ABSTRACT
We propose a novel behavioral malware detection approach based on a generic system-wide quantitative data flow model. We base our data flow analysis on the incremental construction of aggregated quantitative data flow graphs. These graphs represent communication between different system entities such as processes, sockets, files or system registries. We demonstrate the feasibility of our approach through a prototypical instantiation and implementation for the Windows operating system. Our experiments yield encouraging results: in our data set of samples from common malware families and popular non-malicious applications, our approach has a detection rate of 96% and a false positive rate of less than 1.6%. In comparison with closely related data flow based approaches, we achieve similar detection effectiveness with considerably better performance: an average full system analysis takes less than one second.
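To make the central idea concrete, the following is an added example (not the paper's code or data set) that incrementally aggregates a quantitative data flow graph from a constructed trace of data transfers between processes, files, sockets and registry keys, and then derives a simple volume-based score from the aggregated edges. The trace, node names and scoring rule are constructed for illustration only.

```python
from collections import defaultdict

# Constructed trace of data-transfer events (src, dst, bytes). The names,
# volumes and scoring rule are illustrative, not the paper's data or features.
# Node prefixes: P: process, F: file, S: socket, R: registry key.
TRACE = [
    ("F:C:\\Users\\u\\report.xlsx", "P:sample.exe", 4096),
    ("F:C:\\Users\\u\\report.xlsx", "P:sample.exe", 4096),
    ("F:C:\\Users\\u\\notes.txt", "P:sample.exe", 1024),
    ("P:sample.exe", "S:203.0.113.7:443", 6000),
    ("P:sample.exe", "S:203.0.113.7:443", 3000),
    ("P:sample.exe", "R:HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", 64),
    ("F:C:\\Users\\u\\slides.pptx", "P:powerpnt.exe", 20480),
    ("P:powerpnt.exe", "F:C:\\Users\\u\\slides.pptx", 20500),
]

class QDFG:
    """Aggregated quantitative data flow graph: one edge per (src, dst) pair."""

    def __init__(self):
        self.weight = defaultdict(int)  # (src, dst) -> cumulative bytes
        self.nodes = set()

    def add_event(self, src, dst, nbytes):
        # Incremental update: a repeated transfer along the same pair is
        # summed into the existing edge rather than adding a parallel edge.
        self.nodes.update((src, dst))
        self.weight[(src, dst)] += nbytes

    def in_bytes(self, node, kind):
        return sum(w for (s, d), w in self.weight.items() if d == node and s.startswith(kind))

    def out_bytes(self, node, kind):
        return sum(w for (s, d), w in self.weight.items() if s == node and d.startswith(kind))

def build_graph(trace):
    g = QDFG()
    for src, dst, n in trace:
        g.add_event(src, dst, n)
    return g

def exfil_score(g, proc):
    """Constructed heuristic: share of file bytes read by a process that leave
    it over sockets, and whether it also wrote to a registry key."""
    read, sent = g.in_bytes(proc, "F:"), g.out_bytes(proc, "S:")
    return (sent / read if read else 0.0), g.out_bytes(proc, "R:") > 0

def flag_processes(g, ratio=0.5):
    return sorted(p for p in g.nodes if p.startswith("P:")
                  and exfil_score(g, p)[0] >= ratio and exfil_score(g, p)[1])
```

Because edges are aggregated rather than appended per event, the graph stays small regardless of trace length, which is what allows a whole-system analysis to be cheap.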