Dynamically discovering likely program invariants to support program evolution
Proceedings of the 21st international conference on Software engineering
Tracking down software bugs using automatic anomaly detection
Proceedings of the 24th International Conference on Software Engineering
A Flexible Containment Mechanism for Executing Untrusted Code
Proceedings of the 11th USENIX Security Symposium
The Art of Computer Virus Research and Defense
The Art of Computer Virus Research and Defense
AINA '05 Proceedings of the 19th International Conference on Advanced Information Networking and Applications - Volume 1
Semantics-Aware Malware Detection
SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
Pin: building customized program analysis tools with dynamic instrumentation
Proceedings of the 2005 ACM SIGPLAN conference on Programming language design and implementation
EXE: automatically generating inputs of death
Proceedings of the 13th ACM conference on Computer and communications security
A semantics-based approach to malware detection
Proceedings of the 34th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
A Feature Selection and Evaluation Scheme for Computer Virus Detection
ICDM '06 Proceedings of the Sixth International Conference on Data Mining
Exploring Multiple Execution Paths for Malware Analysis
SP '07 Proceedings of the 2007 IEEE Symposium on Security and Privacy
A secure environment for untrusted helper applications confining the Wily Hacker
SSYM'96 Proceedings of the 6th conference on USENIX Security Symposium, Focusing on Applications of Cryptography - Volume 6
Secure mobile code execution service
LISA '06 Proceedings of the 20th conference on Large Installation System Administration
Panorama: capturing system-wide information flow for malware detection and analysis
Proceedings of the 14th ACM conference on Computer and communications security
Virtual honeypots: from botnet tracking to intrusion detection
Virtual honeypots: from botnet tracking to intrusion detection
A framework for defending embedded systems against software attacks
ACM Transactions on Embedded Computing Systems (TECS)
INVISIOS: A Lightweight, Minimally Intrusive Secure Execution Environment
ACM Transactions on Embedded Computing Systems (TECS)
Compiler help for binary manipulation tools
Euro-Par'12 Proceedings of the 18th international conference on Parallel processing workshops
Towards trustworthy medical devices and body area networks
Proceedings of the 50th Annual Design Automation Conference
| Hi-index | 0.00 |
Malware is at the root of a large number of information security breaches. Despite widespread effort devoted to combating malware, current techniques have proven to be insufficient in stemming the incessant growth in malware attacks. In this paper, we describe a tool that exploits a combination of virtualized (isolated) execution environments and dynamic binary instrumentation (DBI) to detect malicious software and prevent its execution. We define two isolated environments: (i) a Testingenvironment, wherein an untrusted program is traced during execution using DBI and subjected to rigorous checks against extensive security policies that express behavioral patterns of malicious software, and (ii) a Realenvironment, wherein a program is subjected to run-time monitoring using a behavioral model (in place of the security policies), along with a continuous learning process, in order to prevent non-permissible behavior.We have evaluated the proposed methodology on both Linux and Windows XP operating systems, using several virus benchmarks as well as obfuscated versions thereof. Experiments demonstrate that our approach achieves almost complete coverage for original and obfuscated viruses. Average execution times go up to 28.57X and 1.23X in the Testingand Realenvironments, respectively. The high overhead imposed in the Testingenvironment does not create a severe impediment since it occurs only once and is transparent to the user. Users are only affected by the overhead imposed in the Realenvironment. We believe that our approach has the potential to improve on the state-of-the-art in malware detection, offering improved accuracy with low performance penalty.