GQ: Practical Containment for Measuring Modern Malware Systems
| Field | Value |
| --- | --- |
| Title | GQ: Practical Containment for Measuring Modern Malware Systems |
| Publication Type | Technical Report |
| Year of Publication | 2011 |
| Authors | Kreibich, C., Weaver, N., Kanich, C., Cui, W., & Paxson, V. |
| Other Numbers | 3133 |
| Abstract | Measurement and analysis of modern malware systems such as botnets relies crucially on execution of specimens in a setting that enables them to communicate with other systems across the Internet. Ethical, legal, and technical constraints, however, demand containment of the resulting network activity in order to prevent the malware from harming others while still ensuring that it exhibits its inherent behavior. Current best practices in this space are sorely lacking: measurement researchers often treat containment superficially, sometimes ignoring it altogether. In this paper we present GQ, a malware execution farm that uses explicit containment primitives to enable analysts to develop containment policies naturally, iteratively, and safely. We discuss GQ's architecture and implementation, our methodology for developing containment policies, and our experiences gathered from six years of development and operation of the system. |
| Acknowledgment | This work was partially supported by funding provided to ICSI through National Science Foundation grant CNS-0433702 (CCIED: Collaborative Center for Internet Epidemiology and Defenses). Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors or originators and do not necessarily reflect the views of the National Science Foundation. |
| URL | http://www.icsi.berkeley.edu/pubs/techreports/TR-11-002.pdf |
| Bibliographic Notes | ICSI Technical Report TR-11-002 |
| Abbreviated Authors | C. Kreibich, N. Weaver, C. Kanich, W. Cui, and V. Paxson |
| ICSI Research Group | Networking and Security |
| ICSI Publication Type | Technical Report |