Improving antivirus accuracy with hypervisor assisted analysis

Quist, Daniel; Liebrock, Lorie M.; Neil, Joshua

doi:10.1007/s11416-010-0142-4

Cited by 14 publications

(15 citation statements)

References 12 publications

(17 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…These instructions provide the input to our algorithms. These instruction monitoring systems have been shown to be successful in a wide range of operations [26].…”

Section: Data Collectionmentioning

confidence: 99%

“…At this time, the Ether portion of Xen is invoked and the malware is started. The sample is allowed to run for five minutes, which has been shown to be a sufficient time for execution [26].…”

Section: Data Collectionmentioning

confidence: 99%

“…Increasing the complexity of detection makes for a much more robust analysis system. We use these modifications to allow for deeper introspection of the API and import internals [26].…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Graph-based malware detection using dynamic analysis

et al. 2011

Self Cite

View full text Add to dashboard Cite

We introduce a novel malware detection algorithm based on the analysis of graphs constructed from dynamically collected instruction traces of the target executable. These graphs represent Markov chains, where the vertices are the instructions and the transition probabilities are estimated by the data contained in the trace. We use a combination of graph kernels to create a similarity matrix between the instruction trace graphs. The resulting graph kernel measures similarity between graphs on both local and global levels. Finally, the similarity matrix is sent to a support vector machine to perform classification. Our method is particularly appealing because we do not base our classifications on the raw n-gram data, but rather use our data representation to perform classification in graph space. We demonstrate the performance of our algorithm on two classification problems: benign software versus malware, and the Netbull virus with different packers versus other classes of viruses. Our results show a statistically significant improvement over signature-based and other machine learning-based detection methods.

show abstract

“…These instructions provide the input to our algorithms. These instruction monitoring systems have been shown to be successful in a wide range of operations [26].…”

Section: Data Collectionmentioning

confidence: 99%

Section: Data Collectionmentioning

confidence: 99%

See 1 more Smart Citation

Graph-based malware detection using dynamic analysis

et al. 2011

Self Cite

View full text Add to dashboard Cite

show abstract

“…According to [44], five minutes is sufficient duration for the execution monitoring. We doubled this execution time to capture the malware equipped with capability of carrying out time-out attacks.…”

Section: A Experimental Datasetmentioning

confidence: 99%

Employing Program Semantics for Malware Detection

Naval

Laxmi

Rajarajan

et al. 2015

IEEE Trans.Inform.Forensic Secur.

View full text Add to dashboard Cite

This is the accepted version of the paper.This version of the publication may differ from the final published version. Abstract-In recent years, malware has emerged as a critical security threat. Additionally, malware authors continue to embed numerous anti-detection features to evade existing malware detection approaches. Against this advanced class of malicious programs, dynamic behavior-based malware detection approaches outperform the traditional signature-based approaches by neutralizing the effects of obfuscation and morphing techniques. The majority of dynamic behavior detectors rely on system-calls to model the infection and propagation dynamics of malware. However, these approaches do not account an important antidetection feature of modern malware, i.e., system-call injection attack. This attack allows the malicious binaries to inject irrelevant and independent system-calls during the program execution thus modifying the execution sequences defeating the existing system-call based detection. To address this problem, we propose an evasion-proof solution that is not vulnerable to system-call injection attacks. Our proposed approach precisely characterizes the program semantics using Asymptotic Equipartition Property (AEP) mainly applied in information theoretic domain. The AEP allows us to extract the information-rich call sequences that are further quantified to detect the malicious binaries. Furthermore, the proposed detection model is less vulnerable to call-injection attacks as the discriminating components are not directly visible to malware authors. This particular characteristic of proposed approach hampers a malware author's aim of defeating our approach. We run a thorough set of experiments to evaluate our solution and compare it with existing systemcall based malware detection techniques. The results demonstrate that the proposed solution is effective in identifying real malware instances. Permanent repository link

show abstract

“…On the other hand, using dynamic data sources, the percentage of false positives that were packed is the same as the packed percentage of the training data, which would offer support for the kernels based on these data sources not being deceived by the packer. Although the dynamic traces of packed files will also have an unpacking "footprint", it has been shown that 5 minutes for a dynamic trace is enough time for a significant number of the instructions to represent the true behavior of the program [34]. A notable exception of static sources stumbling on programs that were packed is the disassembled data source (and the control flow graph which is based on the disassembled data source), but to get these data sources, we first had to unpack the binary.…”

Section: Observationsmentioning

confidence: 99%

Improving malware classification

Anderson

Storlie

Lane

2012

Proceedings of the 5th ACM Workshop on Security and Artificial Intelligence

View full text Add to dashboard Cite

Malware classification systems have typically used some machine learning algorithm in conjunction with either static or dynamic features collected from the binary. Recently, more advanced malware has introduced mechanisms to avoid detection in these views by using obfuscation techniques to avoid static detection and execution-stalling techniques to avoid dynamic detection. In this paper we construct a classification framework that is able to incorporate both static and dynamic views into a unified framework in the hopes that, while a malicious executable can disguise itself in some views, disguising itself in every view while maintaining malicious intent will prove to be substantially more difficult. Our method uses kernels to place a similarity metric on each distinct view and then employs multiple kernel learning to find a weighted combination of the data sources which yields the best classification accuracy in a support vector machine classifier. Our approach opens up new avenues of malware research which will allow the research community to elegantly look at multiple facets of malware simultaneously, and which can easily be extended to integrate any new data sources that may become popular in the future.

show abstract

Improving antivirus accuracy with hypervisor assisted analysis

Cited by 14 publications

References 12 publications

Graph-based malware detection using dynamic analysis

Graph-based malware detection using dynamic analysis

Employing Program Semantics for Malware Detection

Improving malware classification

Contact Info

Product

Resources

About