Testing malware detectors

Christodorescu, Mihai; Jha, Somesh

doi:10.1145/1007512.1007518

Cited by 171 publications

(126 citation statements)

References 16 publications

Supporting

Mentioning

113

Contrasting

Unclassified

Order By: Relevance

“…Recall cost function (8) that is used during the sequence comparison step where and are adjustable parameters in order to assign appropriate weights to our two components. In all our experiments, we chose = 1.6 and = 0.4.…”

Section: Cost Constantsmentioning

confidence: 99%

See 1 more Smart Citation

Compression-based analysis of metamorphic malware

Lee

Austin

Stamp

2015

IJSN

View full text Add to dashboard Cite

Compression-based Analysis of Metamorphic Malware by Jared LeeRecent work has presented a technique based on structural entropy measurement as an effective way to detect metamorphic malware. The technique uses two steps, file segmentation and sequence comparison, to calculate file similarity. In another previous work, it was observed that similar malware have similar measures of Kolmogorov complexity. A proposed method of estimating Kolmogorov complexity was to calculate the compression ratio of a given malware which could then be used to cluster the malicious software. Malware detection has also been attempted through the use of adaptive data compression and showed promising results. In this paper, we attempt to combine these concepts and propose using compression ratios as an alternative measure of entropy with the purpose of segmenting files according to their structural characteristics. We then compare the segment-based sequences of two given files to determine file similarity. The idea is that even after malware is transformed using a metamorphic engine, the resulting variants still share identifiable structural similarities with the original. Using this proposed technique to identify metamorphic malware, we compare our results with previous work. ACKNOWLEDGMENTS

show abstract

Section: Cost Constantsmentioning

confidence: 99%

“…This feature makes them very difficult to detect since the obfuscation used by metamorphic engines can allow them to defeat traditional malware detectors based on pattern matching [8,35].…”

Section: Introductionmentioning

confidence: 99%

Compression-based analysis of metamorphic malware

Lee

Austin

Stamp

2015

IJSN

View full text Add to dashboard Cite

show abstract

“…The Malware attack mechanism can be identified either on the OSI Application layer with Antivirus software, or in the OSI Network layer by IDS software [31]. Malware can be identified directly and the accuracy of the identification is high with a low false positive rate.…”

Section: Attack Mechanism Determinationmentioning

confidence: 99%

“…False positive is when a classifier classifies some item as harmful incorrectly [32]. Malware that is not detectable is also a concern [31]. False negative refers to malware that is not detected.…”

Section: Attack Mechanism Determinationmentioning

confidence: 99%

Human Perception of the Measurement of a Network Attack Taxonomy in Near Real-Time

Heerden

Malan

Mouton

et al. 2014

IFIP Advances in Information and Communication Technology

View full text Add to dashboard Cite

Abstract. This paper investigates how the measurement of a network attack taxonomy can be related to human perception. Network attacks do not have a time limitation, but the earlier its detected, the more damage can be prevented and the more preventative actions can be taken. This paper evaluate how elements of network attacks can be measured in near real-time(60 seconds). The taxonomy we use was developed by van Heerden et al (2012) with over 100 classes. These classes present the attack and defenders point of view. The degree to which each class can be quantified or measured is determined by investigating the accuracy of various assessment methods. We classify each class as either defined, high, low or not quantifiable. For example, it may not be possible to determine the instigator of an attack (Aggressor), but only that the attack has been launched by a Hacker (Actor). Some classes can only be quantified with a low confidence or not at all in a sort (near real-time) time. The IP address of an attack can easily be faked thus reducing the confidence in the information obtained from it, and thus determining the origin of an attack with a low confidence. This determination itself is subjective. All the evaluations of the classes in this paper is subjective, but due to the very basic grouping (High, Low or Not Quantifiable) a subjective value can be used. The complexity of the taxonomy can be significantly reduced if classes with only a high perceptive accuracy is used.

show abstract

“…An example is the MetaPHOR system (c.f., [10]), which has become the basis for many other metamorphic malware propagation systems. Reversing these obfuscations to obtain reliable feature sets for signature-based detection is the subject of much current research [9,11,12], but case studies have shown that current antivirus detection schemes remain vulnerable to simple obfuscation attacks until the detector's signature database is updated to respond to the threat [13].…”

Section: Related Workmentioning

confidence: 99%

Exploiting an antivirus interface

Hamlen

Mohan

Masud

et al. 2009

Computer Standards & Interfaces

View full text Add to dashboard Cite

We propose a technique for defeating signature-based malware detectors by exploiting information disclosed by antivirus interfaces. This information is leveraged to reverse engineer relevant details of the detector's underlying signature database, revealing binary obfuscations that suffice to conceal malware from the detector. Experiments with real malware and antivirus interfaces on Windows operating systems justifies the effectiveness of our approach.

show abstract

Testing malware detectors

Cited by 171 publications

References 16 publications

Compression-based analysis of metamorphic malware

Compression-based analysis of metamorphic malware

Human Perception of the Measurement of a Network Attack Taxonomy in Near Real-Time

Exploiting an antivirus interface

Contact Info

Product

Resources

About