Publication Details
Title: GQ: Practical Containment for Measuring Modern Malware Systems
Author: C. Kreibich, N. Weaver, C. Kanich, W. Cui, and V. Paxson
Group: ICSI Technical Reports
Date: May 2011
PDF: http://www.icsi.berkeley.edu/pubs/techreports/TR-11-002.pdf
Overview:
Measurement and analysis of modern malware systems such as botnets relies crucially on execution of specimens in a setting that enables them to communicate with other systems across the Internet. Ethical, legal, and technical constraints, however, demand containment of resulting network activity in order to prevent the malware from harming others while still ensuring that it exhibits its inherent behavior. Current best practices in this space are sorely lacking: measurement researchers often treat containment superficially, sometimes ignoring it altogether. In this paper we present GQ, a malware execution “farm” that uses explicit containment primitives to enable analysts to develop containment policies naturally, iteratively, and safely. We discuss GQ’s architecture and implementation, our methodology for developing containment policies, and our experiences gathered from six years of development and operation of the system.
Acknowledgements:
This work was partially supported by funding provided to ICSI through National Science Foundation grant CNS-0433702 (“CCIED: Collaborative Center for Internet Epidemiology and Defenses”). Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors or originators and do not necessarily reflect the views of the National Science Foundation.
Bibliographic Information:
ICSI Technical Report TR-11-002
Bibliographic Reference:
C. Kreibich, N. Weaver, C. Kanich, W. Cui, and V. Paxson. GQ: Practical Containment for Measuring Modern Malware Systems. ICSI Technical Report TR-11-002, May 2011
