As the primary vehicle for most organized cybercrime, malicious software (malware) has become one of the most serious threats to computer systems and the Internet. With the recent advent of automated malware development toolkits, it has become relatively easy, even for marginally skilled adversaries, to create and mutate malware that bypasses Anti-Virus (AV) detection. This has led to a surge in the number of new malware threats and has created several major challenges for the AV industry. AV companies typically receive tens of thousands of suspicious samples daily; this overwhelming volume of new malware easily overtaxes the available human resources at AV companies, making them less responsive to emerging threats and leading to poor detection rates. To address these issues, this dissertation proposes several new and scalable systems to facilitate malware analysis and detection, centered on a single theme: “automation and scalability”. The dissertation makes four primary contributions. First, it builds a large-scale malware database management system called SMIT that addresses the challenge of determining whether a suspicious sample is indeed malicious. SMIT exploits the insight that most new malicious samples are simple syntactic variations of existing malware, so one way to ascertain the maliciousness of an unknown sample is to check whether it is sufficiently similar to any known malware. SMIT is designed to make such decisions efficiently using the malware's function call graph—a high-level structural representation that is less susceptible to the low-level obfuscation malware writers employ to evade detection. Second, the dissertation develops an automatic malware clustering system called MutantX. By quickly grouping similar samples into clusters, MutantX allows malware analysts to focus on representative samples and to automatically generate labels based on the samples' association with existing groups. Third, this dissertation introduces a signature-generation system, called Hancock, that automatically creates high-quality string signatures with extremely low false-positive rates. Finally, observing that the two widely used malware analysis approaches—i.e., static and dynamic analysis—have their respective pros and cons, this dissertation proposes a novel system that optimally integrates static-feature-based and dynamic-behavior-based malware clustering, mitigating their respective shortcomings without losing their merits.
Cited By
- Pan Y, An J, Fan W and Huang W (2019). Shellfier. Proceedings of the 2019 8th International Conference on Software and Computer Applications, (462-466).
- Ye Y, Li T, Adjeroh D and Iyengar S (2017). A Survey on Malware Detection Using Data Mining Techniques. ACM Computing Surveys, 50:3, (1-40). Online publication date: 31-May-2018.