Sandnet++ – A framework for analysing and visualising network traffic from malware
One important step in combating malware is to understand how it communicates over a computer network. Most malware has to communicate remotely, whether to infect further victims, exfiltrate stolen information or receive instructions.
Examining the network traffic generated by malware provides an opportunity to identify the unique features found only in malware traffic, and use these to distinguish it from benign traffic. Only if malware traffic is identifiable can it be blocked or otherwise disrupted.
This article presents Sandnet++, a framework for analysing and visualising network traffic from malware. We also present several case studies showing how the Sandnet++ framework can be used to extract malware traffic features, allowing better malware detection.
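The notion of a "traffic feature" in the paragraph above is abstract, so here is an added illustration of what feature extraction over captured network traffic can look like in practice. It is example code written for this edit, not part of Sandnet++ or the authors' work, and the specific features it computes (per-destination flow count, mean inter-flow interval, coefficient of variation of those intervals as a regularity measure, and the outbound/inbound byte ratio) are assumptions chosen for illustration. The flow records are constructed inline; a real analysis would derive them from a packet capture.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """One summarised connection, as would be derived from a capture."""
    ts: float        # start time in seconds
    src: str
    dst: str
    dport: int
    bytes_out: int   # bytes sent by the monitored host
    bytes_in: int    # bytes received by the monitored host


# Constructed sample data (not a real capture): one host talking to two servers.
# The first server is contacted every 60 s with a small, constant payload,
# the second at irregular times with download-heavy transfers.
SAMPLE_FLOWS = [
    Flow(0.0,   "10.0.0.5", "203.0.113.7",   443, 300, 120),
    Flow(60.0,  "10.0.0.5", "203.0.113.7",   443, 300, 120),
    Flow(120.0, "10.0.0.5", "203.0.113.7",   443, 300, 120),
    Flow(180.0, "10.0.0.5", "203.0.113.7",   443, 300, 120),
    Flow(240.0, "10.0.0.5", "203.0.113.7",   443, 300, 120),
    Flow(300.0, "10.0.0.5", "203.0.113.7",   443, 300, 120),
    Flow(0.0,   "10.0.0.5", "198.51.100.20", 443, 500, 5000),
    Flow(5.0,   "10.0.0.5", "198.51.100.20", 443, 700, 8000),
    Flow(17.0,  "10.0.0.5", "198.51.100.20", 443, 400, 3000),
    Flow(40.0,  "10.0.0.5", "198.51.100.20", 443, 900, 12000),
]


def extract_features(flows):
    """Group flows by (src, dst, dport) and compute per-group features.

    Returns a dict keyed by (src, dst, dport) with:
      flows          - number of connections in the group
      mean_interval  - mean time between consecutive connection starts
      interval_cv    - std/mean of those intervals (0 = perfectly regular),
                       or None when fewer than two intervals exist
      out_in_ratio   - total bytes out divided by total bytes in
    """
    groups = defaultdict(list)
    for f in flows:
        groups[(f.src, f.dst, f.dport)].append(f)

    features = {}
    for key, group in groups.items():
        group.sort(key=lambda f: f.ts)
        intervals = [b.ts - a.ts for a, b in zip(group, group[1:])]
        out_total = sum(f.bytes_out for f in group)
        in_total = sum(f.bytes_in for f in group)

        if len(intervals) >= 2:
            m = mean(intervals)
            cv = pstdev(intervals) / m if m > 0 else float("inf")
        else:
            m = intervals[0] if intervals else 0.0
            cv = None

        features[key] = {
            "flows": len(group),
            "mean_interval": m,
            "interval_cv": cv,
            "out_in_ratio": out_total / in_total if in_total else float("inf"),
        }
    return features


def flag_periodic(features, max_cv=0.1, min_flows=4):
    """Return the groups whose timing is regular enough to merit review.

    The thresholds are illustrative; in practice they would be tuned
    against labelled malware and benign captures.
    """
    return sorted(
        key for key, v in features.items()
        if v["flows"] >= min_flows
        and v["interval_cv"] is not None
        and v["interval_cv"] <= max_cv
    )


if __name__ == "__main__":
    feats = extract_features(SAMPLE_FLOWS)
    for key, v in feats.items():
        print(key, v)
    print("regular-interval peers:", flag_periodic(feats))
```

Timing regularity and a high outbound-to-inbound byte ratio are only two of many candidate features, and neither is conclusive on its own (software update checks are also periodic); the value of a framework like the one the article describes is in extracting many such features across a large corpus so that the combinations which separate malware from benign traffic can be found empirically.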