Malware, such as computer viruses, worms, and bots, has been recognized as one of the major security threats in the Internet environment, and a large amount of research and development is taking place to find effective countermeasures. These countermeasures are mainly based on either macroscopic or microscopic analysis. Macroscopic analysis is based on monitoring the network in order to grasp the global trends of malware propagations while microscopic analysis investigates malware executables to identify the details of how they behave. We have been developing the Network Incident analysis Center for Tactical Emergency Response (nicter), where both kinds of analysis are highly integrated. By integrating and correlating the results from the both two approaches, the nicter binds phenomena, i.e., scans observed by network monitoring with their root causes, i.e., malwares. Previous analysis of malware has mainly focused on their internal behavior in the system. However, in order to achieve such a goal, it is crucial that the microscopic analysis extracts a malware's external behavior towards the network. We propose a novel way to analyze malware behavior: focus closely on the malware's external behavior. A malware sample is executed on a real machine that is connected to a virtual Internet environment called a "miniature network". Since this analysis environment is totally isolated from the real Internet, the execution of the sample, unlike in previously proposed methods, causes no further unwanted propagation. Furthermore, the behavioral analysis is carried out in two passes. In the first pass, in order to extract a wider variety of network behaviors from the sample, the miniature network responds as interactively as possible. In the second pass, to make only suitable response that will enable us to concentrate on specific behavior, namely scan behaviors, the miniature network is configured on the basis of the first pass result. We also present concrete analysis results that are gained by using the proposed method.
