Technology

Date: Thursday, December 11, 2014
Time: 2:00 PM - 4:00 PM EST
Location: Klaus 3126 (GTISC war room)


Dr. Mustaque Ahamad (Advisor, School of Computer Science, Georgia Tech)
Dr. Roberto Perdisci (Co-Advisor, Dept. of Computer Science, University of Georgia and School of Computer Science, Georgia Tech)
Dr. Wenke Lee (School of Computer Science, Georgia Tech)
Dr. Manos Antonakakis (School of Electrical and Computer Engineering, Georgia Tech)
Dr. JR Rao (External, Director, Security Research, IBM Research)


Malware continues to be a significant threat to Internet security despite all the resources allocated to combat it.  It is a critical component in many of the most costly attacks on organizations, such as information stealing and extortion (ransomware).  The majority of modern malware infections occur through the browser.  The infection starts with a malware download that is the result of a social engineering or drive-by attack.  After execution, the malware communicates over the network with a command and control (C&C) server to monetize the infection (e.g., by stealing information).

Our research focus is on network behavioral approaches for detecting and annotating malware downloads and their execution using deep packet inspection (DPI).  Modern detection systems target the exploit and the executable, but provide little context as to how and why the user downloaded malware.  To answer these questions we demonstrate how to reconstruct the download path by automatically tracing back and annotating the sequence of events (e.g., visited web pages) preceding malware downloads, highlighting how users reach attack pages on the web.  Tracing back is difficult because of the complexity of today’s browsers and the way they generate HTTP requests from JavaScript and plug-ins.  We show how the annotated download paths can be leveraged to better understand current attack trends and develop more effective defenses.
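To make the traceback idea concrete, the following is an added example (not code from the proposal or its authors) that reconstructs a download path from a constructed set of HTTP requests by following Referer headers back from an executable download. The time-window fallback for requests that carry no Referer, as happens with script- or plug-in-generated navigations, is an assumption of this example and not the method the proposal describes.

```python
from datetime import datetime, timedelta

# Constructed sample of one client's HTTP requests (fabricated for this example, not real traffic).
# Each tuple: (time, requested URL, Referer header or None, response Content-Type).
SAMPLE_REQUESTS = [
    ("2014-12-11 14:00:00", "http://search.example/q?s=free+player", None, "text/html"),
    ("2014-12-11 14:00:05", "http://blog.example/post", "http://search.example/q?s=free+player", "text/html"),
    ("2014-12-11 14:00:06", "http://ads.example/banner.js", "http://blog.example/post", "application/javascript"),
    # Navigation triggered by script: the browser sent no Referer, which breaks the link chain.
    ("2014-12-11 14:00:07", "http://lander.example/update", None, "text/html"),
    ("2014-12-11 14:00:09", "http://dl.example/player_setup.exe", "http://lander.example/update", "application/x-msdownload"),
]

# Content-Types treated as Windows executable downloads (a small illustrative set, not exhaustive).
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-dosexec"}

def parse_requests(records):
    """Turn the raw tuples into dicts with parsed timestamps, kept in wire order."""
    return [{"time": datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), "url": u, "referer": r, "ctype": c}
            for t, u, r, c in records]

def find_executable_downloads(reqs):
    """Flag requests whose response carried an executable Content-Type."""
    return [r for r in reqs if r["ctype"] in EXECUTABLE_TYPES]

def trace_download_path(reqs, download, gap=timedelta(seconds=5)):
    """Walk back from an executable download to the page that started the chain.
    Each hop follows the Referer to the request that fetched that URL. When a request has no
    Referer (common for navigations generated by JavaScript or plug-ins), fall back to the most
    recent earlier HTML page within `gap`; this fallback is an assumption of this example only."""
    by_url = {r["url"]: r for r in reqs}  # assumes URLs are unique within the session
    path, cur = [download], download
    while True:
        prev = by_url.get(cur["referer"]) if cur["referer"] else None
        if prev is None:
            earlier_html = [r for r in reqs if r["ctype"] == "text/html"
                            and r["time"] < cur["time"] and cur["time"] - r["time"] <= gap]
            prev = max(earlier_html, key=lambda r: r["time"], default=None)
        if prev is None or prev in path:  # reached the root page, or a Referer loop
            break
        path.append(prev)
        cur = prev
    return [r["url"] for r in reversed(path)]

if __name__ == "__main__":
    reqs = parse_requests(SAMPLE_REQUESTS)
    print(" -> ".join(trace_download_path(reqs, find_executable_downloads(reqs)[0])))
```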

Successful attacks result in infection through the execution of the downloaded malware.  Detecting the infection on the network can be difficult because the domains and IP addresses used by malware change often in order to stay ahead of blacklists.  However, the structure of the communication (i.e., language) between the malware and the C&C server remains constant for longer periods of time because it is more difficult to change.  Leveraging this fact, we describe the concepts necessary for learning malware languages to detect and annotate infected hosts.

