System calls have long been used to profile a program as malware. Previous system-call-based malware detection approaches are often process-oriented: they classify a process as malware solely by the system calls it invokes, and so they often miss module-based malware such as DLL-based malware, as well as co-working malware that splits itself into several programs which cooperate to complete their functions. To deal with this problem, system calls should be collected and analyzed more richly than before. However, analyzing rich system calls imposes a significant performance cost on the clients. Fortunately, with the evolution of distributed computing techniques such as MapReduce, we can overcome this tradeoff by analyzing the system calls for malware detection on the servers, thereby reducing the performance impact on the clients. In this paper, we revise the previous malware persistent model to cover module-based and co-working malware. We also propose a MapReduce-based system call analysis method to realize the new model. This method is implemented on a Hadoop platform and tested for effectiveness and efficiency with 50 real-world malware samples. The experimental results show that the detection rate improves by 28% and performance improves by more than 30% in comparison with previous research.
As malware becomes pervasive and fast-evolving on the Internet, every computer linked to the outside world faces the risk of malware attacks. Therefore, it is important not only to detect malware as early as possible but also to determine which computers have been attacked. Among the various methods for finding and tracing the existence of malware, retrospective detection is a promising one. Once a threat is identified, it allows one to determine exactly which hosts or users opened similar files by searching historical information. In the past, the huge volume of historical information represented an insurmountable barrier to such traces. Fortunately, with the evolution of cloud computing technologies, this barrier can be broken. In this paper, we propose a new retrospective detection approach based on Portable Executable (PE) format file relationships. We implement our system on a Hadoop platform and use 18 real-world malware samples to test its effectiveness and efficiency. Our results show that our system has a higher detection rate as well as a lower false positive rate than the well-known Splunk tool. We also find that, although cloud computing is well suited to processing a small number of huge files, it has shortcomings in dealing with a large number of small files.
Abstract. Advanced Persistent Threats (APT) are sophisticated and target-oriented cyber attacks which often leverage customized malware and bot control techniques to control victims and remotely access valuable information. As APT malware samples are specific and few, signature-based and learning-based approaches are weak at detecting them. In this paper, we take a more flexible strategy: developing a search engine for APT investigators to quickly uncover potential victims based on the attributes of a known APT victim. We test our approach on a real APT case that happened in a large enterprise network consisting of several thousand computers running a commercial antivirus system. To the best of our ability to verify, the search engine uncovered 33 other previously unknown victims infected by the APT malware. Finally, the search engine is implemented on a Hadoop platform. With 440GB of data, it returns query results in 2 seconds.