AccessMiner: Using System-Centric Models for Malware Protection
Models based on system calls are a popular and common approach to characterize the run-time behavior of programs. For example, system calls are used by intrusion detection systems to detect software exploits. As another example, policies based on system calls are used to sandbox applications or to enforce access control. Given that malware represents a significant security threat for today’s computing infrastructure, it is not surprising that system calls were also proposed to distinguish between benign processes and malicious code. Most proposed malware detectors that use system calls follow a program-centric analysis approach. That is, they build models based on specific behaviors of individual applications. Unfortunately, it is not clear how well these models
Opcode sequences as representation of executables for data-mining-based unknown malware detection
- Information Sciences 227, 2013
Malware can be defined as any type of malicious code that has the potential to harm a computer or network. The volume of malware is growing faster every year and poses a serious global security threat. Consequently, malware detection has become a critical topic in computer security. Currently, signature-based detection is the most widespread method used in commercial antivirus. In spite of the broad use of this method, it can detect malware only after the malicious executable has already caused damage and provided the malware is adequately documented. Therefore, the signature-based method consistently fails to detect new malware. In this paper, we propose a new method to detect unknown malware families. This model is based on the frequency of the appearance of opcode sequences. Furthermore, we describe a technique to mine the relevance of each opcode and assess the frequency of each opcode sequence. In addition, we provide empirical validation that this new method is capable of detecting unknown malware.
A Quantitative Study of Accuracy in System Call-Based Malware Detection
Over the last decade, there has been a significant increase in the number and sophistication of malware-related attacks and infections. Many detection techniques have been proposed to mitigate the malware threat. A running theme among existing detection techniques is the similar promise of high detection rates, in spite of the wildly different models (or specification classes) of malicious activity used. In addition, the lack of a common testing methodology and the limited datasets used in the experiments make it difficult to compare these models in order to determine which ones yield the best detection accuracy. In this paper, we present a systematic approach to measure how the choice of behavioral models influences the quality of a malware detector. We tackle this problem by executing a large number of testing experiments, in which we explored the parameter space of over 200 different models, corresponding to more than 220 million signatures. Our results suggest that commonly held beliefs about simple models are incorrect in how they relate changes in complexity to changes in detection accuracy. This implies that accuracy is non-linear across the model space, and that analytical reasoning is insufficient for finding an optimal model and has to be supplemented by testing and empirical measurements.
Design of a Retargetable Decompiler for a Static Platform-Independent Malware Analysis
Together with the massive expansion of smartphones, tablets, and other smart devices, we can notice a growing number of malware threats targeting these platforms. Software security companies are not prepared for such diversity of target platforms and there are only few techniques for platform-independent malware analysis. This is a major security issue these days. In this paper, we propose a concept of a retargetable reverse compiler (i.e. a decompiler), which is in an early stage of development. The retargetable decompiler transforms platform-specific binary applications into a high-level language (HLL) representation, which can be further analyzed in a uniform way. This tool will help with a static platform-independent malware analysis. Our unique solution is based on an exploitation of two systems that were originally not intended for such an application: the architecture description language (ADL) ISAC for a platform description and the LLVM Compiler System as the core of the decompiler. In this study, we show that our tool can produce highly readable HLL code.
A Survey on Automated Dynamic Malware Analysis Techniques and Tools
Anti-virus vendors are confronted with a multitude of potential malicious samples today. Receiving thousands of new samples every single day is nothing uncommon. As the signatures that should detect the confirmed malicious threats are still mainly created manually, it is important to discriminate between samples that pose a new unknown threat, and those that are mere variants of known malware. This survey article provides an overview of techniques that are based on dynamic analysis and that are used to analyze potentially malicious samples. It also covers analysis programs that employ these techniques to assist a human analyst in assessing, in a timely and appropriate manner, whether a given sample deserves closer manual inspection due to its unknown malicious behavior.
NOA: AN INFORMATION RETRIEVAL BASED MALWARE DETECTION SYSTEM
Malware refers to any type of code written with the intention of harming a computer or network. The quantity of malware being produced is increasing every year and poses a serious global security threat. Hence, malware detection is a critical topic in computer security. Signature-based detection is the most widespread method used in commercial antivirus solutions. However, signature-based detection can detect malware only once the malicious executable has caused damage and has been conveniently registered and documented. Therefore, the signature-based method fails to detect obfuscated malware variants. In this paper, a new malware detection system is proposed based on information retrieval. For the representation of executables, the frequency of the appearance of opcode sequences is used. Through this architecture a malware detection system prototype is developed and evaluated in terms of performance, malware variant recall (false negative ratio) and false positive ratio.
KLIMAX: Profiling Memory Write Patterns to Detect Keystroke-Harvesting Malware
- In International Symposium on Recent Advances in Intrusion Detection (RAID), 2011
Privacy-breaching malware is an ever-growing class of malicious applications that attempt to steal confidential data and leak them to third parties. One of the most prominent activities to acquire private user information is to eavesdrop and harvest user-issued keystrokes. Despite the serious threat involved, keylogging activities are challenging to detect in the general case. From an operating system perspective, their general behavior is no different than that of legitimate applications used to implement common end-user features like custom shortcut handling and keyboard remapping. As a result, existing detection techniques that attempt to model malware behavior based on system or library calls are largely ineffective. To address these concerns, we introduce a novel detection technique based on fine-grained profiling of memory write patterns. The intuition behind our model lies in data harvesting being a good predictor for sensitive information leakage. To demonstrate the viability of our approach, we have designed and implemented KLIMAX: a Kernel-Level Infrastructure for Memory and eXecution profiling. Our system supports proactive and reactive detection and can be transparently deployed online on a running Windows platform. Experimental results with real-world malware confirm the effectiveness of our approach.
Evolution and Detection of Polymorphic and Metamorphic Malwares: A Survey
Malware is a big threat to the digital world and is evolving with high complexity. It can penetrate networks, steal confidential information from computers, bring down servers and cripple infrastructures. To combat the threats and attacks from malware, anti-malware products have been developed. The existing anti-malware products are mostly based on the assumption that the malware structure does not change appreciably. But recent advances in second-generation malware can create variants and hence pose a challenge to anti-malware developers. To combat the threats and attacks from second-generation malware with a low false alarm rate, we present our survey on malware and its detection techniques.