Secure and transparent network traffic replay, redirect, and relay in a dynamic malware analysis environment
Article first published online: 21 MAR 2013
Copyright © 2013 John Wiley & Sons, Ltd.
Security and Communication Networks
Volume 7, Issue 3, pages 626–640, March 2014
How to Cite
Lin, Y.-D., Shih, T.-B., Wu, Y.-S. and Lai, Y.-C. (2014), Secure and transparent network traffic replay, redirect, and relay in a dynamic malware analysis environment. Security Comm. Networks, 7: 626–640. doi: 10.1002/sec.764
- Issue published online: 19 FEB 2014
- Manuscript Accepted: 4 FEB 2013
- Manuscript Revised: 30 JAN 2013
- Manuscript Received: 23 OCT 2012
Keywords: dynamic analysis; transparent network
Dynamic analysis is typically performed in a closed network environment to prevent the malware under analysis from attacking machines on the Internet. However, much of today's malware requires Internet connectivity to operate, so it cannot be thoroughly analyzed in a closed network environment. We propose a secure and transparent network environment that gives malware under dynamic analysis seemingly unrestricted Internet access while keeping the Internet safe. Our environment transparently dispatches malicious network traffic to compatible decoys while allowing harmless control traffic to reach the Internet. We use 12 real-world malware samples, all of which make Internet connections, to evaluate the effectiveness of the proposed environment. The evaluation shows that the proposed environment allows malware to exhibit more network activities than a closed network environment and can even outperform the baseline open network environment in some cases. Meanwhile, Internet security is maintained by dispatching attack and propagation traffic to decoys inside the analysis environment.