GQ: Practical Containment for Measuring Modern Malware Systems

Title: GQ: Practical Containment for Measuring Modern Malware Systems
Publication Type: Technical Report
Year of Publication: 2011
Authors: Kreibich, C., Weaver N., Kanich C., Cui W., & Paxson V.
Other Numbers: 3133

Measurement and analysis of modern malware systems such as botnets relies crucially on execution of specimens in a setting that enables them to communicate with other systems across the Internet. Ethical, legal, and technical constraints, however, demand containment of resulting network activity in order to prevent the malware from harming others while still ensuring that it exhibits its inherent behavior. Current best practices in this space are sorely lacking: measurement researchers often treat containment superficially, sometimes ignoring it altogether. In this paper we present GQ, a malware execution “farm” that uses explicit containment primitives to enable analysts to develop containment policies naturally, iteratively, and safely. We discuss GQ’s architecture and implementation, our methodology for developing containment policies, and our experiences gathered from six years of development and operation of the system.


This work was partially supported by funding provided to ICSI through National Science Foundation grant CNS-0433702 (“CCIED: Collaborative Center for Internet Epidemiology and Defenses”). Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors or originators and do not necessarily reflect the views of the National Science Foundation.

Bibliographic Notes

ICSI Technical Report TR-11-002

Abbreviated Authors

C. Kreibich, N. Weaver, C. Kanich, W. Cui, and V. Paxson

ICSI Research Group

Networking and Security

ICSI Publication Type

Technical Report