Malrec: Compact Full-Trace Malware Recording for Retrospective Deep Analysis

Severi, Giorgio; Leek, Tim; Dolan-Gavitt, Brendan

doi:10.1007/978-3-319-93411-2_1

Cited by 25 publications

(20 citation statements)

References 24 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In a real world scenario dropped files could be in principle collected and analyzed separately, which is equivalent to our solution of restarting the clock for dropped files. Overall, our recording system is similar to the one used by Malrec [87] but we adapted the solution to the new PANDA version 2 while the current Malrec dataset is available for PANDA 1 only.…”

Section: A System Overviewmentioning

confidence: 99%

“…The importance of these tools has brought to a proliferation of different platforms, resulting in a large number of both open source and commercial sandbox solutions [1]- [3], [9]. Moreover, fifteen years of research in the field has covered a wide range of technical aspects and proposed new solutions dedicated to the dynamic analysis of malicious samples [19], [34], [53], [83], [87], [101], [106].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Does Every Second Count? Time-based Evolution of Malware Behavior in Sandboxes

Alexander¹,

Mantovani²,

Han

et al. 2021

Proceedings 2021 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

The amount of time in which a sample is executed is one of the key parameters of a malware analysis sandbox. Setting the threshold too high hinders the scalability and reduces the number of samples that can be analyzed in a day; too low and the samples may not have the time to show their malicious behavior, thus reducing the amount and quality of the collected data. Therefore, an analyst needs to find the 'sweet spot' that allows to collect only the minimum amount of information required to properly classify each sample. Anything more is wasting resources, anything less is jeopardizing the experiments. Despite its importance, there are no clear guidelines on how to choose this parameter, nor experiments that can help companies to assess the pros and cons of a choice over another. To fill this gap, in this paper we provide the first large-scale study of the impact that the execution time has on both the amount and the quality of the collected events. We measure the evolution of system calls and code coverage, to draw a precise picture of the fraction of runtime behavior we can expect to observe in a sandbox. Finally, we implemented a machine learning based malware detection method, and applied it to the data collected in different time windows, to also report on the relevance of the events observed at different points in time. Our results show that most samples run for either less than two minutes or for more than ten. However, most of the behavior (and 98% of the executed basic blocks) are observed during the first two minutes of execution, which is also the time windows that result in a higher accuracy of our ML classifier. We believe this information can help future researchers and industrial sandboxes to better tune their analysis systems.

show abstract

Section: A System Overviewmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Does Every Second Count? Time-based Evolution of Malware Behavior in Sandboxes

Alexander¹,

Mantovani²,

Han

et al. 2021

Proceedings 2021 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…Another challenge is represented by nondeterministic factors in the execution. Recorded traces during phase one could not be directly repeatable [18] due to nondeterminism in OS interactions, the network or other external factors such as time sources. Since we implemented our approach on top of S2E [7], a framework for whole-system analysis, some of these issues could be mitigated in practice.…”

Section: Discussionmentioning

confidence: 99%

Reconstructing C2 Servers for Remote Access Trojans with Symbolic Execution

Borzacchiello

Coppa

D’Elia

et al. 2019

Lecture Notes in Computer Science

View full text Add to dashboard Cite

The analysis of a malicious piece of software that involves a remote counterpart that instructs it can be troublesome for security professionals, as they may have to unravel the communication protocol in use to figure out what actions can be carried out on the victim's machine. The possibility to recur to dynamic analysis hinges on the availability of an active remote counterpart, a requirement that may be difficult to meet in several scenarios. In this paper we explore how symbolic execution techniques can be used to synthesize a command-and-control server for a remote access trojan, enabling in-vivo analysis by malware analysts. We evaluate our ideas against two real-world malware instances.

show abstract

“…We employed the MalRec dataset [8] created by Georgia Tech over the course of two years. With over 66,000+ malware recordings from Windows 7 32-bit machines using the QEMU virtualization software, our infrastructure extracts 1 GB memory snapshots at 0% of the QEMU recording, a random percent between 5% and 95%, and finally a snapshot at 99% of the execution of the recording.…”

Section: Datasets 21 Compromised (Malicious) Snapshotsmentioning

confidence: 99%

“…Systems such as Akatosh by Smith et al [10] provide the ability to scalably ingest memory images from hosts, as well as others such as Endcase [2]. Our system utilizes a multi-hundred TB dataset of both compromised host memory snapshots extracted from the MalRec dataset [8] and the first known dataset of benign host memory snapshots running normal, non-compromised software. After an average of 30-45 seconds of pre-processing on a single memory snapshot, our system leverages both traditional machine learning and deep learning algorithms to achieve an average of 98% accuracy of detecting a compromised host, with over 3,000 samples for our Convolutional Neural Network, and over 9,000 samples for our traditional machine learning models.…”

Section: Introductionmentioning

confidence: 99%

Towards Architecture and OS-Independent Malware Detection via Memory Forensics

Petrik

Arik

Smith

2018

Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

In this work, we take a fundamentally different approach to the problem of analyzing a device for compromises via malware; our approach is OS and instruction architecture independent and relies only on having the raw binary data extracted from the memory dump of a device. Our system leverages a multi-hundred TB dataset of both compromised host memory dumps extracted from the Mal-Rec dataset [8] and the first known dataset of benign host memory dumps running normal, non-compromised software. After an average of 30 to 45 seconds of pre-processing on a single memory dump, our system leverages both traditional machine learning and deep learning algorithms to achieve an average of 98% accuracy of detecting a compromised host. CCS CONCEPTS • Security and privacy → Malware and its mitigation; Intrusion detection systems; • Computing methodologies → Supervised learning;

show abstract

Malrec: Compact Full-Trace Malware Recording for Retrospective Deep Analysis

Cited by 25 publications

References 24 publications

Does Every Second Count? Time-based Evolution of Malware Behavior in Sandboxes

Does Every Second Count? Time-based Evolution of Malware Behavior in Sandboxes

Reconstructing C2 Servers for Remote Access Trojans with Symbolic Execution

Towards Architecture and OS-Independent Malware Detection via Memory Forensics

Contact Info

Product

Resources

About