When Virtual Is Better Than Real
HOTOS '01 Proceedings of the Eighth Workshop on Hot Topics in Operating Systems
ISSTA '04 Proceedings of the 2004 ACM SIGSOFT international symposium on Software testing and analysis
Semantics-Aware Malware Detection
SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
Problem-Solving Methods in Artificial Intelligence
Cobra: Fine-grained Malware Analysis using Stealth Localized-executions
SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Exploring Multiple Execution Paths for Malware Analysis
SP '07 Proceedings of the 2007 IEEE Symposium on Security and Privacy
Behavior-based spyware detection
USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Mining specifications of malicious behavior
Proceedings of the 6th joint meeting of the European software engineering conference and the ACM SIGSOFT symposium on The foundations of software engineering
Panorama: capturing system-wide information flow for malware detection and analysis
Proceedings of the 14th ACM conference on Computer and communications security
Stealthy malware detection through vmm-based "out-of-the-box" semantic view reconstruction
Proceedings of the 14th ACM conference on Computer and communications security
Implicit operating system awareness in a virtual machine monitor
VMM-based hidden process detection and identification using Lycosid
Proceedings of the fourth ACM SIGPLAN/SIGOPS international conference on Virtual execution environments
ATC'07 Proceedings of the 2007 USENIX Annual Technical Conference
Characterizing Bots' Remote Control Behavior
DIMVA '07 Proceedings of the 4th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
"Out-of-the-Box" monitoring of VM-based high-interaction honeypots
RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection
How Good Are Malware Detectors at Remediating Infected Systems?
DIMVA '09 Proceedings of the 6th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Malware Behavioral Detection by Attribute-Automata Using Abstraction from Platform and Language
RAID '09 Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection
A Framework for Behavior-Based Malware Analysis in the Cloud
ICISS '09 Proceedings of the 5th International Conference on Information Systems Security
AccessMiner: using system-centric models for malware protection
Proceedings of the 17th ACM conference on Computer and communications security
Take a deep breath: a stealthy, resilient and cost-effective botnet using skype
DIMVA'10 Proceedings of the 7th international conference on Detection of intrusions and malware, and vulnerability assessment
Expressive, efficient and obfuscation resilient behavior based IDS
ESORICS'10 Proceedings of the 15th European conference on Research in computer security
Automatic discovery of parasitic malware
RAID'10 Proceedings of the 13th international conference on Recent advances in intrusion detection
Automatic generation of remediation procedures for malware infections
USENIX Security'10 Proceedings of the 19th USENIX conference on Security
Behavior abstraction in malware analysis
RV'10 Proceedings of the First international conference on Runtime verification
Attribution of malicious behavior
ICISS'10 Proceedings of the 6th international conference on Information systems security
Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security
Operating system interface obfuscation and the revealing of hidden operations
DIMVA'11 Proceedings of the 8th international conference on Detection of intrusions and malware, and vulnerability assessment
Dynamic behavior matching: a complexity analysis and new approximation algorithms
CADE'11 Proceedings of the 23rd international conference on Automated deduction
Proceedings of the 4th ACM workshop on Security and artificial intelligence
KLIMAX: profiling memory write patterns to detect keystroke-harvesting malware
RAID'11 Proceedings of the 14th international conference on Recent Advances in Intrusion Detection
Shadow attacks: automatically evading system-call-behavior based malware detection
Journal in Computer Virology
Quantitative analysis for privacy leak software with privacy Petri net
Proceedings of the ACM SIGKDD Workshop on Intelligence and Security Informatics
A quantitative study of accuracy in system call-based malware detection
Proceedings of the 2012 International Symposium on Software Testing and Analysis
Pinpointing malicious activities through network and system-level malware execution behavior
ICCSA'12 Proceedings of the 12th international conference on Computational Science and Its Applications - Volume Part IV
Efficient runtime policy enforcement using counterexample-guided abstraction refinement
CAV'12 Proceedings of the 24th international conference on Computer Aided Verification
Lines of malicious code: insights into the malicious software industry
Proceedings of the 28th Annual Computer Security Applications Conference
Detecting and preventing activex API-Misuse vulnerabilities in internet explorer
ICICS'12 Proceedings of the 14th international conference on Information and Communications Security
A methodology for testing CPU emulators
ACM Transactions on Software Engineering and Methodology (TOSEM) - Testing, debugging, and error handling, formal methods, lifecycle concerns, evolution and maintenance
Extraction of statistically significant malware behaviors
Proceedings of the 29th Annual Computer Security Applications Conference
We address the semantic gap problem in behavioral monitoring by using hierarchical behavior graphs to infer high-level behaviors from myriad low-level events. Our experimental system traces the execution of a process, performing data-flow analysis to identify meaningful actions such as "proxying", "keystroke logging", "data leaking", and "downloading and executing a program" from complex combinations of rudimentary system calls. To preemptively address evasive malware behavior, our specifications are carefully crafted to detect alternative sequences of events that achieve the same high-level goal. We tested eleven benign programs, variants from seven malicious bot families, four trojans, and three mass-mailing worms and found that we were able to thoroughly identify high-level behaviors across this diverse code base. Moreover, we effectively distinguished malicious execution of high-level behaviors from benign execution by identifying remotely-initiated actions.