
89-438 Seminar in Malware communication and detection

Department of Computer Science, Bar-Ilan University
Lecturer: Prof. Amir Herzberg

Comments and suggestions welcome!

In this seminar we will discuss bleeding-edge research in network security, focusing on malware and, specifically, on bot detection and on covert and other malware communication channels. The seminar is mainly intended for graduate students in the BIU-CS Network Security Group, and is meant to support our research in these areas; some of the meetings may be dedicated to students in the group presenting research that they will present at conferences. Other students and guests are welcome, but are kindly requested to check with the lecturer in advance, so that the room and the seminar do not become too crowded. All are welcome to join and use the mailing list for announcements and discussions.

Sessions and requirements: we meet weekly, on Thursdays, 8:15-9:50am, in room 8, 1st floor, in our building (408). Each student will lead (at least) one session, in which she will present one topic (usually one paper). All students are expected to read all papers before each session; the lead student is expected to read the paper in depth, be ready to answer any questions, present examples, raise issues, etc. Before the seminar, the lead student should send me and the mailing list any extra material she prepared to help the others, and possibly update it after the seminar; I'll post it here. The papers are available by following the links in the schedule below (some work only from within the university network).

Prerequisites: knowledge of networking (at least 89-350) and of security/crypto (at least one of 89-690, 89-550, 89-656).
Additional recommended reading (overview papers):
Barford, Paul, and Vinod Yegneswaran. "An inside look at botnets." Malware Detection (2007): 171-191. Discusses the mechanisms of a few bots (unfortunately a bit outdated, but still useful in my opinion).
A very gentle, basic, short introduction to malware: Sharp, Robin. "An Introduction to Malware." (2007; updated 2012)

Schedule:
Note: the schedule is subject to change, in particular as we may find more relevant papers; students are also encouraged to identify and suggest other papers (especially papers related to their own research). I will not change a paper less than three weeks in advance, to give students sufficient time to prepare.

Students registered for the course who have not yet allocated a week are requested to do so as soon as possible; if you want to cancel, please let me know as soon as possible, since some students asked to join but cannot, as there is no room. Specifically: Tal Shmueli, Alexei Weil, Priel Levy, Ofer Cohen. Please note that there are actually only 4 available lecture slots in the term; one extra student was registered by an administrative mistake (not mine, this time). So we'll have to see: maybe one student will cancel, maybe I'll have to force one to cancel, and maybe we'll simply have an extra week after the term ends (in practice, we'll probably continue after the term anyway).

Columns: date; topic (paper and link); presenting student; comments/links. Note: when time does not suffice, we may extend to the next lecture and adjust the schedule as needed.

25/10 - Friends of an enemy: identifying local members of peer-to-peer botnets using mutual contacts, Coskun et al (ACSAC 2010), http://scholar.google.com/scholar?cluster=1687354734160262002&hl=en&as_sdt=0,5
        Student: Haya Shulman. Links: Haya's notes

1/11 - BotGrep: finding P2P bots with structured graph analysis, Nagaraja et al (Usenix 2010), http://scholar.google.com/scholar?cluster=4404527201971222323&hl=en&as_sdt=0,5
        Student: Rachel Ginzburg. Links: Racheli's notes

8/11 - Covert Communication Despite Traffic Data Retention, Danezis (Security Protocols 2011), http://scholar.google.com/scholar?cluster=16120105954310494144&hl=en&as_sdt=0,5
        Student: Eldan Cohen. Links: Eldan's notes

15/11 - Inference and analysis of formal models of botnet command and control protocols, Cho et al (CCS 2010), http://scholar.google.com/scholar?cluster=13330819923223212352&hl=en&as_sdt=0,5
        Student: Shmuel Blitz. Links: Shmuel's notes

22/11 - Detecting Stealthy P2P Botnets Using Statistical Traffic Fingerprints, Zhang et al (DSN 2011), http://scholar.google.com/scholar?cluster=5286254907279118408&hl=en&as_sdt=0,5
        Student: Michael Goberman. Links: Michael's notes

29/11 - Stegobot: A covert social network botnet, S. Nagaraja, A. Houmansadr, P. Piyawongwisal et al (Information Hiding 2011)
        Student: Nethanel Gelanter. Links: (to be added...)

6/12 - Exploiting Temporal Persistence to Detect Covert Botnet Channels, Giroire et al (RAID 2009), http://scholar.google.com/scholar?cluster=14538524183387495070&hl=en&as_sdt=0,5
        Student: Yossi Gilad. Links: Yossi's notes

13/12 - no meeting

20/12 - Jackstraws: Picking command and control connections from bot traffic, Jacob et al (Usenix 2011), http://scholar.google.com/scholar?cluster=8857456350162077420&hl=en&as_sdt=0,5
        Student: Ronen Slavin. Links: Ronen's notes

27/12 - BotMiner: clustering analysis of network traffic for protocol- and structure-independent botnet detection, Gu et al (Usenix 2008), http://scholar.google.com/scholar?cluster=8177568672001260026&hl=en&as_sdt=0,5
        Student: Alexey Weyl. Links: Alosha's notes

10/1 - Detection and classification of different botnet C&C channels, Fedynyshyn et al (Autonomic and Trusted Computing 2011), http://scholar.google.com/scholar?cluster=12556941934522786792&hl=en&as_sdt=0,5
        Student: Priel Tiferet. Links: Priel's notes

17/1 - BotHunter: Detecting malware infection through IDS-driven dialog correlation, Gu et al (Usenix 2007), http://scholar.google.com/scholar?cluster=14789460410102956951&hl=en&as_sdt=0,5
        Student: Tal Shmueli. Links: (to be added...)

16/1, 6pm - Boosting the scalability of botnet detection using adaptive traffic sampling, Zhang et al (CCS 2011), http://scholar.google.com/scholar?cluster=8883818521432939190&hl=en&as_sdt=0,5
        Student: Asaf Cohen. Links: Asaf's notes
More papers:

Automatically generating models for botnet detection, Wurzinger et al (ESORICS 2009), http://scholar.google.com/scholar?cluster=9002051122514909769&hl=en&as_sdt=0,5

Behavioral Clustering of HTTP-Based Malware and Signature Generation Using Malicious Network Traces, Perdisci et al (Usenix 2010), http://scholar.google.com/scholar?cluster=7145282256037699243&hl=en&as_sdt=0,5

Traffic aggregation for malware detection, Yen et al (DIMVA 2008), http://scholar.google.com/scholar?cluster=18302321418540108729&hl=en&as_sdt=0,5

Active botnet probing to identify obscure command and control channels, Gu et al (ACSAC 2009), http://scholar.google.com/scholar?cluster=4158146539202083203&hl=en&as_sdt=0,5

From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based Malware, Antonakakis et al (Usenix 2012), http://scholar.google.com/scholar?cluster=17295187669582027173&hl=en&as_sdt=0,5