Eventpad: Rapid malware analysis and reverse engineering using visual analytics

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution > Academic > peer-review


Abstract

Forensic analysis of malware activity in network environments is a necessary yet very costly and time-consuming part of incident response. Vast amounts of data need to be screened, in a very labor-intensive process, looking for signs indicating how the malware at hand behaves inside, e.g., a corporate network. We believe that data reduction and visualization techniques can assist security analysts in studying behavioral patterns in network traffic samples (e.g., PCAP). We argue that the discovery of patterns in this traffic can help us to quickly understand how intrusive behavior such as malware activity unfolds and distinguishes itself from the rest of the traffic. In this paper we present a case study of the visual analytics tool EventPad and illustrate how it is used to gain quick insights into the analysis of PCAP traffic using rules, aggregations, and selections. We show the effectiveness of the tool on real-world data sets involving office traffic and ransomware activity.

Original language: English
Title: 2018 IEEE Symposium on Visualization for Cyber Security, VizSec 2018
Editors: Stoney Trent, Jorn Kohlhammer, Graig Sauer, Robert Gove, Daniel Best, Celeste Lyn Paul, Nicolas Prigent, Diane Staheli
Publisher: Institute of Electrical and Electronics Engineers
Number of pages: 8
ISBN (electronic): 9781538681947
DOIs: https://doi.org/10.1109/VIZSEC.2018.8709230
Status: Published - 9 May 2019
Event: 2018 IEEE Symposium on Visualization for Cyber Security, VizSec 2018 - Hotel Estrel, Berlin, Germany
Duration: 22 Oct 2018 → …
https://vizsec.org/vizsec2018/#cfp

Conference

Conference: 2018 IEEE Symposium on Visualization for Cyber Security, VizSec 2018
Abbreviated title: VizSec
Country: Germany
City: Berlin
Period: 22/10/18 → …
Internet address: https://vizsec.org/vizsec2018/#cfp

Fingerprint

Reverse engineering
Data visualization
Data reduction
Agglomeration
Personnel
Malware

Cite this

Cappers, B. C. M., Meessen, P. N., Etalle, S., & Van Wijk, J. J. (2019). Eventpad: Rapid malware analysis and reverse engineering using visual analytics. In S. Trent, J. Kohlhammer, G. Sauer, R. Gove, D. Best, C. L. Paul, N. Prigent, ... D. Staheli (editors), 2018 IEEE Symposium on Visualization for Cyber Security, VizSec 2018 [8709230] Institute of Electrical and Electronics Engineers. https://doi.org/10.1109/VIZSEC.2018.8709230
Cappers, Bram C.M. ; Meessen, Paulus N. ; Etalle, Sandro ; Van Wijk, Jarke J. / Eventpad : Rapid malware analysis and reverse engineering using visual analytics. 2018 IEEE Symposium on Visualization for Cyber Security, VizSec 2018. editor / Stoney Trent ; Jorn Kohlhammer ; Graig Sauer ; Robert Gove ; Daniel Best ; Celeste Lyn Paul ; Nicolas Prigent ; Diane Staheli. Institute of Electrical and Electronics Engineers, 2019.
@inproceedings{0ef5a0009e13419f842822387eabdb1d,
title = "Eventpad: Rapid malware analysis and reverse engineering using visual analytics",
keywords = "Human-centered computing, Security, Software and application security, Software reverse engineering, Visual analytics, Visualization, Visualization application domains",
author = "Cappers, {Bram C.M.} and Meessen, {Paulus N.} and Sandro Etalle and {Van Wijk}, {Jarke J.}",
year = "2019",
month = "5",
day = "9",
doi = "10.1109/VIZSEC.2018.8709230",
language = "English",
editor = "Stoney Trent and Jorn Kohlhammer and Graig Sauer and Robert Gove and Daniel Best and Paul, {Celeste Lyn} and Nicolas Prigent and Diane Staheli",
booktitle = "2018 IEEE Symposium on Visualization for Cyber Security, VizSec 2018",
publisher = "Institute of Electrical and Electronics Engineers",
address = "United States",
}

Cappers, BCM, Meessen, PN, Etalle, S & Van Wijk, JJ 2019, Eventpad: Rapid malware analysis and reverse engineering using visual analytics. in S Trent, J Kohlhammer, G Sauer, R Gove, D Best, CL Paul, N Prigent & D Staheli (eds), 2018 IEEE Symposium on Visualization for Cyber Security, VizSec 2018., 8709230, Institute of Electrical and Electronics Engineers, 2018 IEEE Symposium on Visualization for Cyber Security, VizSec 2018, Berlin, Germany, 22/10/18. https://doi.org/10.1109/VIZSEC.2018.8709230

Eventpad : Rapid malware analysis and reverse engineering using visual analytics. / Cappers, Bram C.M.; Meessen, Paulus N.; Etalle, Sandro; Van Wijk, Jarke J.

2018 IEEE Symposium on Visualization for Cyber Security, VizSec 2018. editors / Stoney Trent; Jorn Kohlhammer; Graig Sauer; Robert Gove; Daniel Best; Celeste Lyn Paul; Nicolas Prigent; Diane Staheli. Institute of Electrical and Electronics Engineers, 2019. 8709230.

TY - GEN
T1 - Eventpad
T2 - Rapid malware analysis and reverse engineering using visual analytics
AU - Cappers, Bram C.M.
AU - Meessen, Paulus N.
AU - Etalle, Sandro
AU - Van Wijk, Jarke J.
PY - 2019/5/9
Y1 - 2019/5/9

KW - Human-centered computing
KW - Security
KW - Software and application security
KW - Software reverse engineering
KW - Visual analytics
KW - Visualization
KW - Visualization application domains
UR - http://www.scopus.com/inward/record.url?scp=85066414322&partnerID=8YFLogxK
U2 - 10.1109/VIZSEC.2018.8709230
DO - 10.1109/VIZSEC.2018.8709230
M3 - Conference contribution
AN - SCOPUS:85066414322
BT - 2018 IEEE Symposium on Visualization for Cyber Security, VizSec 2018
A2 - Trent, Stoney
A2 - Kohlhammer, Jorn
A2 - Sauer, Graig
A2 - Gove, Robert
A2 - Best, Daniel
A2 - Paul, Celeste Lyn
A2 - Prigent, Nicolas
A2 - Staheli, Diane
PB - Institute of Electrical and Electronics Engineers
ER -

Cappers BCM, Meessen PN, Etalle S, Van Wijk JJ. Eventpad: Rapid malware analysis and reverse engineering using visual analytics. In Trent S, Kohlhammer J, Sauer G, Gove R, Best D, Paul CL, Prigent N, Staheli D, editors, 2018 IEEE Symposium on Visualization for Cyber Security, VizSec 2018. Institute of Electrical and Electronics Engineers. 2019. 8709230 https://doi.org/10.1109/VIZSEC.2018.8709230