GQ: Practical Containment for Measuring Modern Malware Systems

Title: GQ: Practical Containment for Measuring Modern Malware Systems
Publication Type: Conference Paper
Year of Publication: 2011
Authors: Kreibich, C., Weaver N., Kanich C., Cui W., & Paxson V.
Other Numbers: 3221

Measurement and analysis of modern malware systems such as botnets relies crucially on execution of specimens in a setting that enables them to communicate with other systems across the Internet. Ethical, legal, and technical constraints however demand containment of resulting network activity in order to prevent the malware from harming others while still ensuring that it exhibits its inherent behavior. Current best practices in this space are sorely lacking: measurement researchers often treat containment superficially, sometimes ignoring it altogether. In this paper we present GQ, a malware execution “farm” that uses explicit containment primitives to enable analysts to develop containment policies naturally, iteratively, and safely. We discuss GQ’s architecture and implementation, our methodology for developing containment policies, and our experiences gathered from six years of development and operation of the system.


This work has spanned many years, and would not have been possible without the support of many parties. We wish to thank the U.S. Department of Energy’s ESnet, Hewlett/Packard, Microsoft, and VMware for their generous in-kind donations used to construct and operate GQ. We particularly wish to thank Randy Bush, Eli Dart, Chris Grier, Craig Leres, Stefan Savage, Helen Wang, and our colleagues at the Lawrence Berkeley National Laboratory and the University of California, San Diego, for assistance and feedback during GQ’s five years of operation. This work was supported in part by National Science Foundation grants NSF-0433702, CNS-0831535, and CNS-0905631, and by the Office of Naval Research MURI grant N000140911081. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the funders.

Bibliographic Notes

Proceedings of the 2011 Internet Measurement Conference (IMC 2011), Berlin, Germany.

Abbreviated Authors

C. Kreibich, N. Weaver, C. Kanich, W. Cui, and V. Paxson

ICSI Research Group

Networking and Security

ICSI Publication Type

Article in conference proceedings