WO2013113532A1 - A method and a system to detect malicious software - Google Patents

Info

Publication number: WO2013113532A1
Authority: WO, WIPO (PCT)
Application number: PCT/EP2013/050237
Other languages: French (fr)
Inventors: Guillermo SUÁREZ DE TANGIL, Esther PALOMAR GONZÁLEZ
Original assignee: Telefónica, S.A.

Classifications

    • H04L63/1416 Event detection, e.g. attack signature detection (H04L63/14 Network security for detecting or protecting against malicious traffic; H04L63/1408 by monitoring network traffic)
    • H04L63/145 Countermeasures against malicious traffic where the attack involves the propagation of malware through the network, e.g. viruses, trojans or worms (H04L63/1441 Countermeasures against malicious traffic)
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment (H04L63/1441 Countermeasures against malicious traffic)
    • G06N3/126 Evolutionary algorithms, e.g. genetic algorithms or genetic programming (G06N3/12 Computing arrangements based on biological models using genetic models)

Definitions

  • the present invention generally relates, in a first aspect, to a method to detect malicious software, said detection of malicious software, or malware, performed at least by applying security event correlation rules to a network and more particularly to a method that comprises capturing malware by means of a honeynet collector, deploying a virtual network dedicated for each captured malware, inferring correlation information from captured malware and events collected from execution of said captured malware in each virtual network and generating event correlation rules from said inferred correlation information by means of artificial intelligence techniques.
  • a second aspect of the invention relates to a system arranged to implement the method of the first aspect.
  • SIEM Security Information and Event Management
  • SIEM systems are designed to centralize all the security information generated by the sensors deployed on any networking environment. Such a centralization assists in (a) normalizing the collected alerts in a common format, (b) providing a rapid access to centralized log data, (c) performing an efficient analysis of scattered alerts, and also (d) generating correlation alarms whenever it detects several events potentially related to a certain suspicious activity.
  • different Artificial Intelligence (AI) techniques have been applied to optimize intrusion detection, especially aimed at dealing with the aforementioned disadvantages [5].
  • various AI-based processing techniques are used for IDS security data, like Expert Systems [6], Data Mining [7], Statistical Analysis [8], Neural Networks [9], Machine Learning [10] [11], and Artificial Immune Systems [12].
  • honeypots are widely known systems used to trap drive-by download malware by exposing an unprotected vulnerable resource. Apart from this, honeypots are constantly monitored in order to study malware's behaviour. Honeypots are usually located in the perimeter of an organization, usually called DMZ.
  • Some works have used Web crawlers to stimulate honeypot activity [47]. Two or more honeypots form a honeynet, and when analysis tools are used within the honeynet, it is called a honeyfarm. Recently, a new concept, namely "network telescope", has appeared to further scrutinize large-scale attacks by studying multi-step events occurring on the Internet. For instance, many works presented so far elaborate on automatic malware analysis at the host end [14] [15] [16] [17]. For example, Kapoor et al. [18] present several methods and systems, including honeypots, for unifying threat management, whilst providing flow processing facilities towards pattern recognition. Furthermore, Neysstadt et al. [19] propose a reputation system for assisting unified threat management systems in the detection of intrusions.
  • honeypots are used to feed that reputation system.
  • Feeney et al. [20] utilize factorial hidden Markov models to automatically infer the hierarchical structure of malware's file-type within a probabilistic model.
  • VM virtual machines
  • Jiang and Wang's work [21] elaborates on monitoring honeypots using virtualization.
  • Syversen [22] presents a virtual network honeynet approach to clone a certain enterprise network configuration and, in turn, serve as an early detection system.
  • recent VM monitors include hardware extensions to ensure resilience against anti-VM detection techniques [23], thus increasing the robustness of other, simpler network simulators such as Honeyd [24].
  • an event correlation engine finds connections among alerts which potentially belong to a certain distributed (or multi-step) attack.
  • correlations are useful because they can indicate a predictive relationship to be exploited.
  • event correlation has been extensively addressed on different security-related areas such as network fault diagnostic [44], sensor networks [45] and attack detection [46], but applying multiple strategies.
  • the application of intelligent self-learning techniques to the generation of event correlation rules is considered a major challenge.
  • the present invention provides in a first aspect a method to detect malicious software, said detection of malicious software, or malware, performed at least by applying security event correlation rules to a network.
  • in a characteristic manner, the method of the invention comprises: - capturing malware by means of a honeynet collector;
  • a second aspect of the present invention concerns to a system to detect malicious software, said detection of malicious software, or malware, performed at least by applying security event correlation rules to a network.
  • honeynet collector in charge of capturing malware, said honeynet collector including at least one honeypot;
  • VM virtual machine pool in charge of at least building virtual networks wherein each of said virtual networks is dedicated for each captured malware including a number of virtual devices named VM;
  • an analyser module in charge of inferring correlation information from captured malware and events collected from execution of said captured malware at both network and host level in each of said virtual networks;
  • FIG. 1 shows a general scheme and the context of the method and system of the invention proposed in this document.
  • Figure 2 shows the main building modules of the system of the second aspect of the invention, according to a possible embodiment.
  • Figure 3 shows the algorithm followed when capturing malware in the honeynet collector, according to an embodiment of the present invention.
  • Figure 4 shows a signature-based antivirus scan used to extract the payload information from malware captured in the honeynet collector, according to an embodiment of the present invention.
  • Figure 5 shows the algorithm followed by the Virtualized Malware Pool used to evaluate the impact of encountered attacks of captured malware, according to an embodiment of the present invention.
  • Figure 6 shows the flow diagram used to analyse the events reported by the SIEM deployed in each virtual network, according to an embodiment of the present invention.
  • Figure 7 shows the flow diagram of the generation of the event correlation rules, according to an embodiment of the present invention.
  • Figure 8 shows a detailed scheme of the system of the second aspect of the invention and the algorithms that affect to each of the elements of said system, according to an embodiment of the present invention.
  • the present invention focuses on providing an automatic security event correlation subsystem which eliminates the human intervention in both the detection of attacks and the generation of event correlation rules. Principal objectives range from reducing the large number of alerts reported to identify multi-step attack scenarios, to identifying new attack signatures.
  • the subject subsystem provides a network telescope to observe malware's activity. Additionally, the subject telescope is fed with malware captured by a Honeynet. For each captured malware, its own virtual network is created, isolated from the others.
  • the correlation engine infers extra information from such alerts finding out connections between them.
  • correlation alerts are triggered based on pre- established directives, i.e. a set of rules.
  • correlation directives are generally inefficient without a proper configuration.
  • the creation of directives is commonly carried out by the system administrator as an expert.
  • the subject subsystem extracts correlation information from the events collected in each virtual network. This subject subsystem automatically generates event correlation rules from the inferred information extracted in each telescope.
  • the subsystem is capable of analysing malware's executable files and its behaviour based on the events generated.
  • a subsystem for monitoring each network telescope by using a SIEM system is present.
  • the present invention then integrates semi-supervised security event detection and correlation as a whole on a SIEM framework by using artificial intelligence techniques.
  • Figure 1 depicts the context of the proposal.
  • the present invention is physically located in two main network segments.
  • the capture (by a honeynet) of the incoming malware is produced at the demilitarized zone (DMZ) which is publicly exposed.
  • DMZ demilitarized zone
  • malware analysis and the generation of correlation rules are placed at a separate subnetwork, isolated from the highly protected intranet.
  • the honeynet-based correlation subsystem has to manage four main building blocks, i.e. a honeynet-based malware collector (HMC) which collects the malicious software encountered, an analyser of malware and security events which helps infer correlation information, a virtual machine-based pool for evaluating the impact of encountered attacks (VMP) and, finally, the correlation rule generation (CRG) which is in charge of automatically creating event correlation rules by means of supervised artificial intelligence techniques.
  • HMC honeynet-based malware collector
  • VMP virtual machine-based pool for evaluating the impact of encountered attacks
  • CRG correlation rule generation
  • the HMC consists of a collection of honeypots aimed at capturing the incoming malicious software.
  • the malware collected is not analysed in this stage but stored in a database in order to be executed afterwards, as depicted in Figure 3.
  • Honeypots are designed to expose vulnerable systems in an unprotected subnetwork to capture drive-by download malware. When the attacker exploits a vulnerability (known or unknown), the system traps the downloaded executable. In a possible embodiment, web crawlers could be used to stimulate the honeynet's activity. If the hash of the captured malware matches one previously stored, then the executable is discarded.
  • the malware Analyser module extracts information, as shown in Figure 4, using malware detection methods [32], as follows.
  • AV Anti-Virus
  • the malware Analyser is also capable of producing the following information related to a certain malware specification: name, common vulnerabilities exploited, and the operative system and services affected.
  • static [34] and dynamic [35] techniques for analysis of malicious code can be deployed for this module.
  • the third stage takes place within the VMP which represents a separated subsystem for instantiating a network configuration using virtual machines to prove encountered attacks, as depicted in Figure 5.
  • the more information about the affected vulnerabilities provided by the malware Analyser in the previous phase the more information the VMP has for deploying the most appropriate virtual network configuration.
  • if no information is returned by the Analyser, a zero-day malware has been discovered and, therefore, an adequate configuration for the virtual network is set by default.
  • virtual machines will host the malicious software together with a SIEM system instance which is responsible for collecting the virtualized events resulting from the tested malware's activity.
  • the SIEM instance could be configured by default, or even incorporate additional security information regarding previous executions of the entire subsystem.
  • this virtual telescope will also host different software products on different operating systems.
  • Each network system will deploy a sensor plugged into the SIEM in order to accumulate critical events occurring on the system.
  • Nested malware will then produce a different pattern and sequence of events than uninfected systems.
  • Typical software products such as firewalls, IDS, etc. will report valuable events for further correlation and, therefore, will also be included in the deployed virtual network.
  • the training set gathers in an organized way all the events' features extracted from the VMP test.
  • This training set consists of the events labelled as 'Positive' extracted from the VMP stage as mentioned before, together with the events, labelled as 'Negative', inferred from, for example, an Artificial Immune System (AIS).
  • AIS Artificial Immune System
  • the well-known AIS technique namely negative selection [48] [49] completes the classification process with the discriminatory events. With this technique, deleterious events can be removed from the Positive set of events, leading to a better convergence of the learning process.
  • the output of this analysis involves two different collections of events, i.e. positive registers and negative registers.
  • missing MAEC information is extracted in order to alleviate the impact of zero-day based attacks. For instance, if only events from Windows XP SP3 instances were reported, but not from SP1 and SP2, then the malware's attributes will be appropriately characterized according to this attack scenario.
  • the training set allows us to apply any supervised artificial intelligence technique as well as serving as a guide to the evaluation of rules without human supervision.
  • the CRG creates event correlation rules by evaluating the training set and the statistical information produced by a data mining process on the positive events, as follows.
  • Data mining gives some useful statistical data, such as the inter-arrival time between events regarding one of their features, like the IP addresses or ports; these statistics assist the next phase, i.e. the intelligent rule generation, in classifying the related events into a specific type of attack.
  • This module produces generic correlation rules for that specific malware by applying any AI-based technique.
  • the CRG evaluates the automatically generated correlation rules with the two aforementioned collections of 'Positive' and 'Negative' registers, aimed at maximizing positives whilst minimizing negatives.
  • the AI-based technique will return the best correlation rule generated, based on the knowledge captured from the malware's behaviour.
  • CAPEC Common Attack Pattern Enumeration and Classification
  • AKDL Attack Knowledge Description Language
  • Produced rules are then exported to the correlation engine of the organization SIEM in production, meanwhile feeding back the SIEM correlation engine deployed over the VMP.
  • Embodiments of this invention comprise a framework as a whole that automates the event correlation, eliminating the human intervention during that process.
  • the proposed framework is suitable to be integrated into an open source SIEM such as OSSIM [50] which can be used not only to unify the security framework management but also to monitor the sensors' activities.
  • honeynets are used in the DMZ subnetwork to capture drive-by download malware.
  • crawlers might be used to stimulate honeynet's activity.
  • the proposed invention can apply Xen Hypervisor [55], i.e. a virtual machine monitor which enhances the virtualization process run in the VMP subsystem.
  • system-call tracing tools and other generic malware analysis toolkits such as VMScope [21], TTAnalyze [56], or Ether [23] could also be used to efficiently extract malware information within our own sandbox.
  • Embodiments of the Event Analyser subsystem range from adopting Clustering methods to Association Rule Learning, amongst others [7].
  • the CRG subsystem may apply evolutionary computation (EC) techniques, e.g. genetic programming (GP), to provide a machine learning of event correlation rules.
  • EC evolutionary computation
  • GP genetic programming
  • This process is guided by a previously generated training set, which contains the classification of events provided by our VMP subsystems. More specifically, GP efficiently reaches the target attack's correlation rule as the best fitness individual (for more details on this genetic strategy, refer to [57]).
  • AIS represents another potential EC algorithm to be used in another embodiment.
  • the main goal of this invention is to totally eliminate the need of supervision of the security expert especially in two main tasks, namely the identification of the malware behavior and the generation of the specific correlation rule which matches that encountered behavior. For instance, current SIEMs in production already depend on the existence of that supervision.
  • the present invention generates correlation rules which can be easily integrated into either different SIEM products or different network infrastructure.
  • a major goal here is the suppression of any additional framework deployment in-situ.
  • SIEM systems, as an essential requirement of our subsystem, provide a holistic viewpoint of malware analysis, since not only the sensing technology is constantly evolving and being revised, but also the complexity of novel multi-step attacks.
  • a key advantage derived from the VMP subsystem is that suspicious activities produced by a specific malware are isolated from the activities produced by any other malware, thus eliminating noise in earlier stages.
  • another advantage of the present invention is that both well-known and unknown malware signatures are detected.
  • BotSniffer Detecting botnet command and control channels in network traffic. Gu, G. and Zhang, J. and Lee, W. San Diego, CA, February : s.n., 2008. Proceedings of the 15th Annual Network and Distributed System Security Symposium. [4] On the detection and identification of botnets. Seewald, A.K. and Gansterer,
  • Ether Malware analysis via hardware virtualization extensions. Dinaburg, A. and Royal, P. and Sharif, M. and Lee, W. s.l. : ACM, 2008. Proceedings of the 15th ACM conference on Computer and communications security, pags. 51-62. [24] A virtual honeypot framework. Provos, Niels. San Diego, CA : USENIX
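The training-set construction described above (events from the VMP runs labelled 'Positive', with 'Negative' events inferred by an Artificial Immune System using negative selection [48] [49], which prunes deleterious events from the Positive set) can be illustrated with the following added Python example. It is not code from the patent or from Telefónica: the four-symbol event encoding, the r-contiguous matching rule with r = 3, the exhaustive enumeration of detector candidates and the sample clean-run and infected-run events are all constructed assumptions made here for illustration.

```python
from itertools import product

# Feature alphabets (constructed for this example): one symbol per event feature, so each
# SIEM event becomes a fixed-length 4-symbol string: sensor, event class, direction, severity.
SENSOR = {"fw": "F", "hids": "H", "nids": "N", "web": "W"}
EVENT_CLASS = {"conn": "c", "auth": "a", "exec": "x", "scan": "s", "dns": "d"}
DIRECTION = {"in": "i", "out": "o", "local": "l"}
SEVERITY = {"low": "1", "med": "2", "high": "3"}
ALPHABETS = [SENSOR, EVENT_CLASS, DIRECTION, SEVERITY]


def encode(sensor, event_class, direction, severity):
    return SENSOR[sensor] + EVENT_CLASS[event_class] + DIRECTION[direction] + SEVERITY[severity]


def r_contiguous_match(detector, event, r):
    """r-contiguous rule: match if at least r consecutive positions carry equal symbols."""
    run = 0
    for a, b in zip(detector, event):
        run = run + 1 if a == b else 0
        if run >= r:
            return True
    return False


def generate_detectors(self_set, r):
    """Negative selection: discard every candidate that matches a 'self' (clean-run) event.
    The candidate space here (180 strings) is small enough to enumerate exhaustively; real
    AIS implementations draw random candidates and accept gaps in detector coverage."""
    candidates = ("".join(symbols) for symbols in product(*(a.values() for a in ALPHABETS)))
    return [c for c in candidates if not any(r_contiguous_match(c, s, r) for s in self_set)]


def split_training_set(clean_events, infected_events, r=3):
    """Build the two register collections: 'Positive' events are those from the infected
    run that some detector recognises as non-self; infected-run events that look like normal
    background activity are pruned and join the clean-run events as 'Negative' registers."""
    detectors = generate_detectors(clean_events, r)
    positive, pruned = [], []
    for e in infected_events:
        if any(r_contiguous_match(d, e, r) for d in detectors):
            positive.append(e)
        else:
            pruned.append(e)
    negative = list(clean_events) + pruned
    return positive, negative


# Constructed sample events. CLEAN_RUN: what the SIEM instance reported from an uninfected
# virtual network. INFECTED_RUN: the same network after executing the captured sample.
CLEAN_RUN = [encode(*f) for f in [
    ("fw", "conn", "in", "low"), ("fw", "conn", "out", "low"), ("web", "conn", "in", "low"),
    ("hids", "auth", "local", "low"), ("nids", "dns", "out", "low"), ("hids", "auth", "local", "med"),
]]
INFECTED_RUN = [encode(*f) for f in [
    ("fw", "conn", "in", "low"),        # background noise also seen in the clean run
    ("hids", "exec", "local", "high"),  # new process execution on the host
    ("nids", "scan", "out", "high"),    # outbound scanning
    ("fw", "conn", "out", "high"),      # high-severity outbound connection
    ("hids", "auth", "local", "low"),   # background noise
    ("web", "dns", "out", "med"),       # DNS from the web server, never seen when clean
]]

if __name__ == "__main__":
    positive, negative = split_training_set(CLEAN_RUN, INFECTED_RUN)
    print("Positive:", positive)
    print("Negative:", negative)
```

By construction no detector matches a clean-run event, so infected-run events identical to normal background activity ("Fci1", "Hal1") fall out of the Positive set and become Negative registers, while events that differ from anything seen when clean ("Hxl3", "Nso3", "Fco3", "Wdo2") remain Positive. The exhaustive candidate enumeration is only viable because the alphabet is tiny; with realistic feature spaces the detector set is sampled and its coverage holes are a known limitation of negative selection.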

Abstract

In the method of the invention said detection of malicious software, or malware, is performed at least by applying security event correlation rules to a network. It is characterised in that it comprises: - capturing malware by means of a honeynet collector; - deploying a virtual network dedicated for each captured malware; - inferring correlation information from captured malware and events collected from execution of said captured malware in each virtual network; and - generating event correlation rules from said inferred correlation information by means of artificial intelligence techniques. The system is arranged to implement the method of the invention.

Description

A method and a system to detect malicious software
Field of the art
The present invention generally relates, in a first aspect, to a method to detect malicious software, said detection of malicious software, or malware, performed at least by applying security event correlation rules to a network and more particularly to a method that comprises capturing malware by means of a honeynet collector, deploying a virtual network dedicated for each captured malware, inferring correlation information from captured malware and events collected from execution of said captured malware in each virtual network and generating event correlation rules from said inferred correlation information by means of artificial intelligence techniques.
A second aspect of the invention relates to a system arranged to implement the method of the first aspect.
Prior State of the Art
Security event correlation has emerged as a powerful intrusion detection tool to improve the understanding of the behavior of complex attacks and thus achieve the fastest reaction. Traditional intrusion detection systems (IDS), such as Snort, have been proven to suffer from overwhelming management: even if recent Snort multi-thread architectures are highly optimized for today's multi-core platforms, many efforts are still needed to break the bottlenecks caused by the performance requirements of current IDSs' packet arrival rate [1]. Additionally, distributed (multi-step) attacks not only trail evidence in centralized systems (such as the aforementioned network IDS), but in many other sources (known as sensors) as well, e.g.: host IDSs, web servers, firewalls, and DNS logs, to name a few. For instance, correlation techniques have been successfully used to detect botnet dialogs [2] [3] [4].
Security Information and Event Management (SIEM) systems then appear to facilitate the analysis of security events by means of detection, storage, processing, and correlation. SIEM systems are designed to centralize all the security information generated by the sensors deployed on any networking environment. Such a centralization assists in (a) normalizing the collected alerts in a common format, (b) providing a rapid access to centralized log data, (c) performing an efficient analysis of scattered alerts, and also (d) generating correlation alarms whenever it detects several events potentially related to a certain suspicious activity. On the other hand, different Artificial Intelligence (AI) techniques have been applied to optimize intrusion detection, especially aimed at dealing with the aforementioned disadvantages [5]. In particular, various AI-based processing techniques are used for IDS security data, like Expert Systems [6], Data Mining [7], Statistical Analysis [8], Neural Networks [9], Machine Learning [10] [11], and Artificial Immune Systems [12].
However, there are only a few proposals towards the use of successful AI techniques to optimize security event correlation [13]. The vast majority of the presented works encounter the same fundamental problem when studying the event-related attributes and their associations in multi-step attack scenarios, i.e. pre-classification of the knowledge before applying AI. Furthermore, several decisions are crucial when introducing AI into SIEM systems, i.e. either to deploy a supervised controlled environment to train previously selected attacks or to directly learn from the real network activity. In this context, honeypots are widely known systems used to trap drive-by download malware by exposing an unprotected vulnerable resource. Apart from this, honeypots are constantly monitored in order to study malware's behaviour. Honeypots are usually located in the perimeter of an organization, usually called the DMZ. Some works have used Web crawlers to stimulate honeypot activities [47]. Two or more honeypots form a honeynet, and when analysis tools are used within the honeynet, it is called a honeyfarm. Recently, a new concept, namely "network telescope", has appeared to further scrutinize large-scale attacks by studying multi-step events occurring on the Internet. For instance, many works presented so far elaborate on automatic malware analysis at the host end [14] [15] [16] [17]. For example, Kapoor et al. [18] present several methods and systems, including honeypots, for unifying threat management, whilst providing flow processing facilities towards pattern recognition. Furthermore, Neysstadt et al. [19] propose a reputation system for assisting unified threat management systems in the detection of intrusions. In some embodiments, honeypots are used to feed that reputation system. By contrast, instead of applying pattern recognition, Feeney et al. [20] utilize factorial hidden Markov models to automatically infer the hierarchical structure of malware's file-type within a probabilistic model.
Finally, the main advantages of virtual machines (VM), e.g. the recreation of multiple platforms which coexist on the same computer, allow us to build an inexpensive computer network environment rather than deploying physical computers and networks. In this regard, Jiang and Wang's work [21] elaborates on monitoring honeypots using virtualization. In addition, Syversen [22] presents a virtual network honeynet approach to clone a certain enterprise network configuration and, in turn, serve as an early detection system. Finally, recent VM monitors include hardware extensions to ensure resilience against anti-VM detection techniques [23], thus increasing the robustness of other, simpler network simulators such as Honeyd [24].
Problems with existing solutions
Many research works have addressed the challenge of providing efficient solutions to the security information detection, storage and processing over the last decade. The earliest efforts concentrated on the critical management of heterogeneous (in data and location) alerts in bulk. In this regard, data aggregation schemes [25] [26] [27] were conceived as a palliative for that challenge by reducing the amount of stored events and normalizing audit and log records [28] [29] [30]. As a result, several SIEM software products have been recently developed, most in the way of layered security frameworks, whilst providing essential intelligence.
Despite such centralization and data aggregation, the immense amount of reported security events is still the main challenge to meet [31], and the administrators' role is still overburdened [32] [33] [34] [35]. Moreover, the vast majority of the proposed frameworks [13] [20] [36] are inefficient when dealing with complex multi-step distributed attacks [37]. For instance, depending on where the detection engine is placed, it will capture some types of behaviours but skip others, e.g. information logged in other devices such as firewalls, routers, web servers, or system logs. The authors in [37] focus on identifying complex, multi-step attacks by grouping the reported alerts by IP address and/or destination port within a certain time window. However, these approaches remain incomplete since they do not ensure that the filtered events will determine a unique multi-step attack. On the other hand, Zhuge et al. [38] successfully extend a honeynet-based approach to extract high-level correlation information from attack scenarios, with the attack behaviour acquisition still supervised by human experts ("Knowledge acquisition is a heavy but necessary task for constructing a practical knowledge base, and it is so complicated that currently we cannot expect the computer to do such job without human supervision" [38]).
Other proposals presented so far focus on collecting as much malicious software as possible in order to study its general behaviour. However, a different strategy should be launched when identifying isolated behaviour, usually tackled by experts as stated before. For instance, Sudaharan et al. [39] introduce a honeynet farm-based approach to automatically combat the attacks learned through a honeynet. Appropriate filters are needed here to determine which actions or data on the honeynet are deemed an attack. Other works [1] apply clustering to filter out related alarms by means of data mining techniques. A major problem underlying these approaches is that malware behavior sometimes evolves unpredictably in order to evade detection, as new-generation botnets do to obfuscate network control messages [40]. Thus, traditional honeypot-based tracking approaches [41] lack scalability due to such malware evolution.
On the other hand, like the classical problems encountered in data mining, the intelligent extraction of correlation rules still deals with runtime overheads in terms of computational power and memory consumption, especially those imposed by the application of AI techniques. Indeed, a number of AI techniques have been applied to cyber-attack detection [5], [42], [43], mainly motivated by the continuous evolution of attacks, which makes previous solutions invalid for novel, evolved attacks.
Finally, the global aim of an event correlation engine is to find connections among alerts which potentially belong to a certain distributed (or multi-step) attack. By definition, correlations are useful because they can indicate a predictive relationship to be exploited. In this context, event correlation has been extensively addressed on different security-related areas such as network fault diagnostic [44], sensor networks [45] and attack detection [46], but applying multiple strategies. Recently, most academics agree that correlation is much more effective when considering a centralized strategy [32]. However, apart from these very few proposals, the application of intelligent self-learning techniques to the generation of event correlation rules is considered a major challenge.
Description of the Invention
It is necessary to offer an alternative to the state of the art which covers the gaps found therein, particularly the lack of proposals that really eliminate the supervision of the security expert in the identification of malware behaviour and in the generation of the specific correlation rule which matches that behaviour.
To that end, the present invention provides in a first aspect a method to detect malicious software, said detection of malicious software, or malware, performed at least by applying security event correlation rules to a network.
In contrast to the known proposals, the method of the invention characteristically comprises: - capturing malware by means of a honeynet collector;
- deploying a virtual network dedicated for each captured malware including a number of virtual devices named VM;
- inferring correlation information from captured malware and events collected from execution of said captured malware at both network and host level in each virtual network; and
- generating event correlation rules from said inferred correlation information by means of artificial intelligence techniques.
Other embodiments of the method of the first aspect of the invention are described according to appended claims 2 to 16 and in a subsequent section related to the detailed description of several embodiments.
A second aspect of the present invention concerns a system to detect malicious software, said detection of malicious software, or malware, performed at least by applying security event correlation rules to a network.
In contrast to the known systems mentioned in the prior state of the art section, the system of the second aspect of the invention characteristically comprises the following elements:
- a honeynet collector in charge of capturing malware, said honeynet collector including at least one honeypot;
- a virtual machine pool in charge of at least building virtual networks wherein each of said virtual networks is dedicated for each captured malware including a number of virtual devices named VM;
- an analyser module in charge of inferring correlation information from captured malware and events collected from execution of said captured malware at both network and host level in each of said virtual networks;
- a learning module in charge of generating event correlation rules from said inferred correlation information by means of artificial intelligence techniques; and
- a central module connected to said honeynet collector, said virtual machine pool, said analyser module and said learning module in charge of coordinating performance between said elements of the system.
Other embodiments of the system of the second aspect of the invention are described according to appended claim 18 and in a subsequent section related to the detailed description of several embodiments.
Brief Description of the Drawings
The previous and other advantages and features will be more fully understood from the following detailed description of embodiments, with reference to the attached drawings, which must be considered in an illustrative and non-limiting manner, in which:
Figure 1 shows a general scheme and the context of the method and system of the invention proposed in this document.
Figure 2 shows the main building modules of the system of the second aspect of the invention, according to a possible embodiment.
Figure 3 shows the algorithm followed when capturing malware in the honeynet collector, according to an embodiment of the present invention.
Figure 4 shows a signature-based antivirus scan used to extract the payload information from malware captured in the honeynet collector, according to an embodiment of the present invention.
Figure 5 shows the algorithm followed by the Virtualized Malware Pool used to evaluate the impact of encountered attacks of captured malware, according to an embodiment of the present invention.
Figure 6 shows the flow diagram used to analyse the events reported by the SIEM deployed in each virtual network, according to an embodiment of the present invention.
Figure 7 shows the flow diagram of the generation of the event correlation rules, according to an embodiment of the present invention.
Figure 8 shows a detailed scheme of the system of the second aspect of the invention and the algorithms that apply to each of the elements of said system, according to an embodiment of the present invention.
Detailed Description of Several Embodiments
The present invention focuses on providing an automatic security event correlation subsystem which eliminates human intervention in both the detection of attacks and the generation of event correlation rules. Its principal objectives range from reducing the large number of reported alerts and identifying multi-step attack scenarios to identifying new attack signatures.
First, the subject subsystem provides a network telescope to observe malware activity. The telescope is fed with malware captured by a honeynet, and for each captured malware sample its own virtual network is created, isolated from the others.
The correlation engine infers extra information from the collected alerts by finding connections between them. In general, correlation alerts are triggered on the basis of pre-established directives, i.e. a set of rules, and such directives are of little use without proper configuration; in practice their creation is carried out by the system administrator acting as an expert. The subject subsystem instead extracts correlation information from the events collected in each virtual network and automatically generates event correlation rules from the information inferred in each telescope.
An additional module is also provided for instantiating and managing each telescope by means of network virtualization. In this way, the subsystem is capable of analysing malware executables and their behaviour based on the events generated.
In yet a further embodiment of the invention, a subsystem for monitoring each network telescope by means of a SIEM system is present. The present invention thus integrates semi-supervised security event detection and correlation as a whole within a SIEM framework by using artificial intelligence techniques.
For the sake of illustration, Figure 1 depicts the context of the proposal. The present invention is physically located in two main network segments. On the one hand, the capture (by a honeynet) of incoming malware takes place in the demilitarized zone (DMZ), which is publicly exposed. On the other hand, malware analysis and the generation of correlation rules are placed in a separate subnetwork, isolated from the highly protected intranet.
The purpose of the intelligent honeynet-based event correlation subsystem, shown in Figure 2, is first to automatically trap and collect malware, and then to create an isolated computer network environment for it. The key idea is to learn as much as possible about the behaviour of the collected malware, which then serves to automatically generate event correlation rules for a SIEM.
As shown in Figure 2, the honeynet-based correlation subsystem manages four main building blocks: a honeynet-based malware collector (HMC) which gathers the malicious software encountered; an analyser of malware and security events which helps to infer correlation information; a virtual machine-based pool (VMP) for evaluating the impact of encountered attacks; and, finally, the correlation rule generation (CRG) which is in charge of automatically creating event correlation rules by means of supervised artificial intelligence techniques. First, the HMC consists of a collection of honeypots aimed at capturing incoming malicious software. The malware collected is not analysed at this stage but stored in a database in order to be executed afterwards, as depicted in Figure 3. Honeypots are designed to expose vulnerable systems in an unprotected subnetwork in order to capture drive-by download malware: when the attacker exploits a vulnerability (known or unknown), the system traps the downloaded executable. In a possible embodiment, web crawlers may be used to stimulate the honeynet's activity. If the hash of the captured malware matches one previously stored, the executable is discarded.
Secondly, a vulnerability and signature scan is launched by means of the malware Analyser module, which extracts information, as shown in Figure 4, using malware detection methods [32], as follows. Typically, traditional anti-virus (AV) systems operate using signature-based detection of payloads for known patterns of maliciousness; continuously updating AV signatures from different live services reduces the cost and effort of labelling well-known malware. In a possible embodiment, extra information to eliminate potential duplication of malware may be obtained from standardized repositories as defined in MAEC (Malware Attribute Enumeration and Characterization) [33]. In another embodiment, the malware Analyser is also capable of producing the following information for a given malware specification: name, common vulnerabilities exploited, and the operating system and services affected. In yet another embodiment, static [34] and dynamic [35] techniques for the analysis of malicious code can be deployed in this module.
The third stage takes place within the VMP, a separate subsystem that instantiates a network configuration using virtual machines in order to test the encountered attacks, as depicted in Figure 5. The more information about the affected vulnerabilities the malware Analyser provides in the previous phase, the more information the VMP has for deploying the most appropriate virtual network configuration. Conversely, when the Analyser returns no information, a zero-day malware sample has been discovered and a default configuration for the virtual network is applied. In any case, the virtual machines host the malicious software together with a SIEM instance responsible for collecting the events generated by the malware's activity in the virtual network. The SIEM instance may be configured by default, or may incorporate additional security information from previous executions of the entire subsystem. This virtual telescope therefore also hosts different software products on different operating systems. Each system in the network deploys a sensor plugged into the SIEM in order to accumulate the critical events occurring on that system; the hosted malware then produces a different pattern and sequence of events than uninfected systems do. Typical security products such as firewalls, IDS, etc. report valuable events for further correlation and are therefore also included in the deployed virtual network.
This invention presents a two-stage learning process based on a simple classification: (i) positive events and (ii) negative events. In this stage, events are labelled 'Positive' when they are reported by the sensors to the SIEM.
The events reported by the SIEM are then analysed once again by the Analyser module, as depicted in Figure 6. This additional analysis is essential to automatically generate a training set, which gathers in an organised way all the event features extracted from the VMP test. The training set consists of the events labelled 'Positive' extracted from the VMP stage, as mentioned before, together with events labelled 'Negative' inferred from, for example, an Artificial Immune System (AIS). For instance, the well-known AIS technique of negative selection [48] [49] completes the classification with the discriminatory events: with this technique, deleterious events (those that do not discriminate the malware's activity) are removed from the Positive set, leading to better convergence of the learning process. The output of this analysis is therefore two collections of events, i.e. positive registers and negative registers. Additionally, if the analysed malware is part of the aforementioned zero-day attack, the missing MAEC information is extracted at this point in order to alleviate the impact of zero-day attacks. For instance, if events were reported only from Windows XP SP3 instances, but not from SP1 and SP2, the malware's attributes are characterised according to this attack scenario. The training set allows any supervised artificial intelligence technique to be applied, and also serves as a guide to the evaluation of rules without human supervision.
Finally, the CRG creates event correlation rules by evaluating the training set together with the statistical information produced by a data mining process over the positive events, as follows. Data mining yields useful statistics, such as the inter-arrival time between events that share one of their features, e.g. IP address or port; these statistics assist the next phase, the intelligent rule generation, in classifying the related events into a specific type of attack. This module produces generic correlation rules for the specific malware by applying any AI-based technique. As depicted in Figure 7, the CRG then evaluates the automatically generated correlation rules against the two aforementioned collections of 'Positive' and 'Negative' registers, aiming to maximise positives whilst minimising negatives, and returns the best correlation rule generated from the knowledge captured about the malware's behaviour. Moreover, in one embodiment CAPEC (Common Attack Pattern Enumeration and Classification) [36] or AKDL (Attack Knowledge Description Language) [38] may be used as an intermediate representation before translating the correlation rules to a specific SIEM syntax.
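The event analysis and rule generation of the two preceding paragraphs, illustrated as an added Python example that is not code from the patent, from OSSIM or from any product named on this page. The sensor names, signature identifiers, addresses and timings are constructed; the search is a simplified elitist evolutionary loop standing in for the genetic programming embodiment of the CRG (and for [57]); and the rule shape (a field predicate, an occurrence count and a time window, grouped by source address) and the fitness weighting are assumptions of the example, not the patent's.

```python
# Added example (not the patent's code); all events below are constructed.
import random
from collections import defaultdict
from itertools import combinations

FIELDS = ("t", "plugin", "sid", "src", "dst", "dport")  # t = seconds since launch
KEYS = FIELDS[1:]                                        # fields a rule may test
def ev(*values):
    return dict(zip(FIELDS, values))
INFECTED = [  # SIEM events collected while the sample runs (Positive stream)
    ev(0.0, "snort", "1:2003", "10.0.0.5", "10.0.0.9", 445),
    ev(0.4, "snort", "1:2003", "10.0.0.5", "10.0.0.10", 445),
    ev(0.9, "snort", "1:2003", "10.0.0.5", "10.0.0.11", 445),
    ev(1.2, "ossec", "5501", "10.0.0.5", "10.0.0.5", 0),  # noise: also seen uninfected
    ev(2.1, "snort", "1:2003", "10.0.0.5", "10.0.0.12", 445),
    ev(3.0, "iptables", "1", "10.0.0.5", "198.51.100.7", 6667),
    ev(7.5, "iptables", "1", "10.0.0.5", "198.51.100.7", 6667),
    ev(12.0, "iptables", "1", "10.0.0.5", "198.51.100.7", 6667),
]
CLEAN = [  # the same virtual network left uninfected ('self')
    ev(0.5, "ossec", "5501", "10.0.0.5", "10.0.0.5", 0),
    ev(4.0, "iptables", "1", "10.0.0.5", "10.0.0.2", 53),
    ev(4.3, "iptables", "1", "10.0.0.5", "10.0.0.2", 53),
    ev(4.6, "iptables", "1", "10.0.0.5", "10.0.0.2", 53),
    ev(5.1, "iptables", "1", "10.0.0.5", "10.0.0.2", 53),
]
def matches(pattern, e):  # pattern maps field -> value; omitted fields are wildcards
    return all(e[f] == v for f, v in pattern.items())

def negative_selection(positive, self_set, max_fields=2):
    # Detectors generalise Positive events; any that also matches 'self' is discarded.
    detectors = []
    for e in positive:
        for k in range(1, max_fields + 1):
            for fs in combinations(KEYS, k):
                d = {f: e[f] for f in fs}
                if d not in detectors and not any(matches(d, s) for s in self_set):
                    detectors.append(d)
    return detectors

def build_training_set(infected, clean):
    # Positive registers: events a surviving detector explains; Negative registers:
    # the baseline plus the infected-run events no detector explains (removed noise).
    detectors = negative_selection(infected, clean)
    pos = [e for e in infected if any(matches(d, e) for d in detectors)]
    return pos, clean + [e for e in infected if e not in pos]

def mean_inter_arrival(events, key="src"):
    # Data-mining statistic: mean gap between consecutive events sharing `key`.
    times = defaultdict(list)
    for e in sorted(events, key=lambda x: x["t"]):
        times[e[key]].append(e["t"])
    return {k: (ts[-1] - ts[0]) / (len(ts) - 1) for k, ts in times.items() if len(ts) > 1}

def covered(rule, events):
    # Indices of events that take part in a firing: `count` events matching
    # rule["where"] with the same rule["group"] value inside rule["window"] seconds.
    groups = defaultdict(list)
    for i, e in enumerate(events):
        if matches(rule["where"], e):
            groups[e[rule["group"]]].append((e["t"], i))
    hit, n, w = set(), rule["count"], rule["window"]
    for seq in groups.values():
        seq.sort()
        for a in range(len(seq) - n + 1):
            if seq[a + n - 1][0] - seq[a][0] <= w:
                hit.update(i for _, i in seq[a:a + n])
    return hit

def fitness(rule, pos, neg):  # reward Positives, penalise Negatives harder, keep rules short
    return len(covered(rule, pos)) - 2 * len(covered(rule, neg)) - 0.1 * len(rule["where"])

def evolve(pos, neg, windows, generations=80, size=40, seed=7):
    # Simplified elitist evolutionary search standing in for the GP of the CRG.
    rng = random.Random(seed)
    def random_rule():
        e, fs = rng.choice(pos), rng.sample(KEYS, rng.randint(0, 2))
        return {"where": {f: e[f] for f in fs}, "group": "src",
                "count": rng.randint(1, 4), "window": rng.choice(windows)}
    def mutate(r):
        r, op = {**r, "where": dict(r["where"])}, rng.randrange(3)
        if op == 0:                   # specialise with a value from a Positive event
            f = rng.choice(KEYS)
            r["where"][f] = rng.choice(pos)[f]
        elif op == 1 and r["where"]:  # generalise: drop one predicate
            del r["where"][rng.choice(sorted(r["where"]))]
        else:                         # retune occurrence count and time window
            r["count"] = max(1, r["count"] + rng.choice((-1, 1)))
            r["window"] = rng.choice(windows)
        return r
    pop = [random_rule() for _ in range(size)]
    for _ in range(generations):
        pop.sort(key=lambda r: fitness(r, pos, neg), reverse=True)
        elite = pop[: size // 4]
        pop = elite + [mutate(rng.choice(elite)) for _ in range(size - len(elite))]
    return max(pop, key=lambda r: fitness(r, pos, neg))

def run():
    pos, neg = build_training_set(INFECTED, CLEAN)
    windows = [round(max(mean_inter_arrival(pos).values()) * k, 1) for k in (0.5, 1, 2, 4)]
    return pos, neg, evolve(pos, neg, windows)

if __name__ == "__main__":
    pos, neg, best = run()
    print(len(pos), "Positive /", len(neg), "Negative registers; best rule:", best)
```

Running it builds seven Positive and six Negative registers (the OSSEC session event from the infected run is dropped because an identical event occurs on the uninfected network), derives candidate time windows from the mean inter-arrival time of the Positive stream, and returns a rule that covers the four Snort alerts and none of the Negative registers; several single-predicate rules tie on this toy data, so which one wins depends on the seed. Any rule that fires on the uninfected baseline is penalised twice as hard as it is rewarded, which is what keeps a generic "burst from one source" rule from winning here.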
The produced rules are then exported to the correlation engine of the organization's SIEM in production, and are also fed back to the SIEM correlation engine deployed over the VMP.
Embodiments of this invention comprise a framework as a whole that automates event correlation, eliminating human intervention during that process. In a preferred embodiment, the proposed framework is suitable for integration into an open source SIEM such as OSSIM [50], which can be used not only to unify the management of the security framework but also to monitor the sensors' activities.
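As an added example of the export step (not code from the patent or from OSSIM), the following renders a learned rule, represented as a field predicate, an occurrence count and a time window grouped by source address, as an OSSIM-style correlation directive. The directive and rule elements and their attributes (plugin_id, plugin_sid, occurrence, time_out, and from/to references such as 1:SRC_IP) are written as the author recalls the OSSIM directive XML and should be checked against the installed version; the plugin_id mapping and the sample rule are placeholders.

```python
# Added example (not the patent's or OSSIM's code). Element and attribute names
# follow the OSSIM directive XML as recalled by the author (an assumption);
# the plugin_id mapping and LEARNED_RULE are constructed placeholders.
import xml.etree.ElementTree as ET

PLUGIN_IDS = {"snort": "1001", "ossec": "7001"}      # assumed plugin name -> plugin_id
GROUP_REFS = {"src": "1:SRC_IP", "dst": "1:DST_IP"}  # "same value as in rule 1"

# Constructed rule in the learner's representation: where = field predicate,
# count = required occurrences, window = seconds, group = key events must share.
LEARNED_RULE = {"where": {"plugin": "snort", "sid": "1:2003", "dport": 445},
                "group": "src", "count": 3, "window": 4.0}

def to_ossim_directive(rule, directive_id, name, priority=3):
    where = rule["where"]
    common = {"type": "detector",
              "plugin_id": PLUGIN_IDS.get(where.get("plugin"), "ANY"),
              "plugin_sid": str(where.get("sid", "ANY")).split(":")[-1],
              "port": str(where.get("dport", "ANY"))}           # port = destination port
    directive = ET.Element("directive", {"id": str(directive_id), "name": name,
                                         "priority": str(priority)})
    first = ET.SubElement(directive, "rule", {**common, "name": name + ": first event",
                          "reliability": "2", "occurrence": "1", "from": "ANY", "to": "ANY"})
    if rule["count"] > 1:
        # Remaining occurrences must come from the same source within the window.
        ET.SubElement(ET.SubElement(first, "rules"), "rule",
                      {**common, "name": name + ": repeat", "reliability": "+3",
                       "occurrence": str(rule["count"] - 1),
                       "from": GROUP_REFS[rule["group"]], "to": "ANY",
                       "time_out": str(int(rule["window"]))})
    return ET.tostring(directive, encoding="unicode")

def parse_directive(xml_text):
    # Round-trip check: directive id and the occurrence attribute of each rule level.
    root = ET.fromstring(xml_text)
    return root.get("id"), [r.get("occurrence") for r in root.iter("rule")]

if __name__ == "__main__":
    print(to_ossim_directive(LEARNED_RULE, 500001, "Learned: SMB scan burst"))
```

The first rule level matches a single event anywhere; the nested level requires the remaining occurrences from the same source address (the 1:SRC_IP back-reference) within the learned window, which is how a count-and-window rule maps onto a nested directive. A rule with count 1 yields a single-level directive.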
In a possible embodiment, and regarding the HMC module, honeynets are used in the DMZ subnetwork to capture drive-by download malware. In another embodiment, crawlers may be used to stimulate the honeynet's activity.
In another possible embodiment, and regarding the malware Analyser, collaborative efforts (mostly in the form of online scanning services such as Anubis [51], CWSandbox [52], VirusTotal [53] and Norman Sandbox [54], to name a few) may be used to obtain information about well-known malware.
In a particular embodiment, the proposed invention can apply the Xen Hypervisor [55], i.e. a virtual machine monitor which supports the virtualization process run in the VMP subsystem. The use of hardware virtualization extensions is desirable so that the vulnerable configurations received from each network telescope can be reproduced faithfully, and not only in software. In another embodiment, system-call tracing tools and other generic malware analysis toolkits such as VMScope [21], TTAnalyze [56] or Ether [23] may also be used to efficiently extract malware information within the sandbox.
Embodiments of the Event Analyser subsystem range from adopting Clustering methods to Association Rule Learning, amongst others [7].
In an advantageous embodiment, the CRG subsystem may apply evolutionary computation (EC) techniques, e.g. genetic programming (GP), to learn event correlation rules automatically. This process is guided by the previously generated training set, which contains the classification of events provided by the VMP subsystem. More specifically, GP efficiently reaches the target attack's correlation rule as the individual with the best fitness (for more details on this genetic strategy, refer to [57]). In this regard, an AIS is another candidate algorithm to be used in a further embodiment.
The disclosed embodiments are illustrative and not restrictive.
Advantages of the invention
The main goal of this invention is to completely eliminate the need for supervision by a security expert, especially in two main tasks, namely the identification of malware behaviour and the generation of the specific correlation rule which matches that behaviour. Current SIEMs in production still depend on such supervision.
Another important advantage concerns scalability. The present invention generates correlation rules which can be easily integrated into different SIEM products or different network infrastructures. A major goal here is to avoid deploying any additional framework in situ.
Furthermore, the learning process is guaranteed in real time assuming unlimited resources. In practice, experiments show that it is feasible to launch several deployments running up to 50 virtual machines over two nodes with four hex-core processors each. In addition, it has been shown that current SIEM systems such as OSSIM can dynamically and efficiently incorporate the extracted event correlation rules. Regarding optimization, the effort in terms of time and resources is thereby reduced.
As a consequence of the two previous advantages, the long-term costs of the automated invention are potentially lower than the costs, e.g. salaries and training, derived from employing experts in these complex correlation tasks. Nevertheless, the trade-off between human and hardware costs should be evaluated.
Additionally, the introduction of SIEM systems as an essential requirement of the subsystem provides a holistic view of malware analysis, since it keeps pace both with the constant evolution and revision of sensing technology and with the growing complexity of novel multi-step attacks.
A key advantage derived from the VMP subsystem is that the suspicious activities produced by a specific malware sample are isolated from those produced by any other, thus eliminating noise at an early stage. Moreover, the signatures of both well-known and unknown malware are detected.
Finally, mutation and/or evolution of the behaviour of existing malware is also identified. In this regard, the feedback and collaboration between the SIEM systems in production and the virtual instantiations on sandboxes speed up the recognition of related malware from a previously categorized sample.
A person skilled in the art could introduce changes and modifications in the embodiments described without departing from the scope of the invention as it is defined in the attached claims.
ACRONYMS
AI Artificial Intelligence
AIS Artificial Immune System
AKDL Attack Knowledge Description Language
CAPEC Common Attack Pattern Enumeration and Classification
CRG Correlation Rule Generation
CVE Common Vulnerabilities and Exposures
DMZ Demilitarized Zone
DNS Domain Name System
EC Evolutionary Computation
GP Genetic Programming
HMC Honeynet-based Malware Collector
IDMEF Intrusion Detection Message Exchange Format
IDS Intrusion Detection System
IP Internet Protocol
MAEC Malware Attribute Enumeration and Characterization
OSSIM Open Source Security Information Management
SIEM Security Information and Event Management
SPx Service Pack one, two or three
US United States
VM Virtual Machine
VMP Virtualized Malware Pool
WO World Intellectual Property Organization
REFERENCES
[1] A data mining approach for analysis of worm activity through automatic signature generation. Zurutuza, Urko; Uribeetxeberria, Roberto; Zamboni, Diego. Alexandria : ACM New York, 2008. 1st ACM Workshop on AISec. 978-1-60558-291-7.
[2] Bothunter: Detecting malware infection through IDS-driven dialog correlation. Gu, Guofei, et al. Boston : USENIX Association, 2007. 16th USENIX Security Symposium. Vol. 12, pp. 1-16. 111-333-5555-77-9.
[3] BotSniffer: Detecting botnet command and control channels in network traffic. Gu, G.; Zhang, J.; Lee, W. San Diego, CA, February 2008. Proceedings of the 15th Annual Network and Distributed System Security Symposium.
[4] On the detection and identification of botnets. Seewald, A.K.; Gansterer, W.N. 1, s.l. : Elsevier, 2010, Computers & Security, Vol. 29, pp. 45-58. 0167-4048.
[5] The use of computational intelligence in intrusion detection systems: A review. Wu, Shelly Xiaonan; Banzhaf, Wolfgang. 1, 2010, Applied Soft Computing, Vol. 10, pp. 1-35.
[6] Lunt, T., et al. A real-time intrusion-detection expert system (IDES). SRI International. 1992.
[7] Brugger, S.T. Data mining methods for network intrusion detection. University of California, Davis, s.l. : Technical Report, 2004.
[8] Detecting network intrusions via a statistical analysis of. Bykova, M.; Ostermann, S.; Tjaden, B. Athens, OH, USA : s.n., 2001. Proceedings of the 33rd Southeastern Symposium on System, pp. 309-314.
[9] Network intrusion detection using an improved competitive learning neural network. Ripley, B.D. 3, s.l. : JSTOR, 1994, Journal of the Royal Statistical Society, Vol. 56, pp. 409-456.
[10] An application of machine learning to network intrusion detection. Sinclair, C.; Pierce, L.; Matzner, S. s.l. : IEEE, 1999. Proceedings of the 15th Annual Computer Security Applications Conference, pp. 371-377.
[11] A safe mobile agent system for distributed intrusion detection. Zhong, S.C., et al. 2003. International Conference on Machine Learning and Cybernetics. Vol. 4, pp. 2009-2014.
[12] Towards an artificial immune system for network intrusion. Kim, Jungwon; Bentley, P.J. 2001. Proceedings of the 2001 Congress on Evolutionary Computation. Vol. 2, pp. 244-252.
[13] A survey of coordinated attacks and collaborative intrusion detection. Zhou, Chenfeng Vincent; Leckie, Christopher; Karunasekera, Shanika. 1, s.l. : Elsevier, 2010, Computers & Security, Vol. 29, pp. 124-140.
[14] A honeypot architecture for detecting and analyzing unknown network attacks. Diebold, P.; Hess, A.; Schafer, G. s.l. : Springer, 2005. Kommunikation in Verteilten Systemen, pp. 245-255.
[15] Effective and efficient malware detection at the end host. Kolbitsch, C., et al. Montreal : USENIX Association, 2009. 18th USENIX Security Symposium, pp. 351-366. 978-1-931971-69-0.
[16] Toward Automated Dynamic Malware Analysis Using CWSandbox. Willems, Carsten; Holz, Thorsten; Freiling, Felix. 2, s.l. : IEEE, 2007, Security and Privacy Magazine, Vol. 5.
[17] Automated Classification and Analysis of Internet Malware. Bailey, Michael, et al. Gold Coast, Australia : Springer Berlin/Heidelberg, 2007. 10th International Conference on Recent Advances in Intrusion Detection, pp. 178-197. 3-540-74319-7.
[18] Kapoor, Harsh, et al. Systems and Methods for Processing Data Flows. WO 2007/070838, International, 21 June 2007. System and Method.
[19] Neystadt, John; Hudis, Efim. Detection of Adversaries Through Collection and Correlation of Assessments. WO 2008/127843, International, 23 October 2008.
[20] Feeney, Bryan; Poulson, Steven; Edwards, John. Malware Detection. WO 2010/067070, International, 17 June 2010.
[21] Out-of-the-box monitoring of VM-based high-interaction honeypots. Jiang, X.; Wang, X. Gold Coast, Australia : Springer-Verlag, 2007. Proceedings of the 10th International Conference on Recent Advances in Intrusion Detection, pp. 198-218.
[22] Syversen, Jason M. Method and Apparatus for Defending against Zero-day Worm-based Attack. US 0098476, 24 April 2008. Method; Apparatus.
[23] Ether: Malware analysis via hardware virtualization extensions. Dinaburg, A.; Royal, P.; Sharif, M.; Lee, W. s.l. : ACM, 2008. Proceedings of the 15th ACM Conference on Computer and Communications Security, pp. 51-62.
[24] A virtual honeypot framework. Provos, Niels. San Diego, CA : USENIX Association, 2004. Proceedings of the 13th USENIX Security Symposium. Vol. 13.
[25] Aggregation and correlation of intrusion-detection alerts. Debar, Hervé; Wespi, Andreas. Davis, CA, USA : Springer, 2001. 4th International Symposium on Recent Advances in Intrusion Detection, pp. 85-103.
[26] An Alert Fusion Framework for Situation Awareness of Coordinated Multistage Attacks. Mathew, Sunu; Shah, Chintan; Upadhyaya, Shambhu. Oahu, Hawaii : IEEE Computer Society, 2005. International Workshop on Innovative Architecture for Future Generation High-Performance Processors and Systems, pp. 95-104.
[27] Towards scalable and robust distributed intrusion alert fusion with good load balancing. Li, Zhichun; Chen, Yan; Beach, Aaron. s.l. : ACM, pp. 122-130. Proceedings of the SIGCOMM Workshop on Large-Scale Attack Defense.
[28] A standard audit trail format. Bishop, Matt. Madrid : DIANE Publishing, 1995. Proceedings of the National Information Systems Security Conference, pp. 136-145.
[29] Debar, H.; Curry, D.; Feinstein, B. IETF RFC 4765: The Intrusion Detection Message Exchange Format. France Telecom, Guardian, Inc., SecureWorks. [The Internet Engineering Task Force], s.l. : RFC Editor, March 2007. www.ietf.org/rfc/rfc4765.txt.
[30] Lonvick, C. IETF RFC 3164: The BSD syslog Protocol. Cisco Systems. [The Internet Society], s.l. : RFC Editor, August 2001. www.ietf.org/rfc/rfc3164.txt.
[31] Event Correlation in Integrated Management: Lessons Learned and Outlook. Martin-Flatin, Jean Philippe; Jakobson, Gabriel; Lewis, Lundy. 4, s.l. : Springer, 2007, Journal of Network and Systems Management, Vol. 15, pp. 481-502.
[32] M2D2: A formal data model for IDS alert correlation. Morin, Benjamin, et al. Zurich, Switzerland : Springer-Verlag, 2002. Proceedings of the 5th International Conference on Recent Advances in Intrusion Detection, pp. 115-137.
[33] Event summarization for system management. Peng, W.; Perng, C.; Li, T.; Wang, H. San Jose, CA, USA : ACM, 2007. Proceedings of the 13th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 1028-1032.
[34] An Online Adaptive Approach to Alert Correlation. Ren, Hanli; Stakhanova, Natalia; Ghorbani, Ali. Bonn, Germany : s.n., 2010, pp. 153-172.
[35] Employing Honeynets For Network Situational Awareness. Barford, P., et al. XII, s.l. : Springer, 2010, Cyber Situational Awareness, Vol. 46, pp. 71-102.
[36] Honeycomb: creating intrusion detection signatures using honeypots. Kreibich, Christian; Crowcroft, Jon. 1, s.l. : ACM, 2004, ACM SIGCOMM Computer Communication Review, Vol. 34, pp. 51-56.
[37] Automatic Multi-step Attack Pattern Discovering. Wang, L.; Ghorbani, A.; Li, Y. 2, 2010, International Journal of Network Security, Vol. 10, pp. 142-152.
[38] Towards High Level Attack Scenario Graph through Honeynet Data Correlation Analysis. Zhuge, Jianwei, et al. s.l. : IEEE, 2006. Information Assurance Workshop, pp. 215-222.
[39] Sudaharan, Sushanthan, et al. Honeynet Farms as an Early Warning System for Production Networks. US 0101516, 11 May 2006. Software.
[40] Active Botnet Probing to Identify Obscure Command and Control Channels. Kolbitsch, Clemens, et al. Montreal : USENIX Association, 2009. 18th USENIX Security Symposium. 978-1-931971-69-0.
[41] A multifaceted approach to understanding the botnet phenomenon. Rajab, Moheeb Abu, et al. Rio de Janeiro : USENIX, 2006. 6th ACM SIGCOMM Conference on Internet Measurement, pp. 41-52. 1595935614.
[42] A Survey of Cyber Attack Detection Systems. Singh, Shailendra; Silakari, Sanjay. 5, 2009, IJCSNS, Vol. 9, pp. 1-10.
[43] Intrusion detection by machine learning: A review. Tsai, Chih-Fong; Hsu, Yu-Feng; Lin, Chia-Ying; Lin, Wei-Yang. 10, s.l. : Elsevier Ltd, 2009, Expert Systems with Applications, Vol. 36, pp. 11994-12000.
[44] Event detection and correlation for network environments. Sifalakis, Manolis; Fry, Michael; Hutchison, David. 1, 2010, IEEE Journal on Selected Areas in Communications, Vol. 28, pp. 60-69.
[45] RESTORE: A real-time event correlation and storage service for sensor networks. Krishnamurthy, Sudha, et al. Chicago, IL, USA : Transducer Research Foundation (TRF), 2006. Proceedings of the 3rd International Conference on Networked Sensing Systems (INSS).
[46] Limmer, Tobias; Dressler, Falko. Survey of Event Correlation Techniques for Attack Detection in Early Warning Systems. Department of Computer Science, University of Erlangen. 2008. p. 37.
[47] All your iframes point to us. Provos, N.; Mavrommatis, P.; Rajab, M.A.; Monrose, F. San Jose, California : s.n., 2008. Proceedings of the 17th USENIX Security Symposium, pp. 1-15.
[48] Self-nonself discrimination in a computer. Forrest, S., et al. Los Alamitos, CA : IEEE Computer Society Press, 1994. Proceedings of the 1994 IEEE Symposium on Research in Security and Privacy, pp. 202-212.
[49] Real-valued negative selection algorithm with variable-sized detectors. Ji, Z.; Dasgupta, D. Seattle, Washington : Springer, 2004. Genetic and Evolutionary Computation Conference, pp. 287-298.
[50] AlienVault. Open Source Security Information Management. http://www.ossim.net.
[51] Anubis. Analyzing unknown binaries. http://anubis.iseclab.org/.
[52] Toward Automated Dynamic Malware Analysis Using CWSandbox. Willems, Carsten; Holz, Thorsten; Freiling, Felix. 2, 2007, IEEE Security and Privacy Magazine, Vol. 5, pp. 32-39.
[53] VirusTotal. Free online virus and malware scan. http://www.virustotal.com.
[54] Norman Proactive IT Security. SandBox Online Analyzer. http://www.norman.com/products/sandbox_online_analyzer/en.
[55] Xen. Xen Hypervisor. http://www.xen.org/products/xenhyp.html.
[56] Dynamic analysis of malicious code. Bayer, Ulrich, et al. 1, s.l. : Springer, 2006, Journal in Computer Virology, Vol. 2, pp. 67-77. 10.1007/s11416-006-0012-2.
[57] Automatic Rule Generation Based on Genetic Programming for Event Correlation. Suárez-Tangil, G., et al. Burgos : Springer, 2009. Computational Intelligence in Security for Information, pp. 127-134. Advances in Soft Computing.

Claims
1. - A method to detect malicious software, said detection of malicious software, or malware, performed at least by applying security event correlation rules to a network, characterised in that it comprises:
- capturing malware by means of a honeynet collector;
- deploying a virtual network dedicated for each captured malware;
- inferring correlation information from captured malware and events collected from execution of said captured malware in each virtual network; and
- generating event correlation rules from said inferred correlation information by means of artificial intelligence techniques.
2. - A method as per claim 1, comprising storing an executable of captured malware in a database or discarding said executable if the hash of said captured malware matches with another previously stored, said executable being used in said each virtual network in order to get information from said captured malware.
3. - A method as per claim 1 or 2, comprising extracting information from said captured malware by using signature based detection of payloads for known patterns of maliciousness and/or static and dynamic techniques for analysis of malicious code.
4. - A method as per claim 3, further comprising using standard repositories according to Malware Attribute Enumeration and Characterisation in order to eliminate potential duplication of malware when performing said extraction of information from said captured malware.
5. - A method as per claim 3 or 4, wherein said information extracted comprises at least one of: name of said captured malware, common vulnerabilities exploited by said captured malware and operative system and services affected by said captured malware.
6. - A method as per any of previous claims, comprising deploying said virtual network with at least one virtual host in charge of hosting captured malware and with a Security Information and Event Management, or SIEM, deployment instance in charge of collecting events triggered by the activity of said captured malware.
7. - A method as per claim 6 when depending on claim 3, comprising applying a default configuration to said virtual network if it has not been possible to extract information from said captured malware.
8. - A method as per claim 6 or 7, comprising executing said capture in said virtual network in order to collect events occurred from said execution.
9.- A method as per claim 8, comprising extracting missing Malware Attribute Enumeration and Classification information from execution in said virtual network of said captured malware if it has not been possible to extract information from malware captured in said honeynet.
10.- A method as per claim 8 or 9, comprising generating said event correlation rules by evaluating a training set and statistical information produced by a data mining process on at least part of said events collected from execution of said captured malware, said training set generated by analysing events reported from said SI EM deployment instance.
1 1 .- A method as per claim 10, comprising classifying said events collected from execution of said captured malware into positive events and negative events wherein positive events are extracted from a Virtualized Malware Pool test and negative events are inferred from an Artificial Immune System.
12.- A method as per claim 1 1 , comprising using negative selection in said Artificial Immune system.
13- A method as per claim 12, wherein said training set consists of said positive events and said negative events.
14. - A method as per claim 13, further comprising generating said event correlation rules by applying an Artificial Intelligence technique to information produced by a data mining process on said positive events and evaluating said event correlation rules with said training set, said evaluation of said event correlation rules comprising maximizing positive events and minimizing negative events.
15. - A method as per claim 15, comprising translating said event correlation rules to a SI EM syntax by means of Common Attack Pattern Enumeration or Attack Knowledge Description Language.
16. - A method as per claim 14 or 15, comprising feeding back said SIEM deployment instance with said event correlation rules.
17. - A system to detect malicious software, said detection of malicious software, or malware, performed at least by applying security event correlation rules to a network, characterised in that it comprises the following elements:
- a honeynet collector in charge of capturing malware, said honeynet collector including at least one honeypot;
- a virtual machine pool in charge of at least building virtual networks wherein each of said virtual networks is dedicated for each captured malware; - an analyser module in charge of inferring correlation information from captured malware and events collected from execution of said captured malware in each of said virtual networks;
- a learning module in charge of generating event correlation rules from said inferred correlation information by means or artificial intelligence techniques; and
- a central module connected to said honeynet collector, said virtual machine pool, said analyser module and said learning module in charge of coordinating performance between said elements of the system.
18.- A system as per claim 17, characterised in that it comprises means for implementing the method as per any of claims 1 to 16.
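The claims above describe a pipeline (hash-based de-duplication of captured samples, classification of execution events into positive and negative sets, negative selection in an Artificial Immune System, and rule generation that rewards positive coverage and penalises negative coverage) without fixing any implementation. The following Python sketch is an added illustration of that pipeline, not code from the patent or from Telefónica; every sample, event and attribute value in it is constructed for the example. Two points are assumptions of this sketch rather than statements of the patent: negative selection is interpreted as drawing random candidate events and rejecting any that coincide with a positive (malicious) event, and the data-mining step is reduced to frequent attribute/value pairs combined into short conjunctions. The `rule_to_text` rendering is a generic form, not the syntax of any SIEM, CAPEC or AKDL.

```python
"""Added illustration of the claimed pipeline (not the patent's own code): hash-based
de-duplication of captured samples, negative selection to derive negative events,
and a search over mined conjunctive rules scored by positive and negative coverage.
All events, samples and attribute values below are constructed for the example."""
import hashlib
import itertools
import random
from collections import Counter

# Constructed "executables": the first and third are byte-identical duplicates.
CAPTURED_SAMPLES = [b"MZ\x90\x00sample-A", b"MZ\x90\x00sample-B", b"MZ\x90\x00sample-A"]

# Constructed positive events, as a SIEM instance might report them from one
# malware run inside its dedicated virtual network.
POSITIVE_EVENTS = [
    {"proto": "tcp", "dst_port": 445, "sig": "smb_scan"},
    {"proto": "tcp", "dst_port": 445, "sig": "smb_scan"},
    {"proto": "tcp", "dst_port": 445, "sig": "smb_exploit"},
    {"proto": "tcp", "dst_port": 6667, "sig": "irc_join"},
]

# Constructed attribute space from which the immune-system step draws candidates.
ATTRIBUTE_SPACE = {
    "proto": ["tcp", "udp"],
    "dst_port": [53, 80, 443, 445, 6667],
    "sig": ["smb_scan", "smb_exploit", "irc_join", "dns_query", "http_get", "none"],
}


def dedupe_samples(samples):
    """Claim 2: store an executable only if its hash was not stored before."""
    store = {}
    for blob in samples:
        store.setdefault(hashlib.sha256(blob).hexdigest(), blob)
    return store


def matches(rule, event):
    """A rule is a conjunction of attribute == value terms held in a dict."""
    return all(event.get(attr) == value for attr, value in rule.items())


def negative_selection(positives, space, n_candidates, seed=0):
    """Claims 11-12 (interpretation assumed here): draw random candidate events and
    discard any that coincide with a positive event; the survivors are the negatives."""
    rng = random.Random(seed)
    negatives = []
    for _ in range(n_candidates):
        candidate = {attr: rng.choice(values) for attr, values in space.items()}
        if candidate not in positives:
            negatives.append(candidate)
    return negatives


def mine_candidate_rules(positives, min_support=2, max_terms=2):
    """Data-mining step: frequent (attribute, value) pairs in the positive events,
    combined into conjunctions of up to max_terms distinct attributes."""
    counts = Counter((attr, value) for event in positives for attr, value in event.items())
    frequent = sorted(pair for pair, n in counts.items() if n >= min_support)
    rules = []
    for k in range(1, max_terms + 1):
        for combo in itertools.combinations(frequent, k):
            if len({attr for attr, _ in combo}) == k:  # one value per attribute
                rules.append(dict(combo))
    return rules


def fitness(rule, positives, negatives):
    """Claim 14: maximise positive events matched, minimise negative events matched."""
    hits = sum(matches(rule, e) for e in positives)
    false_alarms = sum(matches(rule, e) for e in negatives)
    return hits - false_alarms


def generate_rules(positives, negatives, top_n=2):
    """Rank mined rules by fitness; ties favour shorter rules, then a stable ordering."""
    scored = [(rule, fitness(rule, positives, negatives)) for rule in mine_candidate_rules(positives)]
    scored.sort(key=lambda rf: (-rf[1], len(rf[0]), str(sorted(rf[0].items()))))
    return scored[:top_n]


def rule_to_text(rule):
    """Render a rule in a generic 'attr == value AND ...' form (illustrative only,
    not the syntax of any particular SIEM, CAPEC or AKDL)."""
    return " AND ".join(f"{attr} == {value!r}" for attr, value in sorted(rule.items()))


if __name__ == "__main__":
    unique = dedupe_samples(CAPTURED_SAMPLES)
    print(f"{len(CAPTURED_SAMPLES)} captured, {len(unique)} unique after hashing")
    negatives = negative_selection(POSITIVE_EVENTS, ATTRIBUTE_SPACE, n_candidates=40)
    for rule, score in generate_rules(POSITIVE_EVENTS, negatives):
        print(f"fitness={score:+d}  {rule_to_text(rule)}")
```

The fitness function is deliberately the plain difference between positives hit and negatives hit, so a rule as broad as `proto == 'tcp'` covers every malicious event but is pushed down the ranking by the benign TCP traffic in the negative set; the more specific `dst_port == 445` rule wins on this data. A real learning module would search a much larger rule space (the patent's references point to genetic programming), but the scoring it optimises is the same shape.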
PCT/EP2013/050237 2012-01-30 2013-01-08 A method and a system to detect malicious software WO2013113532A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
ESP201230142 2012-01-30
ES201230142A ES2429425B1 (en) 2012-01-31 2012-01-31 METHOD AND SYSTEM TO DETECT MALINTENTIONED SOFTWARE

Publications (1)

Publication Number Publication Date
WO2013113532A1 true WO2013113532A1 (en) 2013-08-08

Family

ID=47594649

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2013/050237 WO2013113532A1 (en) 2012-01-30 2013-01-08 A method and a system to detect malicious software

Country Status (2)

Country Link
ES (1) ES2429425B1 (en)
WO (1) WO2013113532A1 (en)

Cited By (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104506507A (en) * 2014-12-15 2015-04-08 蓝盾信息安全技术股份有限公司 Honey net safeguard system and honey net safeguard method for SDN (self-defending network)
GB2520987A (en) * 2013-12-06 2015-06-10 Cyberlytic Ltd Profiling cyber threats detected in a target environment and automatically generating one or more rule bases for an expert system usable to profile cyber
EP2887612A1 (en) * 2013-12-17 2015-06-24 Verisign, Inc. Systems and methods for incubating malware in a virtual organization
WO2016109042A1 (en) * 2014-12-29 2016-07-07 Fireeye, Inc. Microvisor-based malware detection endpoint architecture
US9398034B2 (en) 2013-12-19 2016-07-19 Microsoft Technology Licensing, Llc Matrix factorization for automated malware detection
US20160255103A1 (en) * 2014-10-30 2016-09-01 Empire Technology Development Llc Malicious virtual machine alert generator
US9485263B2 (en) 2014-07-16 2016-11-01 Microsoft Technology Licensing, Llc Volatility-based classifier for security solutions
US9619648B2 (en) 2014-07-16 2017-04-11 Microsoft Technology Licensing, Llc Behavior change detection system for services
US9769189B2 (en) 2014-02-21 2017-09-19 Verisign, Inc. Systems and methods for behavior-based automated malware analysis and classification
US9866575B2 (en) 2015-10-02 2018-01-09 General Electric Company Management and distribution of virtual cyber sensors
US9906542B2 (en) 2015-03-30 2018-02-27 Microsoft Technology Licensing, Llc Testing frequency control using a volatility score
US9923954B2 (en) 2014-12-16 2018-03-20 International Business Machines Corporation Virtual fencing gradient to incrementally validate deployed applications directly in production cloud computing environment
US10110622B2 (en) 2015-02-13 2018-10-23 Microsoft Technology Licensing, Llc Security scanner
US10454950B1 (en) 2015-06-30 2019-10-22 Fireeye, Inc. Centralized aggregation technique for detecting lateral movement of stealthy cyber-attacks
WO2019205282A1 (en) * 2018-04-27 2019-10-31 广州西麦科技股份有限公司 Sdn-based network management control method, device, and computer readable storage medium
CN111338297A (en) * 2019-12-31 2020-06-26 南京联成科技发展股份有限公司 Industrial control safety framework system based on industrial cloud
US10733292B2 (en) 2018-07-10 2020-08-04 International Business Machines Corporation Defending against model inversion attacks on neural networks
US10789367B2 (en) 2014-04-18 2020-09-29 Micro Focus Llc Pre-cognitive security information and event management
CN113010437A (en) * 2021-04-27 2021-06-22 中国人民解放军国防科技大学 Software system reliability management method and system based on fault analysis
US11070588B2 (en) 2018-06-11 2021-07-20 International Business Machines Corporation Cognitive malicious activity identification and handling
US11818172B1 (en) 2021-08-24 2023-11-14 Amdocs Development Limited System, method, and computer program for a computer attack response service

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11930019B2 (en) 2021-04-21 2024-03-12 Saudi Arabian Oil Company Methods and systems for fast-paced dynamic malware analysis

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007070838A2 (en) 2005-12-13 2007-06-21 Crossbeam Systems, Inc. Systems and methods for processing data flows
WO2008127843A1 (en) 2007-04-16 2008-10-23 Microsoft Corporation Detection of adversaries through collection and correlation of assessments
WO2010067070A1 (en) 2008-12-11 2010-06-17 Scansafe Limited Malware detection

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007070838A2 (en) 2005-12-13 2007-06-21 Crossbeam Systems, Inc. Systems and methods for processing data flows
WO2008127843A1 (en) 2007-04-16 2008-10-23 Microsoft Corporation Detection of adversaries through collection and correlation of assessments
WO2010067070A1 (en) 2008-12-11 2010-06-17 Scansafe Limited Malware detection

Non-Patent Citations (59)

* Cited by examiner, † Cited by third party
Title
ALIENVAULT. OPEN SOURCE SECURITY INFORMATION MANAGEMENT., Retrieved from the Internet <URL:http://www.ossim.net.>
ANUBIS. ANALYZING UNKNOWN BINARIES., Retrieved from the Internet <URL:http://anubis.iseclab.org>
BAILEY, MICHAEL: "10th international conference on Recent advances in intrusion detection", 2007, SPRINGER, article "Automated Classification and Analysis of Internet Malware", pages: 178 - 197
BARFORD, P: "Employing Honeynets For Network Situational Awareness.", vol. 46, 2010, SPRINGER, pages: 71 - 102
BAYER, ULRICH: "Journal in Computer Virology", vol. 2, 2006, SPRINGER, article "Dynamic analysis of malicious code.", pages: 67 - 77
BRUGGER, S.T.: "Data mining methods for network intrusion detection", TECHNIQUE REPORT, 2004
BYKOVA, M.; OSTERMANN, S.; TJADEN, B.: "Detecting network intrusions via a statistical analysis", PROCEEDINGS OF THE 33RD SOUTHEASTERN SYMPOSIUM ON SYSTEM., 2001, pages 309 - 314, XP055197014, DOI: doi:10.1109/SSST.2001.918537
DEBAR, H.; CURRY, D.; FEINSTEIN, B.: "IETF RFC 4765.", March 2007, FRANCE TELECOM, GUARDIAN, INC.
DEBAR, HERVE; WESPI, ANDREAS.: "4th International Symposium on Recent Advances in Intrusion Detection", 2001, SPRINGER, article "Aggregation and correlation of intrusion-detection alerts", pages: 85 - 103
DINABURG, A.; ROYAL, P.; SHARIF, M.; LEE, W. S.L.: "Proceedings of the 15th ACM conference on Computer and communications security", 2008, ACM, article "Ether: Malware analysis via hardware virtualization extensions", pages: 51 - 62
FORREST, S.: "Proceedings of the 1994 IEEE Symposium on Research in Security and Privacy", 1994, IEEE COMPUTER SOCIETY PRESS, article "Self-nonself discrimination in a computer", pages: 202 - 212
GU, G.; ZHANG, J.; LEE, W.: "BotSniffer: Detecting botnet command and control channels in network traffic.", PROCEEDINGS OF THE 15TH ANNUAL NETWORK AND DISTRIBUTED SYSTEM SECURITY SYMPOSIUM, 2008
GU, GUOFEI: "16th USENIX Security Symposium on USENIX Security Symposium", vol. 12, 2007, BOSTON : USENIX ASSOCIATION, article "Bothunter: Detecting malware infection through ids-driven dialog correlation", pages: 1 - 16
JI, Z.; DASGUPTA, D.: "Genetic and Evolutionary Computation Conference", 2004, SPRINGER, article "Real-valued negative selection algorithm with variable-sized detectors", pages: 287 - 298
JIANG, X.; WANG, X.: "Proceedings of the 10th international conference on Recent advances in intrusion detection", 2007, SPRINGER-VERLAG, article "Out-of-the-box monitoring of VM-based high-interaction honeypots", pages: 198 - 218
JIANWEI ZHUGE ET AL: "Collecting Autonomous Spreading Malware Using High-Interaction Honeypots", 12 December 2007, INFORMATION AND COMMUNICATIONS SECURITY; [LECTURE NOTES IN COMPUTER SCIENCE], SPRINGER BERLIN HEIDELBERG, BERLIN, HEIDELBERG, PAGE(S) 438 - 451, ISBN: 978-3-540-77047-3, XP019136974 *
KIM; JUNGWON; BENTLEY, P.J.: "Towards an artificial immune system for network intrusion", PROCEEDINGS OF THE 2001 CONGRESS ON EVOLUTIONARY COMPUTATION, vol. 2, 2001, pages 244 - 252
KOLBITSCH, C.: "18th Conference on USENIX security symposium", 2009, USENIX ASSOCIATION, article "Effective and efficient malware detection at the end host.", pages: 351 - 366
KOLBITSCH, CLEMENS: "18th USENIX Security Symposium", 2009, USENIX ASSOCIATION, article "Active Botnet Probing to Identify Obscure Command and Control Channels"
KREIBICH, CHRISTIAN; CROWCROFT, JON.: "ACM SIGCOMM Computer Communication Review", vol. 34, 2004, ACM, article "Honeycomb: creating intrusion detection signatures using honeypots", pages: 51 - 56
KRISHNAMURTHY, SUDHA: "Proceedings of the 3rd International Conference on Networked Sensing Systems (INSS)", 2006, TRANSDUCER RESEARCH FOUNDATION TRF, article "RESTORE: A real-time event correlation and storage service for sensor networks"
LI, ZHIXHUN; CHEN, YAN; BEACH, AARON.: "Proceedings of the SIGCOMM workshop on Large-scale attack defense", ACM, article "Towards scalable and robust distributed intrusion alert fusion with good load balancing", pages: 122 - 130
LIMMER, TOBIAS; DRESSLER, FALKO.: "Survey of Event Correlation Techniques for Attack Detection in Early Warning Systems", DEPARTMENT OF COMPUTER SCIENCE, 2008, pages 37
LOK KWONG YAN: "Virtual honeynets revisited", SYSTEMS, MAN AND CYBERNETICS (SMC) INFORMATION ASSURANCE WORKSHOP, 2005. PROCEEDINGS FROM THE SIXTH ANNUAL IEEE WEST POINT, NY, USA 15-17 JUNE 2005, PISCATAWAY, NJ, USA, IEEE, 15 June 2005 (2005-06-15), pages 232 - 239, XP010826338, ISBN: 978-0-7803-9290-8 *
LONVICK, C.: "ISOC RFC 3164. Cisco Systems. The BSD syslog Protocol", August 2007, THE INTERNET SOCIETY
LUNT, T.: "A real-time intrusion-detection expert system (IDES)", 1992, SRI INTERNATIONAL.
MARTIN-FLATIN; JEAN PHILIPPE; JAKOBSON, GABRIEL; LEWIS, LUNDY: "Journal of Network and Systems Management", vol. 15, 2007, SPRINGER, article "Event Correlation in Integrated Management: Lessons Learned and Outlook", pages: 481 - 502
MATHEW, SUNU; SHAH, CHINTAN; UPADHYAYA, SHAMBHU.: "International Workshop on Innovative Architecture for Future Generation High-Performance Processors and Systems.", 2005, IEEE COMPUTER SOCIETY, article "An Alert Fusion Framework for Situation Awareness of Coordinated Multistage Attacks", pages: 95 - 104
MATT. MADRID: "Proceedings of the National Information Systems Security Conference", 1995, DIANE PUBLISHING, article "A standard audit trail format. Bishop", pages: 136 - 145
MORIN, BENJAMIN: "Proceedings of the 5th international conference on Recent advances in intrusion detection", 2002, SPRINGER-VERLAG, article "M2D2: A formal data model for IDS alert correlation", pages: 115 - 137
NAPOLEON PAXTON ET AL: "Towards Practical Framework for Collecting and Analyzing Network-Centric Attacks", INFORMATION REUSE AND INTEGRATION, 2007. IRI 2007. IEEE INTERNATIONAL CONFERENCE ON, IEEE, PI, 1 August 2007 (2007-08-01), pages 73 - 78, XP031130852, ISBN: 978-1-4244-1499-4 *
NORMAN PROACTIVE IT SECURITY. SANDBOX ONLINE ANALYZER., Retrieved from the Internet <URL:http://www.norman.com/products/sandbox_online_analyzer/en>
P, DIEBOLD; A, HESS; G, SCHAFER: "Kommunikation in Verteilten Systemen.", 2005, SPRINGER, article "A honeypot architecture for detecting and analyzing unknown network attacks", pages: 245 - 255
PENG W; PERNG C; LI T; WANG H: "Proceedings of the13th ACM SIGKDD international conference on Knowledge discovery and data mining", 2007, ACM, article "Event summarization for system management.", pages: 1028 - 1032
PROVOS N; MAVROMMATIS P; RAJAB MA; MONROSE F.: "All your iframes point to us", PROCEEDINGS OF THE 17TH CONFERENCE ON SECURITY SYMPOSIUM., 2008, pages 1 - 15
PROVOS, NIELS: "Proceedings of the 13th conference on USENIX Security Symposium.", vol. 13, 2004, USENIX ASSOCIATION, article "A virtual honeypot framework"
RAFAL LESZCZYNA, MALSIM - MOBILE AGENT MALWARE SIMULATOR ET AL: "MAlSim - Mobile Agent Malware Simulator", SIMUTOOLS '08 PROCEEDINGS OF THE 1ST INTERNATIONAL CONFERENCE ON SIMULATION TOOLS AND TECHNIQUES FOR COMMUNICATIONS, NETWORKS AND SYSTEMS & WORKSHOPS ARTICLE NO. 35, 2008, Brussels, Belgium, pages 35 - 41, XP055068549, ISBN: 978-9-63-979920-2, Retrieved from the Internet <URL:http://delivery.acm.org/10.1145/1420000/1416262/a35-leszczyna.pdf?ip=145.64.134.240&acc=ACTIVE%20SERVICE&key=986B26D8D17D60C88D75A192E3112143&CFID=230330601&CFTOKEN=28679786&__acm__=1372326694_2c3b8d29c8ee8b89edf242c1352a89e2> [retrieved on 20130627] *
RAJAB, MOHEEB ABU: "6th ACM SIGCOMM Conference on Internet Measurement.", 2006, USENIX, article "A multifaceted approach to understanding the botnet phenomenon", pages: 41 - 52
REN, HANLI; STAKHANOVA, NATALIA; GHORBANI, ALI, AN ONLINE ADAPTIVE APPROACH TO ALERT CORRELATION., 2010, pages 153 - 172
RIPLEY, BD.: "Network intrusion detection using an improved competitive learning neural network.", JOURNAL OF THE ROYAL STATISTICAL SOCIETY, vol. 56, 1994, pages 409 - 456
SEEWALD, A.K.; GANSTERER, W.N. 1: "Computers & Security", vol. 29, 2010, ELSEVIER, article "On the detection and identification of botnets.", pages: 45 - 58
SIFALAKIS, MANOLIS; FRY, MICHAEL; HUTCHISON, DAVID.: "Event detection and correlation for network environments", IEEE JOURNAL ON SELECTED AREAS IN COMMUNICATIONS, vol. 28, 2010, pages 60 - 69
SINCLAIR C ET AL: "An application of machine learning to network intrusion detection", PROCEEDINGS / 15TH ANNUAL COMPUTER SECURITY APPLICATIONS CONFERENCE : DECEMBER 6 - 10, 1999, PHOENIX, ARIZONA, IEEE COMPUTER SOCIETY, LOS ALAMITOS, CALIF. [U.A.], 6 December 1999 (1999-12-06), pages 371 - 377, XP010368611, ISBN: 978-0-7695-0346-2, DOI: 10.1109/CSAC.1999.816048 *
SINCLAIR, C.; PIERCE, L.; MATZNER, S.: "An application of machine learning to network intrusion detection.", PROCEEDINGS OF THE 15TH ANNUAL COMPUTER SECURITY APPLICATIONS CONFERENCE, pages 371 - 377
SINGH, SHAILENDRA; SILAKARI, SANJAY.: "A Survey of Cyber Attack Detection Systems", IJCSNS, vol. 9, 2009, pages 1 - 10
SUAREZ-TANGIL, G.: "Computational Intelligence in Security for Information.", 2009, SPRINGER, article "Automatic Rule Generation Based on Genetic Programming for Event Correlation", pages: 127 - 134
SUDAHARAN; SUSHANTHAN: "Honeynet Farms as an Early Warning System for Production Networks", SOFTWARE, 11 May 2006 (2006-05-11)
SYVERSEN; JASON M.: "Method and Apparatus for defending against Zero-day Worm based attack", METHOD; APARATUS, 24 April 2008 (2008-04-24)
TSAI, CHIH-FONG; HSU, YU-FENG; LIN, CHIA-YING; LIN, WEI-YANG.: "Expert Systems with Applications", vol. 36, 2009, ELSEVIER LTD, article "Intrusion detection by machine learning: A review.", pages: 11994 - 12000
VIRUSTOTAL. FREE ONLINE VIRUS AND MALWARE SCAN, Retrieved from the Internet <URL:http://www.virustotal.com>
WANG L; GHORBANI A; LI Y.: "Automatic Multi-step Attack Pattern Discovering", INTERNATIONAL JOURNAL OF NETWORK SECURITY, vol. 10, 2010, pages 142 - 152
WILLEMS, CARSTEN; HOLZ, THORSTEN; FREILING, FELIX.: "Toward Automated Dynamic Malware Analysis Using CWSandbox", IEEE SECURITY AND PRIVACY MAGAZINE, vol. 5, 2007, pages 32 - 39, XP011175985
WILLEMS, CARSTEN; HOLZ, THORSTEN; FREILING, FELIX: "Toward Automated Dynamic Malware Analysis Using CWSandbox.", SECURITY AND PRIVACY MAGAZINE, vol. 5, 2007, XP011175985
WU, SHELLY XIAONAN; BANZHAF, WOLFGANG: "The use of computational intelligence in intrusion detection systems: A review.", APPLIED SOFT COMPUTING, vol. 10, 2010, pages 1 - 35, XP026704986, DOI: doi:10.1016/j.asoc.2009.06.019
XEN. XEN HYPERVISOR, Retrieved from the Internet <URL:http://www.xen.org/products/xenhyp.html>
ZHONG, S.C.: "A safe mobile agent system for distributed intrusion detection", INTERNATIONAL CONFERENCE ON MACHINE LEARNING AND CYBERNETICS, vol. 4, 2003, pages 2009 - 2014, XP010682090, DOI: doi:10.1109/ICMLC.2003.1259833
ZHOU, CHENFENG VINCENT; LECKIE; CHRISTOPHER; KARUNASEKERA: "Computers & Security", vol. 29, 2010, ELSEVIER, article "A survey of coordinated attacks and collaborative intrusion detection.", pages: 124 - 140
ZHUGE, JIANWEI: "Towards High Level Attack Scenario Graph through Honeynet Data Correlation Analysis", INFORMATION ASSURANCE WORKSHOP, 2006, pages 215 - 222, XP031099865
ZURUTUZA; URKO; URIBEETXEBERRIA; ROBERTO; ZAMBONI: "1st ACM workshop on AISec", 2008, ACM, article "A data mining approach for analysis of worm activity through automatic signature generation."

Cited By (29)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2520987B (en) * 2013-12-06 2016-06-01 Cyberlytic Ltd Using fuzzy logic to assign a risk level profile to a potential cyber threat
GB2520987A (en) * 2013-12-06 2015-06-10 Cyberlytic Ltd Profiling cyber threats detected in a target environment and automatically generating one or more rule bases for an expert system usable to profile cyber
US9503472B2 (en) 2013-12-06 2016-11-22 Cyberlytic Limited Profiling cyber threats detected in a target environment and automatically generating one or more rule bases for an expert system usable to profile cyber threats detected in a target environment
US10567432B2 (en) 2013-12-17 2020-02-18 Verisign, Inc. Systems and methods for incubating malware in a virtual organization
US9473520B2 (en) 2013-12-17 2016-10-18 Verisign, Inc. Systems and methods for incubating malware in a virtual organization
EP2887612A1 (en) * 2013-12-17 2015-06-24 Verisign, Inc. Systems and methods for incubating malware in a virtual organization
US9398034B2 (en) 2013-12-19 2016-07-19 Microsoft Technology Licensing, Llc Matrix factorization for automated malware detection
US9769189B2 (en) 2014-02-21 2017-09-19 Verisign, Inc. Systems and methods for behavior-based automated malware analysis and classification
US10789367B2 (en) 2014-04-18 2020-09-29 Micro Focus Llc Pre-cognitive security information and event management
US9485263B2 (en) 2014-07-16 2016-11-01 Microsoft Technology Licensing, Llc Volatility-based classifier for security solutions
US9619648B2 (en) 2014-07-16 2017-04-11 Microsoft Technology Licensing, Llc Behavior change detection system for services
US20160255103A1 (en) * 2014-10-30 2016-09-01 Empire Technology Development Llc Malicious virtual machine alert generator
US9819690B2 (en) * 2014-10-30 2017-11-14 Empire Technology Development Llc Malicious virtual machine alert generator
CN104506507A (en) * 2014-12-15 2015-04-08 蓝盾信息安全技术股份有限公司 Honey net safeguard system and honey net safeguard method for SDN (self-defending network)
CN104506507B (en) * 2014-12-15 2017-10-10 蓝盾信息安全技术股份有限公司 A kind of sweet net safety protective system and method for SDN
US9923954B2 (en) 2014-12-16 2018-03-20 International Business Machines Corporation Virtual fencing gradient to incrementally validate deployed applications directly in production cloud computing environment
US9923955B2 (en) 2014-12-16 2018-03-20 International Business Machines Corporation Virtual fencing gradient to incrementally validate deployed applications directly in production cloud computing environment
WO2016109042A1 (en) * 2014-12-29 2016-07-07 Fireeye, Inc. Microvisor-based malware detection endpoint architecture
US10110622B2 (en) 2015-02-13 2018-10-23 Microsoft Technology Licensing, Llc Security scanner
US9906542B2 (en) 2015-03-30 2018-02-27 Microsoft Technology Licensing, Llc Testing frequency control using a volatility score
US10454950B1 (en) 2015-06-30 2019-10-22 Fireeye, Inc. Centralized aggregation technique for detecting lateral movement of stealthy cyber-attacks
US9866575B2 (en) 2015-10-02 2018-01-09 General Electric Company Management and distribution of virtual cyber sensors
WO2019205282A1 (en) * 2018-04-27 2019-10-31 广州西麦科技股份有限公司 Sdn-based network management control method, device, and computer readable storage medium
US11070588B2 (en) 2018-06-11 2021-07-20 International Business Machines Corporation Cognitive malicious activity identification and handling
US10733292B2 (en) 2018-07-10 2020-08-04 International Business Machines Corporation Defending against model inversion attacks on neural networks
CN111338297A (en) * 2019-12-31 2020-06-26 南京联成科技发展股份有限公司 Industrial control safety framework system based on industrial cloud
CN113010437A (en) * 2021-04-27 2021-06-22 中国人民解放军国防科技大学 Software system reliability management method and system based on fault analysis
CN113010437B (en) * 2021-04-27 2023-04-28 中国人民解放军国防科技大学 Software system reliability management method and system based on fault analysis
US11818172B1 (en) 2021-08-24 2023-11-14 Amdocs Development Limited System, method, and computer program for a computer attack response service

Also Published As

Publication number Publication date
ES2429425B1 (en) 2015-03-10
ES2429425A2 (en) 2013-11-14
ES2429425R1 (en) 2013-12-09

Similar Documents

Publication Publication Date Title
WO2013113532A1 (en) A method and a system to detect malicious software
Rahman et al. Scalable machine learning-based intrusion detection system for IoT-enabled smart cities
Bijone A survey on secure network: intrusion detection & prevention approaches
Liao et al. Intrusion detection system: A comprehensive review
EP4111343A1 (en) An artificial intelligence adversary red team
JP2017503222A (en) Network security system, method and apparatus
Brahmi et al. Towards a multiagent-based distributed intrusion detection system using data mining approaches
Patel et al. Taxonomy and proposed architecture of intrusion detection and prevention systems for cloud computing
Beg et al. Feasibility of intrusion detection system with high performance computing: A survey
Diwan et al. Feature entropy estimation (FEE) for malicious IoT traffic and detection using machine learning
Mudgerikar et al. Edge-based intrusion detection for IoT devices
Rose et al. IDERES: Intrusion detection and response system using machine learning and attack graphs
Rene et al. Malicious code intrusion detection using machine learning and indicators of compromise
Mishra et al. PSI-NetVisor: Program semantic aware intrusion detection at network and hypervisor layer in cloud
Umamaheswari et al. Honeypot TB-IDS: trace back model based intrusion detection system using knowledge based honeypot construction model
Vashishtha et al. HIDM: A hybrid intrusion detection model for cloud based systems
US10897472B1 (en) IT computer network threat analysis, detection and containment
Noor et al. An intelligent context-aware threat detection and response model for smart cyber-physical systems
Shah et al. Intelligent intrusion detection system through combined and optimized machine learning
Frankowski et al. Application of the Complex Event Processing system for anomaly detection and network monitoring
Alasmary et al. SHELLCORE: Automating malicious IoT software detection using shell commands representation
Cao On preempting advanced persistent threats using probabilistic graphical models
Zonouz et al. Cost-aware systemwide intrusion defense via online forensics and on-demand detector deployment
Zurutuza et al. A data mining approach for analysis of worm activity through automatic signature generation
Omar et al. Harnessing the Power and Simplicity of Decision Trees to Detect IoT Malware

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 13700631

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 13700631

Country of ref document: EP

Kind code of ref document: A1