AUTOMATIC BEHAVIOUR-BASED ANALYSIS AND CLASSIFICATION SYSTEM FOR MALWARE DETECTION

Jaime Devesa, Igor Santos, Xabier Cantero, Yoseba K. Penya, Pablo G. Bringas

Abstract

Malware is any kind of program explicitly designed to cause harm, such as viruses, Trojan horses or worms. Since the amount of malware is growing exponentially, it already poses a serious security threat. Therefore, every incoming piece of code must be analysed in order to classify it as malware or benign software. These tests commonly combine static and dynamic analysis techniques in order to extract as much information as possible from suspicious files. Moreover, the growing number of attacks makes it infeasible to test manually the thousands of suspicious files that reach antivirus laboratories every day. Against this background, we present an automated system for malware behaviour analysis based on emulation and simulation techniques. Creating a secure and reliable sandbox environment allows us to run the suspicious code without risk. In this way, we can also generate evidence of its behaviour and classify the samples with several machine-learning algorithms. We have implemented the proposed solution and tested it with real malware. Finally, we have evaluated it in terms of reliability and time performance, two of the main requirements for such a system to work.


Paper Citation


in Harvard Style

Devesa J., Santos I., Cantero X., K. Penya Y. and G. Bringas P. (2010). AUTOMATIC BEHAVIOUR-BASED ANALYSIS AND CLASSIFICATION SYSTEM FOR MALWARE DETECTION. In Proceedings of the 12th International Conference on Enterprise Information Systems - Volume 2: ICEIS, ISBN 978-989-8425-05-8, pages 395-399. DOI: 10.5220/0002895203950399


in Bibtex Style

@conference{iceis10,
author={Jaime Devesa and Igor Santos and Xabier Cantero and Yoseba K. Penya and Pablo G. Bringas},
title={AUTOMATIC BEHAVIOUR-BASED ANALYSIS AND CLASSIFICATION SYSTEM FOR MALWARE DETECTION},
booktitle={Proceedings of the 12th International Conference on Enterprise Information Systems - Volume 2: ICEIS},
year={2010},
pages={395-399},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002895203950399},
isbn={978-989-8425-05-8},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 12th International Conference on Enterprise Information Systems - Volume 2: ICEIS
TI - AUTOMATIC BEHAVIOUR-BASED ANALYSIS AND CLASSIFICATION SYSTEM FOR MALWARE DETECTION
SN - 978-989-8425-05-8
AU - Devesa J.
AU - Santos I.
AU - Cantero X.
AU - K. Penya Y.
AU - G. Bringas P.
PY - 2010
SP - 395
EP - 399
DO - 10.5220/0002895203950399