PhD Defense by Terry Nelms
Ph.D. Thesis Defense Announcement
Title: Improving Detection and Annotation of Malware Downloads and Infections Through Deep Packet Inspection
School of Computer Science
College of Computing
Georgia Institute of Technology
Date: Friday, December 4, 2015
Time: 12:00 PM - 2:00 PM EST
Location: Klaus 3126 (GTISC war room)
Committee:
Dr. Mustaque Ahamad (Advisor, School of Computer Science, Georgia Tech)
Dr. Roberto Perdisci (Co-Advisor, Dept. of Computer Science, University of Georgia and School of Computer Science, Georgia Tech)
Dr. Manos Antonakakis (School of Electrical and Computer Engineering, Georgia Tech)
Dr. Wenke Lee (School of Computer Science, Georgia Tech)
Dr. JR Rao (External, Director, Security Research, IBM Research)
Abstract:
Malware continues to be a significant threat to Internet security despite all the resources allocated to combat it. It is a critical component of many of the most costly attacks on organizations, such as information theft and extortion (ransomware). The majority of modern malware infections occur through the browser: the infection starts with a malware download that is the result of a social engineering or drive-by attack. After execution, the malware communicates over the network with a command and control (C&C) server in order to monetize the infection (e.g., by stealing information).
Successful attacks result in infection through execution of the downloaded malware. Detecting the infection on the network can be difficult because the domains and IP addresses used by malware change often in order to stay ahead of blacklists. However, the structure of the communication (i.e., the language) between the malware and its C&C server remains constant for longer periods of time because it is more difficult to change. Leveraging this fact, we describe the concepts necessary for learning malware languages and using them to detect and annotate infected hosts.
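The following is an added illustration of the idea in the abstract, not code from the thesis or its author: a C&C request is reduced to a structural template (HTTP method, path shape, query parameter names and value shapes, User-Agent) with the host and IP deliberately dropped, so a request to a never-before-seen domain still matches a template learned from earlier traffic. All hosts, paths, parameters and family labels below are constructed for the example and are not real indicators.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample traffic: hypothetical hosts, paths, parameters and
# family labels made up for this example, not data or templates from the thesis.
# Each entry is (family_label, method, url, user_agent).
KNOWN_C2 = [
    ("fam-a", "GET",
     "http://updates-cdn1.example/gate.php?id=4f2a9c3e7b1d4a6f9e8c7b6a5d4c3b2a&ver=3&os=7",
     "Mozilla/4.0"),
    ("fam-a", "GET",
     "http://node77.example.net/gate.php?id=0a1b2c3d4e5f60718293a4b5c6d7e8f9&ver=3&os=10",
     "Mozilla/4.0"),
    ("fam-b", "POST",
     "http://img.example.org/stats/1928/report.bin?t=1449230000",
     "Java/1.8.0_45"),
]

# Value-shape classes, checked in order (most specific first).
SHAPES = (
    (re.compile(r"^[0-9]+$"), "<int>"),
    (re.compile(r"^[0-9a-fA-F]{32}$"), "<hex32>"),
    (re.compile(r"^[0-9a-fA-F]{8,}$"), "<hex>"),
    (re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$"), "<b64>"),
)


def abstract(token):
    """Replace a concrete value by its shape; word-like tokens (e.g. 'gate.php') stay literal."""
    for pattern, name in SHAPES:
        if pattern.match(token):
            return name
    return token


def template(method, url, user_agent):
    """Structural signature of a request. The host (domain or IP) is intentionally ignored."""
    parts = urlsplit(url)
    path = "/".join(abstract(seg) for seg in parts.path.split("/"))
    query = "&".join(f"{k}={abstract(v)}"
                     for k, v in parse_qsl(parts.query, keep_blank_values=True))
    return f"{method} {path}?{query} UA={user_agent}"


def learn(labelled):
    """Build a template -> family map from labelled C&C requests."""
    model = {}
    for family, method, url, ua in labelled:
        model[template(method, url, ua)] = family
    return model


def annotate(model, method, url, user_agent):
    """Return the family whose template matches this request, or None if no template matches."""
    return model.get(template(method, url, user_agent))


MODEL = learn(KNOWN_C2)

# New host (a bare IP), new victim id, new version number: a domain/IP blacklist
# built from KNOWN_C2 misses this request, but its template is unchanged.
NEW_C2 = ("GET",
          "http://203.0.113.10/gate.php?id=ffffffffffffffffffffffffffffffff&ver=4&os=8",
          "Mozilla/4.0")
# Constructed benign request that shares nothing structural with the learned templates.
BENIGN = ("GET", "http://www.example.com/search?q=weather&page=2", "Mozilla/5.0")


def demo():
    """Annotate the two constructed requests; returns (label_for_new_c2, label_for_benign)."""
    return annotate(MODEL, *NEW_C2), annotate(MODEL, *BENIGN)


if __name__ == "__main__":
    for tmpl, family in sorted(MODEL.items()):
        print(f"{family}: {tmpl}")
    print(demo())
```

Two requests from the same family collapse into one template even though their victim ids and hosts differ, which is the durability the abstract relies on. A deployable version needs what this toy omits: tolerance for optional or reordered parameters, a benign-traffic model so that common templates do not fire, and visibility into the HTTP layer at all, since TLS hides these fields from a passive sensor.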