Catching the Behavioral Differences between Multiple Executions for Malware Detection
Abstract
As the number of new malware samples has increased explosively, traditional malware detection approaches based on pattern matching have become less effective. It is therefore important to develop a detection method that relies not on signatures but on the characteristic behaviors of malware. Recently, malware authors have been embedding countermeasures against malware analysis and detection into their malware. Accordingly, modern malware often changes its runtime behavior from one execution to the next in order to withstand analysis and detection. For example, when malware copies itself onto a file system, it can choose its file name randomly to avoid detection. Another example is that when malware tries to connect to its command and control server, it randomly chooses a domain name from a hard-coded list of domain names to avoid being blocked by a static blacklist of malicious domain names. We assume that such evasive behaviors are unnecessary for benign software; therefore these behaviors can serve as clues to distinguish malware from benign software. In this paper, we propose a novel behavior-based malware detection method that focuses on such characteristics. Our proposed method conducts dynamic analysis of an executable file multiple times in the same sandbox environment so as to obtain several API call sequences and several traffic logs, and then compares the sequences and the logs to find the differences between the multiple executions. In experiments with 5,697 malware samples and 819 benign software samples, we detect about 70% of the malware samples with a false positive rate of about 1%. In addition, we detect about 50% of the malware samples that were not detected by each Anti-Virus software engine. We therefore confirm the possibility that the proposed method may improve the accuracy of malware detection when used in combination with other existing methods.
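As an added illustration of the comparison step (this is not the paper's code), the following Python sketch extracts per-run behavior sets from constructed API-call and DNS traces of the same sample and reports which behaviors differ between runs; the trace layout, API names, file names and domains are all assumed, constructed values.

```python
from collections import defaultdict

# Constructed traces for three sandbox runs of one sample (not real data).
# "api" holds (api_name, argument) events; "dns" holds queried domain names.
# The sample writes a randomly named copy of itself and picks a random C2
# domain from a hard-coded list, so those behaviors differ across runs.
MALWARE_RUNS = [
    {"api": [("CreateFileW", r"C:\Users\Public\kx7f2a.exe"),
             ("RegSetValueExW", r"HKCU\Software\...\Run\svc"),
             ("CreateProcessW", r"C:\Users\Public\kx7f2a.exe")],
     "dns": ["alpha.example", "update.example"]},
    {"api": [("CreateFileW", r"C:\Users\Public\q91mzd.exe"),
             ("RegSetValueExW", r"HKCU\Software\...\Run\svc"),
             ("CreateProcessW", r"C:\Users\Public\q91mzd.exe")],
     "dns": ["beta.example", "update.example"]},
    {"api": [("CreateFileW", r"C:\Users\Public\t3hhv0.exe"),
             ("RegSetValueExW", r"HKCU\Software\...\Run\svc"),
             ("CreateProcessW", r"C:\Users\Public\t3hhv0.exe")],
     "dns": ["gamma.example", "update.example"]},
]

# Constructed benign sample: every run behaves identically.
BENIGN_RUNS = [
    {"api": [("CreateFileW", r"C:\ProgramData\app\settings.ini")],
     "dns": ["www.example"]}
] * 3


def extract(run):
    """Group the observed argument values of a run by API name / DNS."""
    feats = defaultdict(set)
    for api, arg in run["api"]:
        feats[api].add(arg)
    for domain in run["dns"]:
        feats["DNS"].add(domain)
    return feats


def divergent_behaviors(runs):
    """Return {category: values seen in some runs but not in all of them}."""
    per_run = [extract(r) for r in runs]
    categories = set().union(*per_run)
    result = {}
    for cat in categories:
        sets = [f.get(cat, set()) for f in per_run]
        unstable = set.union(*sets) - set.intersection(*sets)
        if unstable:
            result[cat] = unstable
    return result


def is_suspicious(runs, min_divergent_categories=1):
    """Flag a sample whose behavior changes between executions."""
    return len(divergent_behaviors(runs)) >= min_divergent_categories
```

A real deployment would first suppress run-to-run noise that benign software also produces (e.g. temporary file names or session identifiers) before counting a category as divergent.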
Authors
- YOSHIOKA Katsunari (Yokohama National University)
- MATSUMOTO Tsutomu (Yokohama National University, Yokohama, Japan)
- INOUE Daisuke (National Institute of Information and Communications Technology)
- KASAMA Takahiro (National Institute of Information and Communications Technology)
Related papers
- E2-A New 128-Bit Block Cipher(Special Section on Cryptography and Information Security)
- Digitally Signed Document Sanitizing Scheme with Disclosure Condition Control(Application)(Cryptography and Information Security)
- On the security of Feistel Ciphers with SPN Round Function against Differential, Linear, and Truncated Differential Cryptanalysis(Special Section on Cryptography and Information Security)
- Multi-Pass Malware Sandbox Analysis with Controlled Internet Connection
- Invited talk: nicter: An Incident Analysis System for the Global Internet using Correlation between Network Monitoring and Malware Analysis
- Fine-Grain Feature Extraction from Malware's Scan Behavior Based on Spectrum Analysis
- Malware Sandbox Analysis for Secure Observation of Vulnerability Exploitation
- Automated Malware Analysis System and Its Sandbox for Revealing Malware's Internal and External Activities
- Practical Correlation Analysis between Scan and Malware Profiles against Zero-Day Attacks Based on Darknet Monitoring
- FOREWORD (Special Section on Cryptography and Information Security)
- Your Sandbox is Blinded: Impact of Decoy Injection to Public Malware Analysis Systems
- O-means : An Optimized Clustering Method for Analyzing Spam Based Attacks
- A Comparative Study of Unsupervised Anomaly Detection Techniques Using Honeypot Data
- Information-Flow-Based Access Control for Web Browsers
- P2P Network Traffic Analysis Using Data Mining Engines
- Effectiveness of Outline Measures of Strength against Differential and Linear Cryptanalysis (Special Section on Cryptography and Information Security)
- A Novel Malware Clustering Method Using Frequency of Function Call Traces in Parallel Threads
- Malware Sandbox Analysis with Efficient Observation of Herder's Behavior
- Catching the Behavioral Differences between Multiple Executions for Malware Detection
- An Accurate Packer Identification Method Using Support Vector Machine
- Design and Implementation of Security for HIMALIS Architecture of Future Networks
- FOREWORD