Studying network traffic going to suspicious domains could indicate to security administrators that their network is infected with malware – months before they might capture a sample of the invasive malware, says a new study out of the Georgia Institute of Technology.
The researchers behind the study claim their findings point to a paradigm shift in the strategies IT admins will need to adopt to detect network security breaches more quickly than they currently can.
“Our study shows that by the time you find the malware, it's already too late because the network communications and domain names used by the malware were active weeks or even months before the actual malware was discovered,” said Manos Antonakakis, an assistant professor in the School of Electrical and Computer Engineering at the Georgia Institute of Technology. “These findings show that we need to fundamentally change the way we think about network defense.”
The findings look at the way malware communicates with its command-and-control centers. That network traffic can be captured and analyzed, so admins can get an earlier indication of an infection and put in place the defenses needed to stop it, or at least reduce its impact.
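As an added illustration of that idea (example code written for this article, not the Georgia Tech researchers' tooling), the script below baselines the domain names a network has resolved, flags names first seen after the baseline window, and measures how long such a name was active before a malware sample was captured. The resolver log format, the hosts and domain names, and the sample-detection date are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed resolver log lines: timestamp, client IP, queried name.
# Hosts and domain names are invented for this example.
LOG_LINES = """\
2017-01-03T08:12:44 10.0.0.12 updates.example-vendor.test
2017-01-03T08:13:01 10.0.0.15 mail.example-corp.test
2017-01-05T22:41:09 10.0.0.21 cdn-sync-7f3a.example-c2.test
2017-01-06T22:40:58 10.0.0.21 cdn-sync-7f3a.example-c2.test
2017-01-20T22:41:12 10.0.0.21 cdn-sync-7f3a.example-c2.test
2017-02-02T09:15:33 10.0.0.15 mail.example-corp.test
"""

# Assumed: names resolved before this date form the "known" baseline.
BASELINE_END = datetime(2017, 1, 4)
# Assumed: date on which a sample for this campaign was first captured.
SAMPLE_DETECTED = datetime(2017, 3, 10)


def parse_logs(text):
    """Return {qname: sorted query timestamps} from the constructed log format."""
    seen = defaultdict(list)
    for line in text.splitlines():
        ts, _client, qname = line.split()
        seen[qname.lower()].append(datetime.fromisoformat(ts))
    return {q: sorted(t) for q, t in seen.items()}


def newly_observed(seen, baseline_end):
    """Names whose first query falls after the baseline: candidates for review."""
    return {q: ts[0] for q, ts in seen.items() if ts[0] >= baseline_end}


def lead_time_days(seen, qname, detected):
    """Whole days between the first resolution of qname and sample capture."""
    return (detected - seen[qname][0]).days


if __name__ == "__main__":
    seen = parse_logs(LOG_LINES)
    for name, first in newly_observed(seen, BASELINE_END).items():
        days = lead_time_days(seen, name, SAMPLE_DETECTED)
        print(f"new domain {name}: first seen {first:%Y-%m-%d}, "
              f"{days} days before sample capture")
```

The output is the list of names that a first-seen baseline would have surfaced, with the number of days each was resolving on the network before a sample existed to match against.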
While legacy defenses seek to identify malware samples once they have already invaded a network, the time lag between infection and detection gives an advantage to the malware authors – the time they need to launch their payloads and gather data.
“What we need to do is minimize the amount of time between the compromise and the detection event,” Antonakakis said.
The research, supported by the U.S. Department of Commerce, the National Science Foundation, the Air Force Research Laboratory and the Defense Advanced Research Projects Agency, was presented on May 24 at the 38th IEEE Security and Privacy Symposium in San Jose, Calif.