A survey on automated dynamic malware-analysis techniques and tools

Egele, Manuel; Scholte, Theodoor; Kirda, Engin; Kruegel, Christopher

doi:10.1145/2089125.2089126

Cited by 636 publications

(398 citation statements)

References 32 publications

Supporting

Mentioning

391

Contrasting

Unclassified

Order By: Relevance

“…Malware detectors typically use high-level information such as behavior models of programs based on system calls, accessed/created files and thread creation events [22] to capture common features of malware. In contrast, MAP uses low-level information that can be collected during the execution of programs such as architectural events, instructions and memory addresses, and the mix of executed instruction types.…”

Section: Background and Preliminaries: Sub-semantic Malware Detectionmentioning

confidence: 99%

“…The problem is especially critical for mobile environments where the energy cost of detection imposes limits on the effort that a system can dedicate to online malware detection. These difficulties often limit malware detection to static signature-based virus scanning tools [22] which have known limitations [44] that allow attackers to bypass them and remain undetected.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Malware-aware processors: A framework for efficient online malware detection

Özsoy

Donovick

Gorelik

et al. 2015

2015 IEEE 21st International Symposium on High Performance Computer Architecture (HPCA)

112

View full text Add to dashboard Cite

Security exploits and ensuant malware pose an increasing challenge to computing systems as the variety and complexity of attacks continue to increase. In response, software-based malware detection tools have grown in complexity, thus making it computationally difficult to use them to protect systems in real-time. Therefore, software detectors are applied selectively and at a low frequency, creating opportunities for malware to remain undetected. In this paper, we propose Malware-Aware Processors (MAP) -processors augmented with an online hardware-based detector to serve as the first line of defense to differentiate malware from legitimate programs. The output of this detector helps the system prioritize how to apply more expensive software-based solutions. The always-on nature of MAP detector helps protect against intermittently operating malware. Our work improves on the state of the art in the following ways: (1) We define and explore the use of sub-semantic features for online detection of malware. (2) We explore hardware implementations and show that simple classifiers appropriate for such implementations can effectively classify malware. We also study different classifiers, develop implementation optimizations, and explore complexity to performance trade-offs. (3) We propose a two-level detection framework where the hardware classifier prioritizes the work of a more accurate but more expensive software defense mechanism. (4) We integrate the MAP implementation with an open-source x86-compatible core, synthesizing the resulting design to run on an FPGA.

show abstract

Section: Background and Preliminaries: Sub-semantic Malware Detectionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Malware-aware processors: A framework for efficient online malware detection

Özsoy

Donovick

Gorelik

et al. 2015

2015 IEEE 21st International Symposium on High Performance Computer Architecture (HPCA)

112

View full text Add to dashboard Cite

show abstract

“…Zero-day exploits also defy signature based static analysis since their signatures have not been yet encountered in the wild. This necessitates the use of dynamic detection techniques [9] that can detect the malicious behavior during execution, often based on the detection of anomalies, rather than signatures [4,16]. However, the complexity and difficulty of continuous dynamic monitoring have traditionally limited its use.…”

Section: Introductionmentioning

confidence: 99%

Ensemble Learning for Low-Level Hardware-Supported Malware Detection

Khasawneh

Özsoy

Donovick

et al. 2015

Research in Attacks, Intrusions, and Defenses

View full text Add to dashboard Cite

Abstract. Recent work demonstrated hardware-based online malware detection using only low-level features. This detector is envisioned as a first line of defense that prioritizes the application of more expensive and more accurate software detectors. Critical to such a framework is the detection performance of the hardware detector. In this paper, we explore the use of both specialized detectors and ensemble learning techniques to improve performance of the hardware detector. The proposed detectors reduce the false positive rate by more than half compared to a single detector, while increasing the detection rate. We also contribute approximate metrics to quantify the detection overhead, and show that the proposed detectors achieve more than 11x reduction in overhead compared to a software only detector (1.87x compared to prior work), while improving detection time. Finally, we characterize the hardware complexity by extending an open core and synthesizing it on an FPGA platform, showing that the overhead is minimal.

show abstract

“…In order to thwart those threats, anti-viruses vendors adapted their detection mechanisms to Android applications. Since it uses signature based detection, this approach is designed to catch only known threats [2]. Detecting Android malware is not an easy task.…”

Section: Introductionmentioning

confidence: 99%

Using opcode-sequences to detect malicious Android applications

Jérôme

Allix

State

et al. 2014

2014 IEEE International Conference on Communications (ICC)

View full text Add to dashboard Cite

Abstract-Recently, the Android platform has seen its number of malicious applications increased sharply. Motivated by the easy application submission process and the number of alternative market places for distributing Android applications, rogue authors are developing constantly new malicious programs. While current anti-virus software mainly relies on signature detection, the issue of alternative malware detection has to be addressed. In this paper, we present a feature based detection mechanism relying on opcode-sequences combined with machine learning techniques. We assess our tool on both a reference dataset known as Genome Project as well as on a wider sample of 40,000 applications retrieved from the Google Play Store.

show abstract

A survey on automated dynamic malware-analysis techniques and tools

Cited by 636 publications

References 32 publications

Malware-aware processors: A framework for efficient online malware detection

Malware-aware processors: A framework for efficient online malware detection

Ensemble Learning for Low-Level Hardware-Supported Malware Detection

Using opcode-sequences to detect malicious Android applications

Contact Info

Product

Resources

About