Malware Obfuscation Techniques: A Brief Survey

You, Ilsun; Yim, Kangbin

doi:10.1109/bwcca.2010.85

Cited by 391 publications

(248 citation statements)

References 12 publications

Supporting

Mentioning

247

Contrasting

Unclassified

Order By: Relevance

“…For example, AV TEST reports that 220,000 new malicious programs are registered to be examined every day and around 220 million total malware signatures are available in their malware zoo in the first quarter of 2014 [2]. Moreover, detection is becoming more difficult due to the increasing use of metamorphic and polymorphic malware [37]. Zero-day exploits also defy signature based static analysis since their signatures have not been yet encountered in the wild.…”

Section: Introductionmentioning

confidence: 99%

Ensemble Learning for Low-Level Hardware-Supported Malware Detection

Khasawneh

Özsoy

Donovick

et al. 2015

Research in Attacks, Intrusions, and Defenses

View full text Add to dashboard Cite

Abstract. Recent work demonstrated hardware-based online malware detection using only low-level features. This detector is envisioned as a first line of defense that prioritizes the application of more expensive and more accurate software detectors. Critical to such a framework is the detection performance of the hardware detector. In this paper, we explore the use of both specialized detectors and ensemble learning techniques to improve performance of the hardware detector. The proposed detectors reduce the false positive rate by more than half compared to a single detector, while increasing the detection rate. We also contribute approximate metrics to quantify the detection overhead, and show that the proposed detectors achieve more than 11x reduction in overhead compared to a software only detector (1.87x compared to prior work), while improving detection time. Finally, we characterize the hardware complexity by extending an open core and synthesizing it on an FPGA platform, showing that the overhead is minimal.

show abstract

Section: Introductionmentioning

confidence: 99%

Ensemble Learning for Low-Level Hardware-Supported Malware Detection

Khasawneh

Özsoy

Donovick

et al. 2015

Research in Attacks, Intrusions, and Defenses

View full text Add to dashboard Cite

show abstract

“…Based on the analyst's decision, proper detection signature is developed. In contrast, a number of anti-analysis techniques have been developed by malware authors to disrupt malware analysis process, and impede further investigations [13,14].…”

Section: Limitations Of Dynamic Analysis Methods From a Digital Forenmentioning

confidence: 99%

“…Malware developers employ different methods to impede dynamic analysis of malware and malicious code investigation [14]. A prevalent feature in malware is the frequent collection of intelligence about the surrounding environment and attempting to detect whether it is an analysis or debugging environment.…”

Section: Multiple Malicious Execution Pathsmentioning

confidence: 99%

Towards Automated Malware Behavioral Analysis and Profiling for Digital Forensic Investigation Purposes

Shosha

James

Hannaway

et al. 2013

Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

View full text Add to dashboard Cite

Abstract. Digital forensic investigators commonly use dynamic malwareanalysis methods to analyze a suspect executable found during a post-mortem analysis of the victim's computer. Unfortunately, currently proposed dynamic malware analysis methods and sandbox solutions have a number of limitations that may lead the investigators to ambiguous conclusions. In this research, the limitations of the use of current dynamic malware analysis methods in digital forensic investigations are highlighted. In addition, a method to profile dynamic kernel memory to complement currently proposed dynamic profiling techniques is proposed. The proposed method will allow investigators to automate the identification of malicious kernel objects during a post-mortem analysis of the victim's acquired memory. The method is implemented in a prototype malware analysis environment to automate the process of profiling malicious kernel objects and assist malware forensic investigation. Finally, a case study is given to demonstrate the efficacy of the proposed approach.

show abstract

“…The detection of metamorphic malware, in particular, remains a challenging area of research due to various complexities involved [6,33].…”

Section: Introductionmentioning

confidence: 99%

“…It has also been shown that metamorphic malware can be clustered by using compression ratios as a measure of Kolmogorov complexity [29]. Unfortunately, there are a multitude of obfuscation techniques that render malware detection through static analysis either much less effective or highly resource intensive [6,23,33].…”

Section: Introductionmentioning

confidence: 99%

Compression-based analysis of metamorphic malware

Lee

Austin

Stamp

2015

IJSN

View full text Add to dashboard Cite

Compression-based Analysis of Metamorphic Malware by Jared LeeRecent work has presented a technique based on structural entropy measurement as an effective way to detect metamorphic malware. The technique uses two steps, file segmentation and sequence comparison, to calculate file similarity. In another previous work, it was observed that similar malware have similar measures of Kolmogorov complexity. A proposed method of estimating Kolmogorov complexity was to calculate the compression ratio of a given malware which could then be used to cluster the malicious software. Malware detection has also been attempted through the use of adaptive data compression and showed promising results. In this paper, we attempt to combine these concepts and propose using compression ratios as an alternative measure of entropy with the purpose of segmenting files according to their structural characteristics. We then compare the segment-based sequences of two given files to determine file similarity. The idea is that even after malware is transformed using a metamorphic engine, the resulting variants still share identifiable structural similarities with the original. Using this proposed technique to identify metamorphic malware, we compare our results with previous work. ACKNOWLEDGMENTS

show abstract

Malware Obfuscation Techniques: A Brief Survey

Cited by 391 publications

References 12 publications

Ensemble Learning for Low-Level Hardware-Supported Malware Detection

Ensemble Learning for Low-Level Hardware-Supported Malware Detection

Towards Automated Malware Behavioral Analysis and Profiling for Digital Forensic Investigation Purposes

Compression-based analysis of metamorphic malware

Contact Info

Product

Resources

About