Deriving common malware behavior through graph clustering
Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security
Labeling library functions in stripped binaries
Proceedings of the 10th ACM SIGPLAN-SIGSOFT workshop on Program analysis for software tools
JACKSTRAWS: picking command and control connections from bot traffic
SEC'11 Proceedings of the 20th USENIX conference on Security
Dynamic behavior matching: a complexity analysis and new approximation algorithms
CADE'11 Proceedings of the 23rd international conference on Automated deduction
Malware analysis with tree automata inference
CAV'11 Proceedings of the 23rd international conference on Computer aided verification
The power of procrastination: detection and mitigation of execution-stalling malicious code
Proceedings of the 18th ACM conference on Computer and communications security
Supporting velocity of investigation with behavior analysis of malware
Proceedings of the Seventh Annual Workshop on Cyber Security and Information Intelligence Research
Malware characteristics and threats on the internet ecosystem
Journal of Systems and Software
Customized normalcy profiles for the detection of targeted attacks
EvoApplications'12 Proceedings of the 2012 European conference on Applications of Evolutionary Computation
Quantitative analysis for privacy leak software with privacy Petri net
Proceedings of the ACM SIGKDD Workshop on Intelligence and Security Informatics
Recognizing malicious software behaviors with tree automata inference
Formal Methods in System Design
A similarity metric method of obfuscated malware using function-call graph
Journal in Computer Virology
DiffSig: resource differentiation based malware behavioral concise signature generation
ICT-EurAsia'13 Proceedings of the 2013 international conference on Information and Communication Technology
Using file relationships in malware classification
DIMVA'12 Proceedings of the 9th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
DroidChameleon: evaluating Android anti-malware against transformation attacks
Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security
Vetting undesirable behaviors in android apps with permission use analysis
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Extraction of statistically significant malware behaviors
Proceedings of the 29th Annual Computer Security Applications Conference
Towards automatic software lineage inference
SEC'13 Proceedings of the 22nd USENIX conference on Security
Generating Lightweight Behavioral Signature for Malware Detection in People-Centric Sensing
Wireless Personal Communications: An International Journal
Fueled by an emerging underground economy, malware authors are exploiting vulnerabilities at an alarming rate. To make matters worse, obfuscation tools are commonly available, and much of the malware is open source, leading to a huge number of variants. Behavior-based detection techniques are a promising solution to this growing problem. However, these detectors require precise specifications of malicious behavior that do not result in an excessive number of false alarms. In this paper, we present an automatic technique for extracting optimally discriminative specifications, which uniquely identify a class of programs. Such a discriminative specification can be used by a behavior-based malware detector. Our technique, based on graph mining and concept analysis, scales to large classes of programs due to probabilistic sampling of the specification space. Our implementation, called Holmes, can synthesize discriminative specifications that accurately distinguish between programs, sustaining an 86% detection rate on new, unknown malware, with 0 false positives, in contrast with 55% for commercial signature-based antivirus (AV) and 62-64% for behavior-based AV (commercial or research).