Behavioral detection of malware: from a survey towards an established taxonomy

Jacob, Grégoire; Debar, Hervé; Filiol, Éric

doi:10.1007/s11416-008-0086-0

Cited by 178 publications

(89 citation statements)

References 29 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…It detects anomalies in the observed behavior compared to its model of normal behavior, which is often program-specific, to identify malware. A large number of software malware detectors have been investigated that vary in terms of the monitored events, the normal behavior model, and the detection algorithm [30,51,34,33,38]. The advantage of dynamic detection is that it is resilient to metamorphic and polymorphic malware [44,39]; it can even detect previously unknown malware.…”

Section: Related Workmentioning

confidence: 99%

Malware-aware processors: A framework for efficient online malware detection

Özsoy

Donovick

Gorelik

et al. 2015

2015 IEEE 21st International Symposium on High Performance Computer Architecture (HPCA)

115

View full text Add to dashboard Cite

Security exploits and ensuant malware pose an increasing challenge to computing systems as the variety and complexity of attacks continue to increase. In response, software-based malware detection tools have grown in complexity, thus making it computationally difficult to use them to protect systems in real-time. Therefore, software detectors are applied selectively and at a low frequency, creating opportunities for malware to remain undetected. In this paper, we propose Malware-Aware Processors (MAP) -processors augmented with an online hardware-based detector to serve as the first line of defense to differentiate malware from legitimate programs. The output of this detector helps the system prioritize how to apply more expensive software-based solutions. The always-on nature of MAP detector helps protect against intermittently operating malware. Our work improves on the state of the art in the following ways: (1) We define and explore the use of sub-semantic features for online detection of malware. (2) We explore hardware implementations and show that simple classifiers appropriate for such implementations can effectively classify malware. We also study different classifiers, develop implementation optimizations, and explore complexity to performance trade-offs. (3) We propose a two-level detection framework where the hardware classifier prioritizes the work of a more accurate but more expensive software defense mechanism. (4) We integrate the MAP implementation with an open-source x86-compatible core, synthesizing the resulting design to run on an FPGA.

show abstract

Section: Related Workmentioning

confidence: 99%

Malware-aware processors: A framework for efficient online malware detection

Özsoy

Donovick

Gorelik

et al. 2015

2015 IEEE 21st International Symposium on High Performance Computer Architecture (HPCA)

115

View full text Add to dashboard Cite

show abstract

“…As shown by a recent quantitative analysis [40], a combination of static and dynamic analysis, creating so-called hybrid approaches, is the key to achieve the best recall and precision. We observe that previous work revolve around the concept of behavior [16,26], which is leveraged as the bridge between static an dynamic techniques. This concept has been used for various purposes, ranging from classification to analysis [21] and detection.…”

Section: Binary Analysis and Reverse Engineeringmentioning

confidence: 97%

Jackdaw: Towards Automatic Reverse Engineering of Large Datasets of Binaries

Polino

Scorti

Maggi

et al. 2015

Lecture Notes in Computer Science

View full text Add to dashboard Cite

When analyzing an untrusted binary, reverse engineers usually rely on ad-hoc collections of interesting dynamic patterns-known as behaviors in the malware-analysis community-and static patterns-known as signatures in the antivirus community. Such patterns are often part of the skill set of the analyst, sometimes implemented in manually-created post-processing scripts. It would be desirable to be able to automatically find such behaviors, present them to analysts, and create a systematic catalog of matching rules and relevant implementations. We propose JACKDAW, a system that finds interesting dynamic patterns, and ranks them to unveil potentially interesting behaviors. Then, it annotates them with static information, capturing the distinct implementations of each across different malware families. Finally, JACKDAW associates semantic information to the behaviors, so as to create a descriptive summary that helps the analysts in querying the catalog of behaviors by type. To do this, it leverages the dynamic information and an indexed Web-based knowledge databases. We implement and demonstrate JACKDAW on the Win32 API (even if the technique can be generalized to any OS). On a dataset of 2,136 distinct binaries, including both malicious and benign libraries and executables, we compared the behaviors extracted automatically against a ground truth of 44 behaviors created manually by expert analysts. JACKDAW found 77.3% of them and was able to exclude spurious behaviors in 99.6% cases. We also discovered 466 novel behaviors, among which manual exploration and review by expert reverse engineers revealed interesting findings and confirmed the correctness of the semantic tagging.

show abstract

“…Malware, just like any other running program, use the services provided by the host system to sent inputs to processor, memory, programs and other operating resources [12]. It works by sandbox the execution of a file and observe how the file is actually run.…”

Section: B Behavior-basedmentioning

confidence: 99%

Short Review on Metamorphic Malware Detection in Hidden Markov Models

Ling¹,

Sani

2017

IJARCSSE

View full text Add to dashboard Cite

Abstract-Metamorphic malware is well known for evading signature-based detection. To cope up with numerous malware which can emerge easily by using open source malware generator, efficient detection in terms of accuracy and runtime performance shall be considered during analysis. Detection strategies such as data mining combine with machine learning have been used by researchers for heuristically detecting malware. In this paper, we present Hidden Markov Model as an efficient metamorphic malware detection tool by exploring the common obfuscation techniques used in malware while reviewing and comparing the different studies that adopt HMM as a detection tool.

show abstract

Behavioral detection of malware: from a survey towards an established taxonomy

Cited by 178 publications

References 29 publications

Malware-aware processors: A framework for efficient online malware detection

Malware-aware processors: A framework for efficient online malware detection

Jackdaw: Towards Automatic Reverse Engineering of Large Datasets of Binaries

Short Review on Metamorphic Malware Detection in Hidden Markov Models

Contact Info

Product

Resources

About